Experimentation showed that if virNetworkCreateXML() was called for a
network that was already defined, and then the network was
subsequently shutdown, the network would continue to be persistent
after the shutdown (expected/desired), but the original config would
be lost in favor of the transient config sent in with
virNetworkCreateXML() (which would then be the new persistent config)
(obviously unexpected/not desired).

To fix this, virNetworkObjAssignDef() has been changed to

1) properly save/free network->def and network->newDef for all the
various combinations of live/active/persistent, including some
combinations that were previously considered to be an error but didn't
need to be (e.g. setting a "live" config for a network that isn't yet
active but soon will be - that was previously considered an error,
even though in practice it can be very useful).

2) automatically set the persistent flag whenever a new non-live
config is assigned to the network (and clear it when the non-live
config is set to NULL). the libvirt network driver no longer directly
manipulates network->persistent, but instead relies entirely on
virNetworkObjAssignDef() to do the right thing automatically.

After this patch, the following sequence will behave as expected:

virNetworkDefineXML(X)
virNetworkCreateXML(X') (same name but some config different)
virNetworkDestroy(X)

At the end of these calls, the network config will remain as it was
after the initial virNetworkDefine(), whereas previously it would take
on the changes given during virNetworkCreateXML().

Another effect of this tighter coupling between a) setting a !live def
and b) setting/clearing the "persistent" flag, is that future patches
which change the details of network lifecycle management
(e.g. upcoming patches to fix detection of "active" networks when
libvirtd is restarted) will find it much more difficult to break
persistence functionality.

This fixes the following make rpm warning:

warning: Installed (but unpackaged) file(s) found:
   /usr/lib64/libvirt/connection-driver/libvirt_driver_nwfilter.so.0
   /usr/lib64/libvirt/connection-driver/libvirt_driver_nwfilter.so.0.0.0

introduced in comit 8d559864Signed-off-by: NDwight Engen <dwight.engen@oracle.com>
Signed-off-by: NEric Blake <eblake@redhat.com>

Currently the driver only exposes the ability to connect to the serial console
of a Xen guest, which doesn't work for a PV guest. Since for an HVM guest the
serial devices are duplicated as consoles it is sufficient to just use the
console devices unconditionally.

Tested with the following bit of config XML:

<domain type='xen'>
  ...
  <devices>
    <console type='pty'>
      <target type='xen'/>
    </console>
  </devices>
</domain>

I have observed and tested this on ARM but I believe it also applies to x86 PV
guests.
Signed-off-by: NIan Campbell <ian.campbell@citrix.com>
Cc: Jim Fehlig <jfehlig@suse.com>
Cc: Dario Faggioli <dario.faggioli@citrix.com>
Cc: Clark Laughlin <clark.laughlin@linaro.org>

Signed-off-by: NDwight Engen <dwight.engen@oracle.com>

dlfcn.h does not exist on Win32 so must only be used
conditionally
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Create a nwfilterxml2firewalltest to exercise the
ebiptables_driver.applyNewRules method with a variety of
different XML input files. The XML input files are taken
from the libvirt-tck nwfilter tests. While the nwfilter
tests verify the final state of the iptables chains, this
test verifies the set of commands invoked to create the
chains.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Remove all the left over code related to the direct invocation
of firewall-cmd/iptables/ip6tables/ebtables. This is all handled
by the virFirewallPtr APIs now.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Conver the ebiptablesDriverProbeStateMatch initialization
check to use the virFirewall APIs for querying iptables
version.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebtablesApplyNewRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebtablesApplyDropAllRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebtablesApplyDHCPOnlyRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebtablesApplyBasicRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebiptablesTearNewRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebtablesRemoveBasicRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebiptablesTearOldRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the nwfilter ebiptablesAllTeardown method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Convert the virebtables.{c,h} files to use the new virFirewall
APIs for changing ebtables rules.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Using the virCommand dry run capability, capture iptables rules
created by various network XML documents.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The networkCheckRouteCollision, networkAddFirewallRules and
networkRemoveFirewallRules APIs all take a virNetworkObjPtr
instance, but only ever access the 'def' member. It thus
simplifies testing if the APIs are changed to just take a
virNetworkDefPtr instead
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Update the iptablesXXXX methods so that instead of directly
executing iptables commands, they populate rules in an
instance of virFirewallPtr. The bridge driver can thus
construct the ruleset and then invoke it in one operation
having rollback handled automatically.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The network and nwfilter drivers both have a need to update
firewall rules. The currently share no code for interacting
with iptables / firewalld. The nwfilter driver is fairly
tied to the concept of creating shell scripts to execute
which makes it very hard to port to talk to firewalld via
DBus APIs.

This patch introduces a virFirewallPtr object which is able
to represent a complete sequence of rule changes, with the
ability to have multiple transactional checkpoints with
rollbacks. By formally separating the definition of the rules
to be applied from the mechanism used to apply them, it is
also possible to write a firewall engine that uses firewalld
DBus APIs natively instead of via the slow firewalld-cmd.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

When a VM fails to launch due to error creating nwfilter
rules, we must avoid overwriting the original error when
tearing down the partially created rules.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The nwfilter ebiptables driver will build up commands to run in
two phases. The first phase contains all of the command, except
for the '-A' part. Instead it has a '%c' placeholder, along with
a '%s' placeholder for a position arg. The second phase than
substitutes these placeholders. The only values ever used for
these substitutions though is '-A' and '', so it is entirely
pointless. Remove the second phase entirely, since it will make
it harder to convert to the new firewall APIs
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The current nwfilter tech driver API has a 'createRuleInstance' method
which populates virNWFilterRuleInstPtr with a command line string
containing variable placeholders. The 'applyNewRules' method then
expands the variables and executes the commands. This split of
responsibility won't work when switching to the virFirewallPtr
APIs, since we can't just build up command line strings. This patch
this merges the functionality of 'createRuleInstance' into the
applyNewRules method.

The virNWFilterRuleInstPtr struct is changed from holding an array
of opaque pointers, into holding generic metadata about the rules
to be processed. In essence this is the result of taking a linked
set of virNWFilterDefPtr's and flattening the tree to get a list
of virNWFilterRuleDefPtr's. At the same time we must keep track of
any nested virNWFilterObjPtr instances, so that the locks are held
for the duration of the 'applyNewRules' method.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Later refactoring will change use of the virNWFilterRuleInstPtr struct.
Prepare for this by pushing use of the virNWFilterRuleInstPtr parameter
out of the ebtablesCreateRuleInstance and iptablesCreateRuleInstance
methods. Instead they simply string(s) with the constructed rule data.
The ebiptablesCreateRuleInstance method will make use of the
virNWFilterRuleInstPtr struct instead.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Add virNWFilterRuleIsProtocol{Ethernet,IPv4,IPv6} helper methods
to avoid having to write a giant switch statements with many cases.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The 'displayRuleInstance' callback in the nwfilter tech driver
is never invoked, so can be deleted.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The 'removeRules' callback in the nwfilter tech driver is never
invoked, so can be deleted.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The virNWFilterHashTable struct contains a virHashTable and
then a 'char **names' field which keeps a copy of all the
hash keys. Presumably this was intended to record the ordering
of the hash keys. No code ever uses this and the ordering is
mangled whenever a variable is removed from the hash, because
the last element in the list is copied into the middle of the
list when shrinking the array.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The 'virDomainNetType' is unused in every impl of the
virNWFilterRuleCreateInstance driver method. Remove it
from the code to avoid the dependancy on the external
enum.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The virNWFilterTechDriver struct is nothing to do with the nwfilter
XML configuration. It stores data specific to the driver implementation
so should be in a header in the driver directory instead.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

If virNWFilterVarValueCreateSimple fails with OOM, then
'val' will be leaked by virNWFilterVarValueCreateSimpleCopyValue
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Commit c4206d7c fixed the overflow for running domains. However, we need
a similar check when setting migration speed on inactive domains.

At first look, it may seem the check in c4206d7c is now redundant but
qemuDomainMigrateSetMaxSpeed is not the only caller of
qemuMonitorSetMigrationSpeed so we need to check the bandwidth in both
places.

https://bugzilla.redhat.com/show_bug.cgi?id=1083483Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

Replace use of cpuMapOverride with virFileFindResource
to locate CPU map from build dir.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Replace virDriverModuleInitialize with virFileFindResource
usage.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Replace virLockManagerSetPluginDir with virFileFindResource
usage.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Instead of hardcoding LIBEXECDIR as the location of the libvirt_iohelper
binary, use virFileFindResource to optionally find it in the current
build directory.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Instead of hardcoding LIBEXECDIR as the location of the libvirt_parthelper
binary, use virFileFindResource to optionally find it in the current
build directory.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Instead of hardcoding LIBEXECDIR as the location of the libvirt_lxc
binary set in the LXC driver capabilities, use virFileFindResource
to optionally find it in the current build directory.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Instead of hardcoding LIBEXECDIR as the location of the libvirt_iohelper
binary, use virFileFindResource to optionally find it in the current
build directory.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>