* Fix a logic error in configure.ac that prevented --with-selinux=no
  from being used with --with-secdriver-selinux=no.

* Fix some strings to clarify the difference between --with-selinux
  and --with-secdriver-selinux.
Signed-off-by: NSpencer Shimko <sshimko@tresys.com>
Signed-off-by: NEric Blake <eblake@redhat.com>

* configure.ac (STATIC_ANALYSIS): Define when run via clang's
scan-build or coverity-prevent's cov-build.
Use the CLANG_CC and COVERITY_BUILD_COMMAND envvars as witnesses.

I am getting rid of determining the path to necessary CLI tools at
compile time. Instead, now the firewall driver has an initialization
function that uses virFindFileInPath() to determine the path to
necessary CLI tools and a shutdown function to free allocated memory.
The rest of the patch mostly deals with availability of the CLI tools
and to not call certain code blocks if a tool is not available and that
strings now have to be built slightly differently.

* configure.ac docs/news.html.in libvirt.spec.in src/libvirt_public.syms:
  updates for release of 0.8.0
* po/*.po po/libvirt.pot: updated a lar set of localizations, and merge
  the messages

The MinGW linker needs the libvirt.def file.

The network filter / snapshot / hooks code introduced some
non-portable pices that broke the win32 build

* configure.ac: Check for net/ethernet.h required by nwfile config
   parsing code
* src/conf/nwfilter_conf.c: Define ethernet protocol  constants
  if net/ethernet.h is missing
* src/util/hooks.c: Disable hooks build on Win32 since it lacks
  fork/exec/pipe
* src/util/threads-win32.c: Fix unchecked return value
* tools/virsh.c: Disable SIGPIPE on Win32 since it doesn't exist.
  Fix non-portable strftime() formats

Just checking for a windres tool might hit even on Linux systems when
building for Linux (e.g.: when using Gentoo and having built binutils
with multitarget support), and will then fail to link properly at the
end of the build.

* configure.ac: Avoid searching for windres on non windows target

This patch implements support for learning a VM's IP address. It uses
the pcap library to listen on the VM's backend network interface (tap)
or the physical ethernet device (macvtap) and tries to capture packets
with source or destination MAC address of the VM and learn from DHCP
Offers, ARP traffic, or first-sent IPv4 packet what the IP address of
the VM's interface is. This then allows to instantiate the network
traffic filtering rules without the user having to provide the IP
parameter somewhere in the filter description or in the interface
description as a parameter. This only supports to detect the parameter
IP, which is for the assumed single IPv4 address of a VM. There is not
support for interfaces that may have multiple  IP addresses (IP
aliasing) or IPv6 that may then require more than one valid IP address
to be detected. A VM can have multiple independent interfaces that each
uses a different IP address and in that case it will be attempted to
detect each one of the address independently.

So, when for example an interface description in the domain XML has
looked like this up to now:

    <interface type='bridge'>
      <source bridge='mybridge'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.2.3.4'/>
      </filterref>
    </interface>

you may omit the IP parameter:

    <interface type='bridge'>
      <source bridge='mybridge'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'/>
    </interface>

Internally I am walking the 'tree' of a VM's referenced network filters
and determine with the given variables which variables are missing. Now,
the above IP parameter may be missing and this causes a libvirt-internal
thread to be started that uses the pcap library's API to listen to the
backend interface  (in case of macvtap to the physical interface) in an
attempt to determine the missing IP parameter. If the backend interface
disappears the thread terminates assuming the VM was brought down. In
case of a macvtap device a timeout is being used to wait for packets
from the given VM (filtering by VM's interface MAC address). If the VM's
macvtap device disappeared the thread also terminates. In all other
cases it tries to determine the IP address of the VM and will then apply
the rules late on the given interface, which would have happened
immediately if the IP parameter had been explicitly given. In case an
error happens while the firewall rules are applied, the VM's backend
interface is 'down'ed preventing it to communicate. Reasons for failure
for applying the network firewall rules may that an ebtables/iptables
command failes or OOM errors. Essentially the same failure reasons may
occur as when the firewall rules are applied immediately on VM start,
except that due to the late application of the filtering rules the VM
now is already running and cannot be hindered anymore from starting.
Bringing down the whole VM would probably be considered too drastic.
While a VM's IP address is attempted to be determined only limited
updates to network filters are allowed. In particular it is prevented
that filters are modified in such a way that they would introduce new
variables.

A caveat: The algorithm does not know which one is the appropriate IP
address of a VM. If the VM spoofs an IP address in its first ARP traffic
or IPv4 packets its filtering rules will be instantiated for this IP
address, thus 'locking' it to the found IP address. So, it's still
'safer' to explicitly provide the IP address of a VM's interface in the
filter description if it is known beforehand.

* configure.ac: detect libpcap
* libvirt.spec.in: require libpcap[-devel] if qemu is built
* src/internal.h: add the new ATTRIBUTE_PACKED define
* src/Makefile.am src/libvirt_private.syms: add the new modules and symbols
* src/nwfilter/nwfilter_learnipaddr.[ch]: new module being added
* src/nwfilter/nwfilter_driver.c src/conf/nwfilter_conf.[ch]
  src/nwfilter/nwfilter_ebiptables_driver.[ch]
  src/nwfilter/nwfilter_gentech_driver.[ch]: plu the new functionality in
* tests/nwfilterxml2xmltest: extend testing

* cfg.mk (sc_prohibit_test_minus_ao): Also check for [.
* docs/Makefile.am (%.html, html/index.html): Avoid non-portable
test usage.
* libvirt.spec.in (%post): Likewise.
* tools/virt-pki-validate.in (servercert.pem): Likewise.
* configure.ac (LOGNAME): Use test, not [, in files processed by
autoconf.
Detected by Matthias Bolte.

This patch adds IPv6 filtering support for the following protocols:
- tcp-ipv6
- udp-ipv6
- udplite-ipv6
- esp-ipv6
- ah-ipv6
- sctp-ipv6
- all-ipv6
- icmpv6

Many of the IPv4 data structure could be re-used for IPv6 support.
Since ip6tables also supports pretty much the same command line parameters
as iptables does, also much of the code could be re-used and now
command lines are invoked with the ip(6)tables tool parameter passed
through the functions as a parameter.

This patch adds some example filters to libvirt. They are automatically
installed into the proper directory for libvirt to pick them up.

This patch adds support for L3/L4 filtering using iptables. This adds
support for 'tcp', 'udp', 'icmp', 'igmp', 'sctp' etc. filtering.

As mentioned in the introduction, a .c file provided by this patch
is #include'd into a .c file. This will need work, but should be alright
for review.
Signed-off-by: NStefan Berger <stefanb@us.ibm.com>

This patch implements the core driver and provides
- management functionality for managing the filter XMLs
- compiling the internal filter representation into ebtables rules
- applying ebtables rules on a network (tap,macvtap) interface
- tearing down ebtables rules that were applied on behalf of an
interface
- updating of filters while VMs are running and causing the firewalls to
be rebuilt
- other bits and pieces
Signed-off-by: NStefan Berger <stefanb@us.ibm.com>

* configure.ac: Use "test cond1 || test cond2" instead.
* m4/compiler-flags.m4 (gl_COMPILER_FLAGS): Likewise.
* tests/test-lib.sh (verbose): Likewise.

* configure.ac: Use "test cond1 && test cond2" instead.

Use the __declspec(dllexport/dllimport) stuff to export the symbol,
otherwise accessing virConnectAuthPtrDefault triggers a segfault.

* configure.ac: fix the header test used for macvtap availability
  detection

* configure.ac libvirt.spec.in: update with new version
* docs/news.html.in: add list of changes in 0.7.7
* po/*po*: updated spanish and russian localisations, rebuilt

With the recent changes to the linking defaults in Fedora 13 (namely
enabling --no-add-needed behaviour by default), we have to pass the
dlopen()-providing libraries directly at the link of the module; use the
same AC_SEARCH_LIBS function as used before to look for it and add it to
the Makefile.

Instead of using AC_CHECK_LIB and hardcoding -ldl, search for the library
needed to get dlopen() and then use the cached value.

* We are reverting this patch pending a discussion of the right way to implement.

* configure.ac: Fix typos:
s/DRIVER_MODULES_CFLAGS/DRIVER_MODULE_CFLAGS/
s/DRIVER_MODULES_LIBS/DRIVER_MODULE_LIBS/

since we're using gettext-0.14.1, which uses that now-obsolete
automake symbol.  Otherwise, make distcheck would fails like this:

    make[2]: Entering directory `/t/libvirt-0.7.6/_build/po'
    /bin/sh @MKINSTALLDIRS@ /t/libvirt-0.7.6/_inst/share
    /bin/sh: @MKINSTALLDIRS@: No such file or directory
    make[2]: *** [install-data-yes] Error 127

* configure.ac (MKINSTALLDIRS): Define.
For reference, we're currently hamstrung by our desire
to support RHEL5, which still uses gettext-0.14:
http://bugzilla.redhat.com/523713

Create the filesystem on the partition used by the pool
* configure.ac: check for mkfs availability
* libvirt.spec.in: add extra require on util-linux for mkfs
* src/storage/storage_backend_fs.c: run mkfs with the expected
  fs type when creating a filesystem pool

Silence a libtoolize warning.
*  configure.ac (AC_CONFIG_MACRO_DIR): Add.

This patch adds build support for libvirt checking for certain contents
of /usr/include/linux/if_link.h to see whether macvtap support is
compilable on that system. One can disable macvtap support in libvirt
via --without-macvtap passed to configure.
* configure.ac src/Makefile.am: new build support
* src/libvirt_macvtap.syms: list of exported symbols
* src/util/macvtap.c: empty module to not break compilation

* configure.ac docs/news.html.in libvirt.spec.in: version bump and doc
  updates
* po/*.po*: updated and regenerated the localizations

* configure.ac: reanmed configura.in, use AC_CONFIG_HEADERS instead of
  AM_CONFIG_HEADER

This ensures that ./configure will work fine if xen development packages
are not around, rather than fail. When passing ./configure --with-xen, the
lack of xen development packages become fatal.

Always use AC_HELP_STRING for the help text for options at ./configure,
so that the output is properly aligned.

Use proper quadrigraphs for outputting the brackets.

Always use autoconf-style [default=$foo] output to state the default, both
where it was stated before and where it wasn't.

This time, include Matthias Bolte notes regarding defaults, and removing
PFX specification from phyp.

Without this change, ./autogen.sh --disable-shared && make would
evoke a "can not build a shared library" failure for libvirtmod.la
due to the new use of libtool's -shared link option in
python/Makefile.am.  Now, --disable-shared also
disables building python.

* configure.in: Make --disable-shared imply --without-python and
silently override --with-python.
Improved by: Diego Elio Pettenò <flameeyes@gmail.com>

The option --with-sasl defaults to 'check', but an inverted test logic
lets the SASL check fail with an error instead of disabling SASL.
Fix the test logic so SASL support gets disabled if SASL is missing and
--with-sasl is set to check.

The testlogic for $PKG_CONFIG was inverted, checking for an empty string
before using PKG_CHECK_MODULES. Use -x instead of -z and add an else branch
to the if checking for $GNUTLS_FOUND = no to add -lgcrypt in case the
GnuTLS libraries are detected by pkg-config.

* configure.in: If you pass libraries in the LDFLAGS variable, and then
  try AC_CHECK_FUNCS to find whether a function is present or not,
  it'll fail badly when using the --as-needed linker flag. Instead,
  pass the libraries through the LIBS library, so that they are passed
  after the conftest.c source file and the tests are done properly.

* configure.in: With the previous logic, if libhal_get_all_devices
  function was not found, HAVE_HAL would be defined for the preprocessor
  but it wouldn't be enabled in automake conditionals, causing the final
  link to fail with missing references to HAL entries.

Each driver supporting CPU selection must fill in host CPU capabilities.
When filling them, drivers for hypervisors running on the same node as
libvirtd can use cpuNodeData() to obtain raw CPU data. Other drivers,
such as VMware, need to implement their own way of getting such data.
Raw data can be decoded into virCPUDefPtr using cpuDecode() function.

When implementing virConnectCompareCPU(), a hypervisor driver can just
call cpuCompareXML() function with host CPU capabilities.

For each guest for which a driver supports selecting CPU models, it must
set the appropriate feature in guest's capabilities:

    virCapabilitiesAddGuestFeature(guest, "cpuselection", 1, 0)

Actions needed when a domain is being created depend on whether the
hypervisor understands raw CPU data (currently CPUID for i686, x86_64
architectures) or symbolic names has to be used.

Typical use by hypervisors which prefer CPUID (such as VMware and Xen):

- convert guest CPU configuration from domain's XML into a set of raw
  data structures each representing one of the feature policies:

    cpuEncode(conn, architecture, guest_cpu_config,
              &forced_data, &required_data, &optional_data,
              &disabled_data, &forbidden_data)

- create a mask or whatever the hypervisor expects to see and pass it
  to the hypervisor

Typical use by hypervisors with symbolic model names (such as QEMU):

- get raw CPU data for a computed guest CPU:

    cpuGuestData(conn, host_cpu, guest_cpu_config, &data)

- decode raw data into virCPUDefPtr with a possible restriction on
  allowed model names:

    cpuDecode(conn, guest, data, n_allowed_models, allowed_models)

- pass guest->model and guest->features to the hypervisor

* src/cpu/cpu.c src/cpu/cpu.h src/cpu/cpu_generic.c
  src/cpu/cpu_generic.h src/cpu/cpu_map.c src/cpu/cpu_map.h
  src/cpu/cpu_x86.c src/cpu/cpu_x86.h src/cpu/cpu_x86_data.h
* configure.in: check for CPUID instruction
* src/Makefile.am: glue the new files in
* src/libvirt_private.syms: add new private symbols
* po/POTFILES.in: add new cpu files containing translatable strings