- 19 7月, 2012 3 次提交
-
-
由 Daniel P. Berrange 提交于
Update the network filter driver to use virReportError instead of the virNWFilterReportError custom macro Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
This removes all the per-file error reporting macros from the code in src/conf/ Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 17 7月, 2012 3 次提交
-
-
由 Michal Privoznik 提交于
My previous patch wasn't complete as it converted from (unsigned char *) to (virMacAddrPtr *). It should be (virMacAddrPtr) only.
-
由 Michal Privoznik 提交于
The previous commit (387117ad) was incomplete leaving those who does not use libpcap with uncompilable sources beacuse of incomplete conversion of virNWFilterDHCPSnoopReq function.
-
由 Stefan Berger 提交于
Introduce new members in the virMacAddr 'class' - virMacAddrSet: set virMacAddr from a virMacAddr - virMacAddrSetRaw: setting virMacAddr from raw 6 byte MAC address buffer - virMacAddrGetRaw: writing virMacAddr into raw 6 byte MAC address buffer - virMacAddrCmp: comparing two virMacAddr - virMacAddrCmpRaw: comparing a virMacAddr with a raw 6 byte MAC address buffer then replace raw MAC addresses by replacing - 'unsigned char *' with virMacAddrPtr - 'unsigned char ... [VIR_MAC_BUFLEN]' with virMacAddr and introduce usage of above functions where necessary.
-
- 15 6月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
When libpcap is not available, the NWFilter driver provides a no-op stub for the DHCP snooping initialization. This was mistakenly returning '-1' instead of '0', so the entire driver initialization failed
-
- 02 6月, 2012 3 次提交
-
-
由 Stefan Berger 提交于
With support for multiple IP addresses per interface in place, this patch now adds support for multiple IP addresses per interface for the DHCP snooping code. Testing: Since the infrastructure I tested this with does not provide multiple IP addresses per MAC address (anymore), I either had to plug the VM's interface from the virtual bride connected directly to the infrastructure to virbr0 to get a 2nd IP address from dnsmasq (kill and run dhclient inside the VM) or changed the lease file (/var/run/libvirt/network/nwfilter.leases) and restart libvirtd to have a 2nd IP address on an existing interface. Note that dnsmasq can take a lease timeout parameter as part of the --dhcp-range command line parameter, so that timeouts can be tested that way (--dhcp-range 192.168.122.2,192.168.122.254,120). So, terminating and restarting dnsmasq with that parameter is another choice to watch an IP address disappear after 120 seconds. Regards, Stefan
-
由 Stefan Berger 提交于
The goal of this patch is to prepare for support for multiple IP addresses per interface in the DHCP snooping code. Move the code for the IP address map that maps interface names to IP addresses into their own file. Rename the functions on the way but otherwise leave the code as-is. Initialize this new layer separately before dependent layers (iplearning, dhcpsnooping) and shut it down after them.
-
由 Stefan Berger 提交于
This patch adds DHCP snooping support to libvirt. The learning method for IP addresses is specified by setting the "CTRL_IP_LEARNING" variable to one of "any" [default] (existing IP learning code), "none" (static only addresses) or "dhcp" (DHCP snooping). Active leases are saved in a lease file and reloaded on restart or HUP. The following interface XML activates and uses the DHCP snooping: <interface type='bridge'> <source bridge='virbr0'/> <filterref filter='clean-traffic'> <parameter name='CTRL_IP_LEARNING' value='dhcp'/> </filterref> </interface> All filters containing the variable 'IP' are automatically adjusted when the VM receives an IP address via DHCP. However, multiple IP addresses per interface are silently ignored in this patch, thus only supporting one IP address per interface. Multiple IP address support is added in a later patch in this series. Signed-off-by: NDavid L Stevens <dlstevens@us.ibm.com> Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
-
- 28 5月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Remove the uid param from virGetUserConfigDirectory, virGetUserCacheDirectory, virGetUserRuntimeDirectory, and virGetUserDirectory These functions were universally called with the results of getuid() or geteuid(). To make it practical to port to Win32, remove the uid parameter and hardcode geteuid() Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 21 5月, 2012 1 次提交
-
-
由 Stefan Berger 提交于
This patch adds support for the recent ipset iptables extension to libvirt's nwfilter subsystem. Ipset allows to maintain 'sets' of IP addresses, ports and other packet parameters and allows for faster lookup (in the order of O(1) vs. O(n)) and rule evaluation to achieve higher throughput than what can be achieved with individual iptables rules. On the command line iptables supports ipset using iptables ... -m set --match-set <ipset name> <flags> -j ... where 'ipset name' is the name of a previously created ipset and flags is a comma-separated list of up to 6 flags. Flags use 'src' and 'dst' for selecting IP addresses, ports etc. from the source or destination part of a packet. So a concrete example may look like this: iptables -A INPUT -m set --match-set test src,src -j ACCEPT Since ipset management is quite complex, the idea was to leave ipset management outside of libvirt but still allow users to reference an ipset. The user would have to make sure the ipset is available once the VM is started so that the iptables rule(s) referencing the ipset can be created. Using XML to describe an ipset in an nwfilter rule would then look as follows: <rule action='accept' direction='in'> <all ipset='test' ipsetflags='src,src'/> </rule> The two parameters on the command line are also the two distinct XML attributes 'ipset' and 'ipsetflags'. FYI: Here is the man page for ipset: https://ipset.netfilter.org/ipset.man.html Regards, Stefan
-
- 14 5月, 2012 1 次提交
-
-
由 William Jon McCann 提交于
As defined in: http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html This offers a number of advantages: * Allows sharing a home directory between different machines, or sessions (eg. using NFS) * Cleanly separates cache, runtime (eg. sockets), or app data from user settings * Supports performing smart or selective migration of settings between different OS versions * Supports reseting settings without breaking things * Makes it possible to clear cache data to make room when the disk is filling up * Allows us to write a robust and efficient backup solution * Allows an admin flexibility to change where data and settings are stored * Dramatically reduces the complexity and incoherence of the system for administrators
-
- 27 4月, 2012 1 次提交
-
-
由 Stefan Berger 提交于
This patch addresses the following coverity findings: /libvirt/src/conf/nwfilter_params.c:157: deref_parm: Directly dereferencing parameter "val". /libvirt/src/conf/nwfilter_params.c:473: negative_returns: Using variable "iterIndex" as an index to array "res->iter". /libvirt/src/nwfilter/nwfilter_ebiptables_driver.c:2891: unchecked_value: No check of the return value of "virAsprintf(&protostr, "-d 01:80:c2:00:00:00 ")". /libvirt/src/nwfilter/nwfilter_ebiptables_driver.c:2894: unchecked_value: No check of the return value of "virAsprintf(&protostr, "-p 0x%04x ", l3_protocols[protoidx].attr)". /libvirt/src/nwfilter/nwfilter_ebiptables_driver.c:3590: var_deref_op: Dereferencing null variable "inst".
-
- 19 4月, 2012 1 次提交
-
-
由 Stefan Berger 提交于
Fix the support for trusted DHCP server in the ebtables code's hard-coded function applying DHCP only filtering rules: Rather than using a char * use the more flexible virNWFilterVarValuePtr that contains the trusted DHCP server(s) IP address. Process all entries. Since all callers so far provided NULL as parameter, no changes are necessary in any other code.
-
- 27 3月, 2012 1 次提交
-
-
由 Martin Kletzander 提交于
Return statements with parameter enclosed in parentheses were modified and parentheses were removed. The whole change was scripted, here is how: List of files was obtained using this command: git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' | \ grep -e '\.[ch]$' -e '\.py$' Found files were modified with this command: sed -i -e \ 's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \ -e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_' Then checked for nonsense. The whole command looks like this: git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' | \ grep -e '\.[ch]$' -e '\.py$' | xargs sed -i -e \ 's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \ -e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_'
-
- 17 2月, 2012 1 次提交
-
-
由 Stefan Berger 提交于
Improve the logging during driver initialization when testing the command line tools.
-
- 28 1月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Rename virFormatMacAddr, virGenerateMacAddr and virParseMacAddr to virMacAddrFormat, virMacAddrGenerate and virMacAddrParse respectively
-
- 27 1月, 2012 1 次提交
-
-
由 Stefan Berger 提交于
Introduce a function that rebuilds all running VMs' filters. Call this function when reloading the nwfilter driver. This addresses a problem introduced by the 2nd patch that typically causes no filters to be reinstantiate anymore upon driver reload since their XML has not changed. Yet the current behavior is that upon a SIGHUP all filters get reinstantiated.
-
- 11 1月, 2012 2 次提交
-
-
由 Stefan Berger 提交于
Address side effect of accessing a variable via an index: Filters accessing a variable where an element is accessed that is beyond the size of the list (for example $TEST[10] and only 2 elements are available) cannot instantiate that filter. Test for this and report proper error to user.
-
由 Stefan Berger 提交于
This patch introduces the capability to use a different iterator per variable. The currently supported notation of variables in a filtering rule like <rule action='accept' direction='out'> <tcp srcipaddr='$A' srcportstart='$B'/> </rule> processes the two lists 'A' and 'B' in parallel. This means that A and B must have the same number of 'N' elements and that 'N' rules will be instantiated (assuming all tuples from A and B are unique). In this patch we now introduce the assignment of variables to different iterators. Therefore a rule like <rule action='accept' direction='out'> <tcp srcipaddr='$A[@1]' srcportstart='$B[@2]'/> </rule> will now create every combination of elements in A with elements in B since A has been assigned to an iterator with Id '1' and B has been assigned to an iterator with Id '2', thus processing their value independently. The first rule has an equivalent notation of <rule action='accept' direction='out'> <tcp srcipaddr='$A[@0]' srcportstart='$B[@0]'/> </rule>
-
- 21 12月, 2011 1 次提交
-
-
由 Stefan Berger 提交于
Remove the requirement that DHCP messages have to be broadcasted. DHCP requests are most often sent via broadcast but can be directed towards a specific DHCP server. For example 'dhclient' takes '-s <server>' as a command line parameter thus allowing DHCP requests to be sent to a specific DHCP server.
-
- 17 12月, 2011 1 次提交
-
-
由 Stefan Berger 提交于
If only iptables rules are created then two unnecessary ebtables chains are also created. This patch fixes this and prevents these chains from being created. They have been cleaned up properly, though.
-
- 09 12月, 2011 2 次提交
-
-
由 Stefan Berger 提交于
A preparatory patch for DHCP snooping where we want to be able to differentiate between a VM's interface using the tuple of <VM UUID, Interface MAC address>. We assume that MAC addresses could possibly be re-used between different networks (VLANs) thus do not only want to rely on the MAC address to identify an interface. At the current 'final destination' in virNWFilterInstantiate I am leaving the vmuuid parameter as ATTRIBUTE_UNUSED until the DHCP snooping patches arrive. (we may not post the DHCP snooping patches for 0.9.9, though) Mostly this is a pretty trivial patch. On the lowest layers, in lxc_driver and uml_conf, I am passing the virDomainDefPtr around until I am passing only the VM's uuid into the NWFilter calls.
-
由 Stefan Berger 提交于
This patch cleans up return codes in the nwfilter subsystem. Some functions in nwfilter_conf.c (validators and formatters) are keeping their bool return for now and I am converting their return code to true/false. All other functions now have failure return codes of -1 and success of 0. [I searched for all occurences of ' 1;' and checked all 'if ' and adapted where needed. After that I did a grep for 'NWFilter' in the source tree.]
-
- 24 11月, 2011 1 次提交
-
-
由 Stefan Berger 提交于
Remove the virConnectPtr from the nwfilter's internal API calls as far as possible.
-
- 23 11月, 2011 9 次提交
-
-
由 Michal Privoznik 提交于
Latest nwfilter patch ad6c67cf introduced uninitialized return value. This was spotted by 4.6.2 gcc.
-
由 Daniel P. Berrange 提交于
* src/nwfilter/nwfilter_learnipaddr.c: Initialize ret variable
-
由 Stefan Berger 提交于
In preparation of DHCP Snooping and the detection of multiple IP addresses per interface: The hash table that is used to collect the detected IP address of an interface can so far only handle one IP address per interface. With this patch we extend this to allow it to handle a list of IP addresses. Above changes the returned variable type of virNWFilterGetIpAddrForIfname() from char * to virNWFilterVarValuePtr; adapt all existing functions calling this function.
-
由 Stefan Berger 提交于
In preparation for the DHCP Snooping code: Pass an additional parameter into the applyDHCPOnly function of the 'techdriver'.
-
由 Stefan Berger 提交于
Introduce a shell variable 'IBT' to invoke the ip(6)tables command. Tested with libvirt-tck.
-
由 Stefan Berger 提交于
Introduce a shell variable 'EBT' to invoke the ebtables command. Hard-code the used ebtables table to '-t nat'. Tested with libvirt-tck.
-
由 Stefan Berger 提交于
Display the executed command and failure message if a command failed to execute. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
-
由 Stefan Berger 提交于
This patch adds support for filtering of STP (spanning tree protocol) traffic to the parser and makes us of the ebtables support for STP filtering. This code now enables the filtering of traffic in chains with prefix 'stp'. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
-
由 Stefan Berger 提交于
With hunks borrowed from one of David Steven's previous patches, we now add the capability of having a 'mac' chain which is useful to filter for multiple valid MAC addresses. Signed-off-by: NDavid L Stevens <dlstevens@us.ibm.com> Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
-
- 19 11月, 2011 5 次提交
-
-
由 Stefan Berger 提交于
This patch adds support for filtering of VLAN (802.1Q) traffic to the parser and makes us of the ebtables support for VLAN filtering. This code now enables the filtering of traffic in chains with prefix 'vlan'. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
-
由 Stefan Berger 提交于
This patch extends the NWFilter driver for Linux (ebiptables) to create rules for each member of a previously introduced list. If for example an attribute value (internally) looks like this: IP = [10.0.0.1, 10.0.0.2, 10.0.0.3] then 3 rules will be generated for a rule accessing the variable 'IP', one for each member of the list. The effect of this is that this now allows for filtering for multiple values in one field. This can then be used to support for filtering/allowing of multiple IP addresses per interface. An iterator is introduced that extracts each member of a list and puts it into a hash table which then is passed to the function creating a rule. For the above example the iterator would cause 3 loops. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
-
由 Stefan Berger 提交于
NWFilters can be provided name-value pairs using the following XML notation: <filterref filter='xyz'> <parameter name='PORT' value='80'/> <parameter name='VAL' value='abc'/> </filterref> The internal representation currently is so that a name is stored as a string and the value as well. This patch now addresses the value part of it and introduces a data structure for storing a value either as a simple value or as an array for later support of lists. This patch adjusts all code that was handling the values in hash tables and makes it use the new data type. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
-
由 Stefan Berger 提交于
The previous patch extends the priority of filtering rules into negative numbers. We now use this possibility to interleave the jumping into chains with filtering rules to for example create the 'root' table of an interface with the following sequence of rules: Bridge chain: libvirt-I-vnet0, entries: 6, policy: ACCEPT -p IPv4 -j I-vnet0-ipv4 -p ARP -j I-vnet0-arp -p ARP -j ACCEPT -p 0x8035 -j I-vnet0-rarp -p 0x835 -j ACCEPT -j DROP The '-p ARP -j ACCEPT' rule now appears between the jumps. Since the 'arp' chain has been assigned priority -700 and the 'rarp' chain -600, the above ordering can now be achieved with the following rule: <rule action='accept' direction='out' priority='-650'> <mac protocolid='arp'/> </rule> This patch now sorts the commands generating the above shown jumps into chains and interleaves their execution with those for generating rules. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
-
由 Stefan Berger 提交于
So far rules' priorities have only been valid in the range [0,1000]. Now I am extending their priority into the range [-1000, 1000] for subsequently being able to sort rules and the access of (jumps into) chains following priorities. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
-