- 02 Aug, 2010 1 commit
Committed by Laine Stump
This patch attempts to take advantage of a newly added netfilter module to correct for a problem with some guest DHCP client implementations when used in conjunction with a DHCP server run on the host systems with packet checksum offloading enabled.

The problem is that, when the guest uses a RAW socket to read the DHCP response packets, the checksum hasn't yet been fixed by the IP stack, so it is incorrect.

The fix implemented here is to add a rule to the POSTROUTING chain of the mangle table in iptables that fixes up the checksum for packets on the virtual network's bridge that are destined for the bootpc port (i.e. "dhcpc", i.e. port 68) on the guest.

Only very new versions of iptables will have this support (it will be in the next upstream release), so a failure to add this rule only results in a warning message. The iptables patch is here:

  http://patchwork.ozlabs.org/patch/58525/

A corresponding kernel module patch is also required (the backend of the iptables patch) and that will be in the next release of the kernel.
-
- 19 Jul, 2010 1 commit
Committed by Daniel P. Berrange
IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped.

With this change, the iptables -t nat -L -n -v rules for the default network will be

    Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes)
     pkts bytes target     prot opt in  out  source            destination
       14   840 MASQUERADE tcp  --  *   *    192.168.122.0/24  !192.168.122.0/24  masq ports: 1024-65535
       75  5752 MASQUERADE udp  --  *   *    192.168.122.0/24  !192.168.122.0/24  masq ports: 1024-65535
        0     0 MASQUERADE all  --  *   *    192.168.122.0/24  !192.168.122.0/24

* src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols
* src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
-
- 19 May, 2010 1 commit
Committed by Jim Meyering
* src/util/ebtables.c (ebtablesAddRemoveRule): Don't skip va_end(args) on an error path.
* src/util/iptables.c (iptablesAddRemoveRule): Identical change.
-
- 07 May, 2010 1 commit
Committed by Eric Blake
* configure.ac: Drop sys/wait.h check.
* src/libvirt.c (includes): Use header unconditionally.
* src/remote/remote_driver.c (includes): Likewise.
* src/storage/storage_backend.c (includes): Likewise.
* src/util/ebtables.c (includes): Likewise.
* src/util/hooks.c (includes): Likewise.
* src/util/iptables.c (includes): Likewise.
* src/util/util.c (includes): Likewise.
-
- 10 Mar, 2010 1 commit
Committed by Eric Blake
* global: patch created by running:

    for f in $(git ls-files '*.[ch]') ; do
      cppi $f > $f.t && mv $f.t $f
    done
-
- 09 Feb, 2010 1 commit
Committed by Matthias Bolte
It was used for error reporting only.
-
- 10 Dec, 2009 2 commits
Committed by Mark McLoughlin
We don't use this method of reloading rules anymore, so we can just kill the code.

This simplifies things a lot because we no longer need to keep a table of the rules we've added.

* src/util/iptables.c: kill iptablesReloadRules()
-
Committed by Mark McLoughlin
Long ago we tried to use Fedora's lokkit utility in order to register our iptables rules so that 'service iptables restart' would automatically load our rules.

There was one fatal flaw - if the user had configured iptables without lokkit, then we would clobber that configuration by running lokkit.

We quickly disabled lokkit support, but never removed it. Let's do that now.

The 'my virtual network stops working when I restart iptables' still remains. For all the background on this saga, see:

  https://bugzilla.redhat.com/227011

* src/util/iptables.c: remove lokkit support
* configure.in: remove --enable-lokkit
* libvirt.spec.in: remove the dirs used only for saving rules for lokkit
* src/Makefile.am: ditto
* src/libvirt_private.syms, src/network/bridge_driver.c, src/util/iptables.h: remove references to iptablesSaveRules
-
- 20 Nov, 2009 1 commit
Committed by Steve Yarmie
* src/util/iptables.c: `--option ! this` is deprecated in favor of `! --option this` syntax, change the output command accordingly
-
- 06 Nov, 2009 1 commit
Committed by Paolo Bonzini
* src/internal.h (ATTRIBUTE_SENTINEL): New, it's a gcc feature and protected as such
* src/util/buf.c (virBufferStrcat): Use it.
* src/util/ebtables.c (ebtablesAddRemoveRule): Use it.
* src/util/iptables.c (iptableAddRemoveRule): Use it.
* src/util/qparams.h (new_qparam_set, append_qparams): Use it.
* docs/apibuild.py: avoid breaking the API generator with that new internal keyword macro
-
- 21 Sep, 2009 1 commit
Committed by Daniel P. Berrange
* src/bridge.c, src/bridge.h, src/buf.c, src/buf.h, src/cgroup.c, src/cgroup.h, src/conf.c, src/conf.h, src/event.c, src/event.h, src/hash.c, src/hash.h, src/hostusb.c, src/hostusb.h, src/iptables.c, src/iptables.h, src/logging.c, src/logging.h, src/memory.c, src/memory.h, src/pci.c, src/pci.h, src/qparams.c, src/qparams.h, src/stats_linux.c, src/stats_linux.h, src/threads-pthread.c, src/threads-pthread.h, src/threads-win32.c, src/threads-win32.h, src/threads.c, src/threads.h, src/util.c, src/util.h, src/uuid.c, src/uuid.h, src/virterror.c, src/virterror_internal.h, src/xml.c, src/xml.h: Move all files into src/util/
* daemon/Makefile.am: Add -Isrc/util/ to build flags
* src/Makefile.am: Add -Isrc/util/ to build flags and update for moved files
* src/libvirt_private.syms: Export cgroup APIs since they're now in util rather than linking directly to drivers
* src/xen/xs_internal.c: Disable bogus virEventRemoveHandle call when built under PROXY
* proxy/Makefile.am: Update for changed file locations. Remove bogus build of event.c
* tools/Makefile.am, tests/Makefile.am: Add -Isrc/util/ to build flags
-
- 08 Sep, 2009 1 commit
Committed by Jim Meyering
* src/iptables.c (iptablesAddRemoveRule): Remove dead store.
-
- 03 Mar, 2009 1 commit
Committed by Daniel P. Berrange
-
- 06 Feb, 2009 1 commit
Committed by Jim Meyering
* src/iptables.c: Include "virterror_internal.h". Use virStrerror, not strerror.
* src/iptables.c (notifyRulesUpdated): Use %s rather than string-concatenation that made sc_unmarked_diagnostics report a false-positive.
-
- 03 Feb, 2009 1 commit
Committed by Jim Meyering
* Makefile.cfg (useless_free_options): Also check for VIR_FREE.
* src/iptables.c (iptRulesFree): Remove useless if-before-VIR_FREE.
* src/remote_internal.c (remoteAuthSASL): Likewise.
* src/test.c (testOpenFromFile): Likewise.
-
- 08 Nov, 2008 1 commit
Committed by Jim Meyering
Avoid a build error when configuring --without-xen --without-qemu.
* src/iptables.c [WITH_QEMU]: Don't #ifdef-out.
* src/iptables.h [WITH_QEMU]: Don't #ifdef-out.
* src/util.c (virRun) [__MINGW32__]: Define a stub that always fails.
-
- 06 Nov, 2008 1 commit
Committed by Cole Robinson
-
- 08 Aug, 2008 1 commit
Committed by Daniel P. Berrange
-
- 19 Jul, 2008 1 commit
Committed by Jim Meyering
* src/domain_conf.c (virDomainChrDefParseXML) (virDomainNetDefParseXML): Likewise.
* src/iptables.c (iptRuleFree): Likewise.
* src/storage_backend.c (virStorageBackendRunProgRegex): Likewise.
* src/test.c (testOpenFromFile): Likewise.
* src/xmlrpc.c (xmlRpcCallRaw): Likewise.
-
- 06 Jun, 2008 1 commit
Committed by Daniel P. Berrange
-
- 15 May, 2008 1 commit
Committed by Daniel P. Berrange
-
- 11 Apr, 2008 1 commit
Committed by Jim Meyering
Done with these commands:

    git grep -l Local.variab|xargs \
      perl -0x3b -pi -e 's,\n+/\*\n \* vim:(.|\n)*,\n,'
    git grep -l Local.variab|xargs \
      perl -0x3b -pi -e 's,\n+/\*\n \* Local variables:\n(.|\n)*,\n,'
-
- 29 Mar, 2008 1 commit
Committed by Daniel P. Berrange
-
- 28 Mar, 2008 1 commit
Committed by Daniel P. Berrange
-
- 27 Feb, 2008 1 commit
Committed by Richard W.M. Jones
-
- 23 Feb, 2008 1 commit
Committed by Jim Meyering
Avoid warnings like this:

    file:nnn:format not a string literal and no format arguments

* qemud/qemud.c: Insert a "%s" format argument.
* qemud/remote.c: Likewise.
* src/iptables.c: Likewise.
* src/qemu_driver.c: Likewise.
* src/storage_backend.c: Likewise.
* src/storage_backend_fs.c: Likewise.
* src/storage_backend_iscsi.c Likewise.
* src/storage_backend_logical.c: Likewise.
* src/storage_conf.c: Likewise.
* src/storage_driver.c: Likewise.
-
- 22 Feb, 2008 1 commit
Committed by Jim Meyering
* src/iptables.c (iptRulesSave) [!ENABLE_IPTABLES_LOKKIT]: Mark parameter as used.
-
- 08 Feb, 2008 1 commit
Committed by Jim Meyering
* po/POTFILES.in: Add names of many new files.
* Makefile.maint (err_func_re): Add qemudLog.
Mark diagnostics with _(...). Split some long lines.
* qemud/qemud.c (remoteCheckCertFile, remoteInitializeGnuTLS): (qemudDispatchSignalEvent, qemudSetCloseExec, qemudSetNonBlock): (qemudWritePidFile, qemudListenUnix, remoteMakeSockets): (remoteListenTCP, qemudInitPaths, qemudInitialize): (qemudNetworkInit, remoteInitializeTLSSession, remoteCheckDN): (remoteCheckCertificate, remoteCheckAccess, qemudDispatchServer): (qemudClientReadBuf, qemudDispatchClientRead): (qemudClientWriteBuf, qemudDispatchClientWrite, qemudOneLoop): (remoteConfigGetStringList, checkType, GET_CONF_STR): (remoteConfigGetAuth, remoteReadConfigFile, main):
* qemud/remote.c (remoteDispatchAuthSaslInit, remoteSASLCheckSSF): (remoteSASLCheckAccess, remoteDispatchAuthSaslStart): (remoteDispatchAuthSaslStep, remoteDispatchAuthSaslInit): (remoteDispatchAuthSaslStart, remoteDispatchAuthSaslStep): (qemudGetSocketIdentity, remoteDispatchAuthPolkit):
* src/iptables.c (notifyRulesUpdated, MAX_FILE_LEN, iptRulesSave): (iptRulesReload):
* src/qemu_conf.c (qemudExtractVersionInfo, qemudLoadConfig): (qemudLoadNetworkConfig, qemudScanConfigDir):
* src/qemu_driver.c (qemudSetCloseExec, qemudSetNonBlock): (qemudAutostartConfigs, qemudStartup, qemudReload): (qemudWaitForMonitor, qemudStartVMDaemon, qemudVMData): (qemudShutdownVMDaemon, qemudStartNetworkDaemon): (qemudShutdownNetworkDaemon, qemudMonitorCommand): (qemudDomainUndefine, qemudNetworkUndefine):
* src/uuid.c (virUUIDGenerate):
* src/xm_internal.c (xenXMAttachInterface):
-
- 07 Feb, 2008 1 commit
Committed by Mark McLoughlin
-
- 06 Feb, 2008 1 commit
Committed by Jim Meyering
* Makefile.cfg (local-checks-to-skip): Remove sc_trailing_blank.
* .x-sc_trailing_blank: New file, to exempt the few binary files.
-
- 30 Jan, 2008 2 commits
Committed by Jim Meyering
Use <config.h>, not "config.h", per autoconf documentation.
* Makefile.cfg (local-checks-to-skip) [sc_require_config_h]: Enable.
* .x-sc_require_config_h: New file, to list exempted files.
* Makefile.am (EXTRA_DIST): Add .x-sc_require_config_h.
-
Committed by Jim Meyering
Likewise, given if (foo != NULL) free (foo); remove the useless "if" test.
* proxy/libvirt_proxy.c: Remove unnecessary "if" test before free.
* python/generator.py: Likewise.
* qemud/qemud.c: Likewise.
* src/buf.c: Likewise.
* src/conf.c: Likewise.
* src/hash.c: Likewise.
* src/iptables.c: Likewise.
* src/libvirt.c: Likewise.
* src/openvz_conf.c: Likewise.
* src/qemu_conf.c: Likewise.
* src/qemu_driver.c: Likewise.
* src/remote_internal.c: Likewise.
* src/test.c: Likewise.
* src/virsh.c: Likewise.
* src/virterror.c: Likewise.
* src/xen_internal.c: Likewise.
* src/xen_unified.c: Likewise.
* src/xend_internal.c: Likewise.
* src/xm_internal.c: Likewise.
* src/xml.c: Likewise.
* src/xmlrpc.c: Likewise.
* src/xs_internal.c: Likewise.
* tests/testutils.c: Likewise.
* tests/xencapstest.c: Likewise.
* tests/xmconfigtest.c: Likewise.
-
- 10 Jan, 2008 8 commits
Committed by Mark McLoughlin
-
Committed by Mark McLoughlin
and run lokkit each time a new rule is added.
-
Committed by Mark McLoughlin
need to add or delete them
-
Committed by Mark McLoughlin
longer useful, so let's remove it.
-
Committed by Mark McLoughlin
a proposed system for letting iptables know how to reload our rules. The proposed system wasn't accepted so, although there might be some other theoretical use for this, let's just remove it.
-
Committed by Mark McLoughlin
iptables configuration using the lokkit --custom-rules command. Basically, we write out our rules to /var/lib/libvirt/iptables and run lokkit --custom-rules so that if e.g. iptables is restarted or the user edits their firewall configuration, then libvirt's rules get reloaded.
-
Committed by Mark McLoughlin
-
Committed by Mark McLoughlin
-