v1: https://www.redhat.com/archives/libvir-list/2018-April/msg02616.html

Today the nwfilter driver is entangled with the virt drivers in both
directions. At various times when rebuilding filters nwfilter will call
out to the virt driver to iterate over running guests' NICs. This has
caused very complicated lock ordering rules to be required.

If we are to split the virt drivers out into separate daemons we need to
get rid of this coupling since we don't want the separate daemons
calling each other, as that risks deadlock if all of the RPC workers are
busy.

The obvious way to solve this is to have the nwfilter driver remember
all the filters it has active, avoiding the need to iterate over running
guests.

Easy parts of the v1 posting have already been merged. This v2 is much
more complete, though still not entirely ready for merge.

 - The virNWFilterBindingPtr was renamed virNWFilterBindingDefPtr

 - New virNWFilterBindingObjPtr & virNWFilterBindingObjListPtr
   structs added to track the objects in the driver

 - New virNWFilterBindingPtr public API type was added

 - New public APIs for listing filter bindings, querying XML, and
   creating/deleting them

 - Convert the virt drivers to use the public API for creating and
   deleting bindings

 - Persist active bindings out to disk so they're preserved across
   restarts

 - Added RNG schema and XML-2-XML test

 - New virsh commands for listing/querying XML/creating/deleting
   bindings

Still todo

 - Document the new XML format

 - Run the nwfilter stress tests to see what I've undoubtedly broken

 - Think about recording the NIC index in the virNWFilterBindingObjPtr
   and persisting across restarts, so we can track if the NIC we had
   previously used was deleted & recreated - in which case we can drop
   the stale binding.

 - Probably something else...

Daniel P. Berrangé (21):
  util: fix misleading command for virObjectLock
  conf: change virNWFilterBindingPtr to virNWFilterBindingDefPtr
  conf: add missing virxml.h include for nwfilter_params.h
  conf: move virNWFilterBindingDefPtr into its own files
  conf: add support for parsing/formatting virNWFilterBindingDefPtr
  schemas: add schema for nwfilter binding XML document
  nwfilter: export port binding concept in the public API
  access: add nwfilter binding object permissions
  remote: add support for nwfilter binding objects
  virsh: add nwfilter binding commands
  nwfilter: convert the gentech driver code to use virNWFilterBindingDefPtr
  nwfilter: convert IP address learning code to virNWFilterBindingDefPtr
  nwfilter: convert DHCP address snooping code to virNWFilterBindingDefPtr
  conf: report an error if nic needs filtering by no driver is present
  conf: introduce a virNWFilterBindingObjPtr struct
  conf: introduce a virNWFilterBindingObjListPtr struct
  nwfilter: keep track of active filter bindings
  nwfilter: remove virt driver callback layer for rebuilding filters
  nwfilter: wire up new APIs for listing and querying filter bindings
  nwfilter: wire up new APIs for creating and deleting nwfilter bindings
  nwfilter: convert virt drivers to use public API for nwfilter bindings

 docs/schemas/domaincommon.rng | 27 +-
 docs/schemas/nwfilter.rng | 29 +-
 docs/schemas/nwfilter_params.rng | 32 ++
 docs/schemas/nwfilterbinding.rng | 49 ++
 include/libvirt/libvirt-nwfilter.h | 39 ++
 include/libvirt/virterror.h | 2 +
 src/access/viraccessdriver.h | 5 +
 src/access/viraccessdrivernop.c | 10 +
 src/access/viraccessdriverpolkit.c | 21 +
 src/access/viraccessdriverstack.c | 24 +
 src/access/viraccessmanager.c | 15 +
 src/access/viraccessmanager.h | 5 +
 src/access/viraccessperm.c | 7 +-
 src/access/viraccessperm.h | 39 ++
 src/conf/Makefile.inc.am | 6 +
 src/conf/domain_nwfilter.c | 125 ++++-
 src/conf/domain_nwfilter.h | 13 -
 src/conf/nwfilter_conf.c | 223 ++------
 src/conf/nwfilter_conf.h | 68 +--
 src/conf/nwfilter_params.h | 1 +
 src/conf/virnwfilterbindingdef.c | 279 ++++++++++
 src/conf/virnwfilterbindingdef.h | 65 +++
 src/conf/virnwfilterbindingobj.c | 260 ++++++++++
 src/conf/virnwfilterbindingobj.h | 60 +++
 src/conf/virnwfilterbindingobjlist.c | 475 ++++++++++++++++++
 src/conf/virnwfilterbindingobjlist.h | 66 +++
 src/conf/virnwfilterobj.c | 4 +-
 src/conf/virnwfilterobj.h | 4 +
 src/datatypes.c | 67 +++
 src/datatypes.h | 31 ++
 src/driver-nwfilter.h | 30 ++
 src/libvirt-nwfilter.c | 305 +++++++++++
 src/libvirt_private.syms | 42 +-
 src/libvirt_public.syms | 13 +
 src/lxc/lxc_driver.c | 28 --
 src/nwfilter/nwfilter_dhcpsnoop.c | 151 +++---
 src/nwfilter/nwfilter_dhcpsnoop.h | 7 +-
 src/nwfilter/nwfilter_driver.c | 211 ++++++--
 src/nwfilter/nwfilter_gentech_driver.c | 307 +++++------
 src/nwfilter/nwfilter_gentech_driver.h | 22 +-
 src/nwfilter/nwfilter_learnipaddr.c | 98 ++--
 src/nwfilter/nwfilter_learnipaddr.h | 7 +-
 src/qemu/qemu_driver.c | 25 -
 src/remote/remote_daemon_dispatch.c | 15 +
 src/remote/remote_driver.c | 20 +
 src/remote/remote_protocol.x | 90 +++-
 src/remote_protocol-structs | 43 ++
 src/rpc/gendispatch.pl | 15 +-
 src/uml/uml_driver.c | 29 --
 src/util/virerror.c | 12 +
 src/util/virobject.c | 2 +-
 tests/Makefile.am | 7 +
 .../filter-vars.xml | 11 +
 .../virnwfilterbindingxml2xmldata/simple.xml | 9 +
 tests/virnwfilterbindingxml2xmltest.c | 113 +++++
 tests/virschematest.c | 1 +
 tools/virsh-completer.c | 45 ++
 tools/virsh-completer.h | 4 +
 tools/virsh-nwfilter.c | 318 ++++++++++++
 tools/virsh-nwfilter.h | 8 +
 60 files changed, 3247 insertions(+), 792 deletions(-)
 create mode 100644 docs/schemas/nwfilter_params.rng
 create mode 100644 docs/schemas/nwfilterbinding.rng
 create mode 100644 src/conf/virnwfilterbindingdef.c
 create mode 100644 src/conf/virnwfilterbindingdef.h
 create mode 100644 src/conf/virnwfilterbindingobj.c
 create mode 100644 src/conf/virnwfilterbindingobj.h
 create mode 100644 src/conf/virnwfilterbindingobjlist.c
 create mode 100644 src/conf/virnwfilterbindingobjlist.h
 create mode 100644 tests/virnwfilterbindingxml2xmldata/filter-vars.xml
 create mode 100644 tests/virnwfilterbindingxml2xmldata/simple.xml
 create mode 100644 tests/virnwfilterbindingxml2xmltest.c

--
2.17.0

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
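
Added example (not part of the original posting and not libvirt code): the driver-side bookkeeping the cover letter describes, together with the stale-binding check from its todo list. A rebuild walks only the driver's own table, and a binding whose recorded NIC index no longer matches the host is dropped. All type and function names, the fixed-size table and the sample NIC names and indexes are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration; every name here is hypothetical, none is libvirt's. */
#define MAX_BINDINGS 16
static struct binding {
    char portdev[16];  /* host NIC the filter is attached to; "" = free slot */
    char filter[64];   /* name of the filter bound to that NIC */
    unsigned ifindex;  /* kernel interface index recorded at bind time */
} table[MAX_BINDINGS];

/* Entry whose port name equals portdev ("" finds a free slot), else NULL. */
struct binding *binding_find(const char *portdev) {
    for (struct binding *b = table; b < table + MAX_BINDINGS; b++)
        if (strcmp(b->portdev, portdev) == 0)
            return b;
    return NULL;
}
/* Returns 0 on success, -1 on bad input, duplicate port or full table. */
int binding_add(const char *portdev, const char *filter, unsigned ifindex) {
    struct binding *b = binding_find("");
    if (!b || !portdev[0] || !ifindex || binding_find(portdev) ||
        strlen(portdev) >= sizeof b->portdev || strlen(filter) >= sizeof b->filter)
        return -1;
    strcpy(b->portdev, portdev);
    strcpy(b->filter, filter);
    b->ifindex = ifindex;
    return 0;
}

/* Rebuild pass over the driver's own table, never over running guests. lookup()
 * returns the NIC's current ifindex, 0 if gone, as if_nametoindex() does. */
int binding_drop_stale(unsigned (*lookup)(const char *)) {
    int dropped = 0;
    for (struct binding *b = table; b < table + MAX_BINDINGS; b++)
        if (b->portdev[0] && lookup(b->portdev) != b->ifindex) {
            b->portdev[0] = '\0';  /* missing or changed index: stale binding */
            dropped++;
        }
    return dropped;
}
/* Constructed host state: vnet0 has index 7, vnet1 has 12, nothing else exists. */
unsigned sample_lookup(const char *name) {
    return !strcmp(name, "vnet0") ? 7 : !strcmp(name, "vnet1") ? 12 : 0;
}
int main(void) {
    binding_add("vnet0", "clean-traffic", 7);   /* index unchanged: kept */
    binding_add("vnet1", "clean-traffic", 9);   /* recreated as 12: stale */
    binding_add("vnet2", "clean-traffic", 11);  /* deleted: stale */
    printf("dropped %d stale binding(s)\n", binding_drop_stale(sample_lookup));
}
```

Comparing the NIC index as well as the name matters because a device name such as vnet1 can be reused by a different guest after a restart, and a binding matched on name alone would apply the old filter to the new NIC.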