This patch adds MAC address based port filtering to the qemu driver.
Signed-off-by: Gerhard Stenzel <gerhard.stenzel@xxxxxxxxxx>
---
 src/qemu/qemu.conf | 3 +++
 src/qemu/qemu_conf.c | 14 ++++++++++++++
 src/qemu/qemu_conf.h | 2 ++
 src/qemu/qemu_driver.c | 23 +++++++++++++++++++++++
 4 files changed, 42 insertions(+), 0 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 6d6b86a..53c4522 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -152,3 +152,6 @@
 # in a location of $MOUNTPOINT/libvirt/qemu
 # hugetlbfs_mount = "/dev/hugepages"
 
+
+mac_filter = 1
+
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index ac63570..7a3b1f1 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -318,6 +318,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
 }
 }
 
+ p = virConfGetValue (conf, "mac_filter");
+ CHECK_TYPE ("mac_filter", VIR_CONF_LONG);
+ if (p) driver->macFilter = p->l;
+
 virConfFree (conf);
 return 0;
 }
@@ -1193,6 +1197,16 @@ qemudNetworkIfaceConnect(virConnectPtr conn,
 tapfd = -1;
 }
 
+ if (driver->macFilter) {
+ virNetworkPtr network = virNetworkLookupByName(conn,
+ net->data.network.name);
+ if ((err = virNetworkAllowMacOnPort(network, brname, net->ifname, net->mac))) {
+ virReportSystemError(conn, err,
+ _("failed to add ebtables rule to allow MAC address on '%s'"),
+ net->ifname);
+ }
+ }
+
 cleanup:
 VIR_FREE(brname);
 
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index f9a970f..ddcbd8a 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -112,6 +112,8 @@ struct qemud_driver {
 char *hugetlbfs_mount;
 char *hugepage_path;
 
+ unsigned int macFilter : 1;
+
 virCapsPtr caps;
 
 /* An array of callbacks */
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 155e4a3..a95c867 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
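Review bot: The new `mac_filter = 1` line is the only active setting in this sample config; every neighbouring entry (`# hugetlbfs_mount = ...`) is a commented-out example, so shipping it uncommented switches on the ebtables rules and the drop-all-frames default rule for every installation that copies this file as-is. It also carries no explanation of what the option does or that it depends on ebtables being present. I would document it in the file's existing style and leave it opt-in: `# Filter guest NIC ports with ebtables so only the configured MAC may send; requires ebtables.` followed by `# mac_filter = 1`.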
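Review bot: `if (p) driver->macFilter = p->l;` stores a long into a one-bit field, so the value is silently truncated: `mac_filter = 2` becomes 0 and the filter is quietly off, which is a poor failure mode for a security control. Normalise it on assignment, `if (p) driver->macFilter = (p->l != 0);`, or reject anything other than 0 and 1 with an explicit error. The enclosing qemudLoadDriverConfig starts outside the hunk, so the behaviour of CHECK_TYPE on a mismatch is not visible here.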
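Review bot: The `virNetworkPtr` returned by `virNetworkLookupByName` is neither NULL-checked nor released, so a failed lookup passes NULL into virNetworkAllowMacOnPort and every successful call leaks one network object per interface started. Also, when the rule cannot be installed the error is only reported and the tap device is still handed to the guest, i.e. with `mac_filter` enabled a failed ebtables call fails open; on this path it would be safer to tear the tap down the way the error branch just above does (it ends in `tapfd = -1;`). `net->data.network.name` is only meaningful for network-type interfaces, so if qemudNetworkIfaceConnect is also reached for bridge-type NICs (its beginning is outside the hunk) this reads the wrong union member. Suggested shape below, keeping the existing error reporting.
```c
    if (driver->macFilter) {
        virNetworkPtr network = virNetworkLookupByName(conn,
                                                       net->data.network.name);
        if (network == NULL ||
            (err = virNetworkAllowMacOnPort(network, brname, net->ifname, net->mac))) {
            if (network != NULL)
                virReportSystemError(conn, err,
                                     _("failed to add ebtables rule to allow MAC address on '%s'"),
                                     net->ifname);
            /* fail closed: release the tap device exactly as the error
             * branch above does and leave tapfd = -1 */
        }
        if (network != NULL)
            virNetworkFree(network);
    }
    /* … unchanged: cleanup label, VIR_FREE(brname) … */
```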
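Review bot: `macFilter` is the only camelCase member among its neighbours (`hugetlbfs_mount`, `hugepage_path`) and it is the field the config key `mac_filter` is loaded into, so `unsigned int mac_filter : 1;` would keep the struct and the option consistent. A one-line comment saying what the bit controls, `/* install ebtables MAC rules for guest NIC ports (qemu.conf mac_filter) */`, would save readers a trip to qemu_conf.c and qemu_driver.c.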
@@ -239,6 +239,14 @@ qemudAutostartConfigs(struct qemud_driver *driver) {
 }
 virDomainObjUnlock(vm);
 }
+ if (qemu_driver->macFilter) {
+ fprintf(stderr,"%s:%s:%d macFilter=%d\n", __FILE__, __FUNCTION__, __LINE__, qemu_driver->macFilter);
+ if ((errno = virNetworkDisableAllFrames(conn))) {
+ virReportSystemError(conn, errno,
+ _("failed to add rule to drop all frames in '%s'"), __FILE__);
+ }
+ }
+
 
 qemuDriverUnlock(driver);
 if (conn)
@@ -2167,8 +2175,23 @@ cleanup:
 static void qemudShutdownVMDaemon(virConnectPtr conn,
 struct qemud_driver *driver,
 virDomainObjPtr vm) {
+ int ret;
 int retries = 0;
+ char *brname;
+
+ virDomainNetDefPtr net = vm->def->nets[0];
+ virNetworkPtr network = virNetworkLookupByName(conn,
+ net->data.network.name);
+ brname = virNetworkGetBridgeName(network);
+
+ if (driver->macFilter) {
+ if ((errno = virNetworkDisallowMacOnPort(network, brname, net->ifname, net->mac))) {
+ virReportSystemError(conn, errno,
+ _("failed to add ebtables rule to allow MAC address on '%s'"),
+ net->ifname);
+ }
+ }
 
 if (!virDomainIsActive(vm))
 return;
-- 
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
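Review bot: The `fprintf(stderr, "%s:%s:%d macFilter=%d\n", __FILE__, __FUNCTION__, __LINE__, ...)` line is leftover debug output written straight to the daemon's stderr; it should go, or become whatever logging call the rest of this file uses. The block also reads the global `qemu_driver` although qemudAutostartConfigs receives `driver` as a parameter (visible in the hunk header), and it stores the return value in `errno` instead of a local, which clobbers whatever errno held and reads oddly; the qemudShutdownVMDaemon hunk below does the same. The `'%s'` in the error message is filled with `__FILE__`, so an admin sees a source path instead of what failed. Rewritten block below.
```c
    if (driver->macFilter) {
        int err = virNetworkDisableAllFrames(conn);
        if (err) {
            virReportSystemError(conn, err, "%s",
                                 _("failed to add ebtables rule to drop all frames"));
        }
    }
    /* … unchanged: qemuDriverUnlock(driver); if (conn) … */
```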
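Review bot: `vm->def->nets[0]` is dereferenced unconditionally, so a domain with no network interface reads past the array on every shutdown, and a domain with several NICs only has its first MAC rule removed, leaving stale allow rules in ebtables; the lookup and `virNetworkGetBridgeName` also run even when `driver->macFilter` is off and before the `!virDomainIsActive(vm)` early return. The network object and `brname` are never released, the message says "allow" for a Disallow call, `net->data.network.name` is only valid for network-type NICs, and errno is again used as a scratch variable. `int ret` is added but not used inside the hunk, and the rest of qemudShutdownVMDaemon lies outside it. I would move the whole thing behind the active check and loop over all NICs:
```c
    if (!virDomainIsActive(vm))
        return;

    if (driver->macFilter) {
        int i;
        for (i = 0; i < vm->def->nnets; i++) {
            virDomainNetDefPtr net = vm->def->nets[i];
            virNetworkPtr network;
            char *brname;
            int err;

            if (net->type != VIR_DOMAIN_NET_TYPE_NETWORK)
                continue;
            network = virNetworkLookupByName(conn, net->data.network.name);
            if (!network)
                continue;            /* lookup already reported the error */
            brname = virNetworkGetBridgeName(network);
            if (brname &&
                (err = virNetworkDisallowMacOnPort(network, brname, net->ifname, net->mac))) {
                virReportSystemError(conn, err,
                                     _("failed to remove ebtables rule for MAC address on '%s'"),
                                     net->ifname);
            }
            VIR_FREE(brname);
            virNetworkFree(network);
        }
    }
    /* … unchanged: rest of qemudShutdownVMDaemon … */
```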