[libvirt] [PATCH 11/13] Add qemu support


 



Add support for Qemu to have firewall rules applied on VM startup and
removed on VM shutdown. This patch also provides support for updating a
filter, which causes all VMs that reference that filter to have their
ebtables/iptables rules updated.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>





---
 src/qemu/qemu_conf.c   |   37 +++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_conf.h   |    2 ++
 src/qemu/qemu_driver.c |   29 +++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+)

Index: libvirt-acl/src/qemu/qemu_conf.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_conf.c
+++ libvirt-acl/src/qemu/qemu_conf.c
@@ -54,6 +54,7 @@
 #include "network.h"
 #include "macvtap.h"
 #include "cpu/cpu.h"
+#include "nwfilter/nwfilter_gentech_driver.h"
 
 #define VIR_FROM_THIS VIR_FROM_QEMU
 
@@ -346,6 +347,14 @@ int qemudLoadDriverConfig(struct qemud_d
         }
     }
 
+    p = virConfGetValue (conf, "nwFilter");
+    CHECK_TYPE ("nwFilter", VIR_CONF_LONG);
+    if (p && p->l) {
+        driver->nwFilter = p->l;
+    }
+    // FIXME: Remove this
+    driver->nwFilter = 1;
+
     p = virConfGetValue (conf, "relaxed_acs_check");
     CHECK_TYPE ("relaxed_acs_check", VIR_CONF_LONG);
     if (p) driver->relaxedACS = p->l;
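Review bot: The config value read into `driver->nwFilter` is dead code, because `driver->nwFilter = 1;` two lines later unconditionally overrides it and leaves filtering impossible to switch off; the `// FIXME: Remove this` marks it as a test leftover, so the two lines should be dropped before merging. Separately, `driver->nwFilter = p->l;` assigns a long to a 1-bit field, so a config value of 2 would silently become 0 — `driver->nwFilter = (p->l != 0);` avoids that, although the neighbouring `relaxedACS` line has the same pattern. The `//` comment is also out of step with the `/* */` style used in these files. qemudLoadDriverConfig begins and ends outside the hunk.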
@@ -1468,6 +1477,17 @@ qemudPhysIfaceConnect(virConnectPtr conn
                                  net->ifname);
         }
     }
+
+    if (rc >= 0 && driver->nwFilter) {
+        if ((net->filter) && (net->ifname)) {
+            err = virNWFilterInstantiateFilter(conn, net);
+            if (err) {
+                close(rc);
+                rc = -1;
+                delMacvtap(net->ifname);
+            }
+        }
+    }
 #else
     (void)conn;
     (void)net;
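Review bot: In the failure branch `rc` is used as both the macvtap fd and the return value, so `close(rc); rc = -1;` is only correct because the close precedes the reassignment; a comment would protect that ordering, e.g. `/* rc still holds the macvtap fd; fail closed: no interface without its filter */`. Whether virNWFilterInstantiateFilter reports its own error is not visible here — if it does not, the caller only sees rc == -1 with no message — and `err` is assumed to be declared earlier in the function. The same fail-closed shape recurs in qemudNetworkIfaceConnect (next hunk) with only `close(tapfd)`, which looks consistent since there is no separate device to remove there. qemudPhysIfaceConnect begins and ends outside the hunk.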
@@ -1590,6 +1610,16 @@ qemudNetworkIfaceConnect(virConnectPtr c
         }
     }
 
+    if (tapfd >= 0 && driver->nwFilter) {
+        if ((net->filter) && (net->ifname)) {
+            err = virNWFilterInstantiateFilter(conn, net);
+            if (err) {
+                close(tapfd);
+                tapfd = -1;
+            }
+        }
+    }
+
 cleanup:
     VIR_FREE(brname);
 
@@ -3268,6 +3298,7 @@ int qemudBuildCommandLine(virConnectPtr 
     char domid[50];
     char *cpu;
     char *smp;
+    int last_good_net = -1;
 
     uname_normalize(&ut);
 
@@ -3903,6 +3934,7 @@ int qemudBuildCommandLine(virConnectPtr 
                     goto error;
                 ADD_ARG(host);
             }
+            last_good_net = i;
         }
     }
 
@@ -4363,6 +4395,11 @@ int qemudBuildCommandLine(virConnectPtr 
             VIR_FREE((qenv)[i]);
         VIR_FREE(qenv);
     }
+    for (i = 0; i <= last_good_net; i++) {
+        virDomainNetDefPtr net = def->nets[i];
+        if ((net->filter) && (net->ifname))
+            virNWFilterTeardownFilter(net);
+    }
     return -1;
 
 #undef ADD_ARG
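Review bot: The error-path teardown loop runs regardless of `driver->nwFilter`, whereas instantiation in qemudPhysIfaceConnect/qemudNetworkIfaceConnect and the shutdown teardown in qemu_driver.c are gated on it; tearing down rules that were never instantiated is presumably harmless, but wrapping the loop in `if (driver->nwFilter)` keeps the paths symmetric. `last_good_net` (declared and set in the two preceding hunks) appears to track the last net whose setup completed, so a failure on net i leaves it at i-1 and the loop covers exactly the instantiated ones — this holds only if `last_good_net = i;` runs after the interface-connect call, which is outside the hunk. A comment on the loop, `/* undo filters for nets 0..last_good_net that were already instantiated */`, would state that invariant. qemudBuildCommandLine begins and ends outside the hunk.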
Index: libvirt-acl/src/qemu/qemu_conf.h
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_conf.h
+++ libvirt-acl/src/qemu/qemu_conf.h
@@ -128,6 +128,8 @@ struct qemud_driver {
     unsigned int macFilter : 1;
     ebtablesContext *ebtables;
 
+    unsigned int nwFilter : 1;
+
     unsigned int relaxedACS : 1;
 
     virCapsPtr caps;
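Review bot: The new `nwFilter` bit-field is undocumented and sits in its own paragraph between the filtering fields and `relaxedACS`; placing it next to `macFilter`, which it parallels, with a one-line comment such as `unsigned int nwFilter : 1;   /* apply nwfilter rules to VM interfaces; config key "nwFilter" */` would tell a reader where it comes from and what it gates. struct qemud_driver begins and ends outside the hunk.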
Index: libvirt-acl/src/qemu/qemu_driver.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_driver.c
+++ libvirt-acl/src/qemu/qemu_driver.c
@@ -83,6 +83,7 @@
 #include "xml.h"
 #include "cpu/cpu.h"
 #include "macvtap.h"
+#include "nwfilter/nwfilter_gentech_driver.h"
 
 
 #define VIR_FROM_THIS VIR_FROM_QEMU
@@ -2994,6 +2995,15 @@ static void qemudShutdownVMDaemon(struct
      * reporting so we don't squash a legit error. */
     orig_err = virSaveLastError();
 
+    if (driver->nwFilter) {
+        def = vm->def;
+        for (i = 0 ; i < def->nnets ; i++) {
+            virDomainNetDefPtr net = def->nets[i];
+            if ((net->filter) && (net->ifname))
+                virNWFilterTeardownFilter(net);
+        }
+    }
+
     if (driver->macFilter) {
         def = vm->def;
         for (i = 0 ; i < def->nnets ; i++) {
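Review bot: The new loop duplicates the `driver->macFilter` loop that immediately follows it — both assign `def = vm->def` and walk `def->nets` — so a single pass with a per-feature guard inside the body would avoid iterating the nets twice and keep the two teardown paths side by side. Placing the teardown after `orig_err = virSaveLastError()` is right, since any error from virNWFilterTeardownFilter then cannot mask the original shutdown error; a comment making that intentional, `/* after virSaveLastError: teardown errors must not clobber the shutdown error */`, would prevent a later reorder. qemudShutdownVMDaemon begins and ends outside the hunk.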
@@ -6979,6 +6989,9 @@ qemudDomainDetachNetDevice(struct qemud_
         }
     }
 
+    if ((driver->nwFilter) && (detach->ifname) && (detach->filter))
+        virNWFilterTeardownFilter(detach);
+
     if (vm->def->nnets > 1) {
         memmove(vm->def->nets + i,
                 vm->def->nets + i + 1,
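Review bot: Detach tears the filter down, but nothing in this patch shows the hot-plug attach side instantiating one; if the corresponding attach function goes through qemudNetworkIfaceConnect it is covered by the earlier qemu_conf.c hunk, otherwise a hot-plugged interface with a `filter` would run unfiltered until the next restart — worth confirming. The guard also uses redundant parentheses and a different operand order from the same check elsewhere in the patch (`net->filter` before `net->ifname`); `if (driver->nwFilter && detach->filter && detach->ifname)` would match. qemudDomainDetachNetDevice begins and ends outside the hunk.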
@@ -9571,8 +9584,24 @@ static virStateDriver qemuStateDriver = 
     .active = qemudActive,
 };
 
+static int
+qemudVMFilterRebuild(virConnectPtr conn,
+                     virHashIterator iter, void *data)
+{
+    (void)conn;
+    virHashForEach(qemu_driver->domains.objs, iter, data);
+    return 0;
+}
+
+
+static virNWFilterCallbackDriver qemuCallbackDriver = {
+    .name = "QEMU",
+    .vmFilterRebuild = qemudVMFilterRebuild,
+};
+
 int qemuRegister(void) {
     virRegisterDriver(&qemuDriver);
     virRegisterStateDriver(&qemuStateDriver);
+    virNWFilterRegisterCallbackDriver(&qemuCallbackDriver);
     return 0;
 }
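Review bot: qemudVMFilterRebuild walks `qemu_driver->domains.objs` with virHashForEach without visibly taking the driver lock (qemuDriverLock/qemuDriverUnlock) that other domain-list accesses in this file use, and the hash can be mutated concurrently by define/undefine; either the callback contract must guarantee the caller holds it, or the function should lock around the iteration, and a comment should say which, e.g. `/* caller holds no locks; the driver lock is taken for the duration of the walk */`. If `iter` locks individual domain objects, the lock order against the driver lock also needs checking for a rebuild triggered while a VM is starting. A one-line comment on `qemuCallbackDriver` stating when `vmFilterRebuild` is invoked (on a filter update, per the commit message) would round this out.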
