On Wed, Mar 17, 2010 at 10:53:37AM -0400, Stefan Berger wrote: > "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote on 03/17/2010 10:40:36 > AM: > > > > > > On Thu, Mar 11, 2010 at 08:06:04AM -0500, Stefan Berger wrote: > > > Hi! > > > > > > The following set of patches add network filtering (ACL) extensions to > > > libvirt and enable network traffic filtering for VMs using ebtables > and, > > > depending on the networking technology being used (tap, but not > > > macvtap), also iptables. Usage of either is optional and controlled > > > through filters that a VM is referencing. > > > > > > The ebtables-level filtering is based on the XML derived from the CIM > > > network slide 10 (filtering) from the DMTF website > > > (http://www.dmtf.org/standards/cim/cim_schema_v2230/CIM_Network.pdf). > > > The XML we derived from this was discussed on the list before. On the > > > ebtables level we currently handle filtering of IPv4 and ARP traffic. > > > > It is planned to cover IPv6 too, either at ebtables or ip6tables > > level ? > > Well, the code should be able to handle it and we at least thought about > it. I am not an IPv6 expert myself ... currently ... yet. :-) > > > > > > > I've not looked at the actual code in detail yet, but the public API, > > virsh commands, XML etc all looks generally good to me. I'll try and > > get you a detailed code review friday/monday once I get through my > > current work items. > > Let me post another series later today with the fixes that I have made > following your reviews and changes I did make myself. > > > > > > One comment about the instantiation of the rules: Since the XML allows > > > to create nearly any possible combination of parameters to ebtables or > > > iptables commands, I haven't used the ebtables or iptables wrappers. > > > Instead, I am writing ebtables/iptables command into a buffer, add > > > command line options to each one of them as described in the rule's > XML, > > > write the buffer into a file and run it as a script. For those > commands > > > that are not allowed to fail I am using the following format to run > > > them: > > > > > > cmd="ebtables <some options>" > > > r=`${cmd}` > > > if [ $? -ne 0 ]; then > > > echo "Failure in command ${cmd}." > > > exit 1 > > > fi > > > > > > cmd="..." > > > [...] > > > > > > If one of the command fails in such a batch, the libvirt code is going > > > pick up the error code '1', tear down anything previously established > > > and report an error back. The actual error message shown above is > > > currently not reported back, but can be later on with some changes to > > > the commands running external programs that need to read the script's > > > stdout. > > > > I understand why you can't use the ebtables/iptables APIs we currently > > have there, but I'm not much of a fan of using the shell script. Isn't > > it just as easy to directly call virRun() with each set of ARGV to be > > exec'd ? > > I hadn't thought about calling that function... I would want to call a > function that can handle something like bash scripts, i.e., multiple > concatenated fragments as those shown above just to be more 'efficient'. Is it really more efficient ? If you need to run 20 ebtables commands, then using bash does 1 fork/exec for bash & bash then does another 20 fork/exec for ebtables. Alternatively just use virRun() for each ebtables command you just still have 20 fork/execs, without using bash. > If virRun() can handle that and $? for example would be treated there as > the return value (which I think is bash-dependent), I'd be happy to call > it as well. I'd think just call virRun once for each ebtables command - virRun gives you back the exit status of the command Regards, Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list