The Xen libxl driver does not support nwfilter. Introduce a deviceValidateCallback function with a check for nwfilters, returning VIR_ERR_CONFIG_UNSUPPORTED if any are found. Also fail to start any existing VMs referencing nwfilters. Drivers generally ignore unrecognized XML configuration, but ignoring a user's request to filter VM network traffic can be viewed as a security issue. Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> --- This is a V2 of patch2 from this series https://lists.libvirt.org/archives/list/devel@xxxxxxxxxxxxxxxxx/thread/QDRDSKDLL5GZVXDSIJO5R32Q5F4AFZLR/ I've pushed patch1. Personally I'm fine leaving it at that, but I made it this far so might as well give patch2 another attempt :-). There's still the open question whether the same should be done for the other hypervisor drivers that do not support nwfilters. Changes in V2: Use deviceValidateCallback instead of devicesPostParseCallback Reject use of nwfilters at VM start src/libxl/libxl_conf.c | 7 +++++++ src/libxl/libxl_domain.c | 18 ++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c index 62e1be6672..bf5d925a20 100644 --- a/src/libxl/libxl_conf.c +++ b/src/libxl/libxl_conf.c @@ -1279,6 +1279,13 @@ libxlMakeNic(virDomainDef *def, * x_nics[i].mtu = 1492; */ + if (l_nic->filter) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("filterref is not supported in %1$s"), + virDomainVirtTypeToString(def->virtType)); + return -1; + } + if (l_nic->script && !(actual_type == VIR_DOMAIN_NET_TYPE_BRIDGE || actual_type == VIR_DOMAIN_NET_TYPE_ETHERNET)) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", diff --git a/src/libxl/libxl_domain.c b/src/libxl/libxl_domain.c index 0f129ec69c..d400f32627 100644 --- a/src/libxl/libxl_domain.c +++ b/src/libxl/libxl_domain.c @@ -356,12 +356,30 @@ libxlDomainDefValidate(const virDomainDef *def, return 0; } +static int +libxlDomainDeviceDefValidate(const virDomainDeviceDef *dev, + const virDomainDef *def, + void *opaque G_GNUC_UNUSED, + void *parseOpaque G_GNUC_UNUSED) +{ + if (dev->type == VIR_DOMAIN_DEVICE_NET && dev->data.net->filter) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("filterref is not supported in %1$s"), + virDomainVirtTypeToString(def->virtType)); + return -1; + } + + return 0; +} + + virDomainDefParserConfig libxlDomainDefParserConfig = { .macPrefix = { 0x00, 0x16, 0x3e }, .netPrefix = LIBXL_GENERATED_PREFIX_XEN, .devicesPostParseCallback = libxlDomainDeviceDefPostParse, .domainPostParseCallback = libxlDomainDefPostParse, .domainValidateCallback = libxlDomainDefValidate, + .deviceValidateCallback = libxlDomainDeviceDefValidate, .features = VIR_DOMAIN_DEF_FEATURE_USER_ALIAS | VIR_DOMAIN_DEF_FEATURE_FW_AUTOSELECT | -- 2.35.3
