On Tue, Jun 07, 2011 at 09:51:56AM -0400, Stefan Berger wrote:
> "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote on 06/07/2011 09:36:22 AM:
>
> > The LXC driver networking uses veth device pairs. These can
> > be easily hooked into the network filtering code.
> >
> > * src/lxc/lxc_driver.c: Add calls to setup/teardown nwfilter
> > --- > > src/lxc/lxc_driver.c | 12 ++++++++++-- > > 1 files changed, 10 insertions(+), 2 deletions(-) > > > > diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c > > index 8eb87a2..4d14466 100644 > > --- a/src/lxc/lxc_driver.c > > +++ b/src/lxc/lxc_driver.c > > @@ -52,7 +52,7 @@ > > #include "hooks.h" > > #include "files.h" > > #include "fdstream.h" > > - > > +#include "domain_nwfilter.h" > > > > #define VIR_FROM_THIS VIR_FROM_LXC > > > > @@ -1027,6 +1027,8 @@ static void lxcVmCleanup(lxc_driver_t *driver, > > vethDelete(vm->def->nets[i]->ifname); > > } > > > > + virDomainConfVMNWFilterTeardown(vm); > > + > > if (driver->cgroup && > > virCgroupForDomain(driver->cgroup, vm->def->name, &cgroup, 0) > == 0) { > > virCgroupRemove(cgroup); > > @@ -1146,6 +1148,10 @@ static int lxcSetupInterfaces(virConnectPtr conn, > > > > if (vethInterfaceUpOrDown(parentVeth, 1) < 0) > > goto error_exit; > > + > > + if (def->nets[i]->filter && > > + virDomainConfNWFilterInstantiate(conn, def->nets[i]) < 0) > > + goto error_exit; > > } > > > > rc = 0; 
> > @@ -1538,8 +1544,10 @@ cleanup: > > vethDelete(veths[i]); > > VIR_FREE(veths[i]); > > } > > - if (rc != 0) > > + if (rc != 0) { > > VIR_FORCE_CLOSE(priv->monitor); > > + virDomainConfVMNWFilterTeardown(vm); > > + } > > VIR_FORCE_CLOSE(parentTty); > > VIR_FREE(logfile); > > return rc; > > -- > > 1.7.4.4 > >
>
> I would have thought a bit more code to be necessary, especially for
> supporting the live filter updates. At least something along the lines
> that the UML support shows:

Oops, I knew there was something I was forgetting. I've sent a v2
patch with this hooked up too.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
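Review bot: in the lxcVmCleanup hunk (@@ -1027,6 +1027,8 @@), virDomainConfVMNWFilterTeardown(vm) runs only after the preceding loop has already called vethDelete(vm->def->nets[i]->ifname), so the filter rules outlive the devices they were attached to. Consider moving the teardown ahead of the vethDelete loop, so the rules are removed while the interface names still refer to this container's devices, or add a comment saying why the current order is safe.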
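Review bot: in the lxcSetupInterfaces hunk (@@ -1146,6 +1148,10 @@), virDomainConfNWFilterInstantiate() is called after vethInterfaceUpOrDown(parentVeth, 1), so parentVeth is already up before its filter is in place. Instantiating the filter first and bringing the interface up only once that succeeds would close the gap. It is also worth confirming that the goto error_exit path leads to a teardown of filters already instantiated for earlier interfaces in the loop, since nothing in this hunk undoes them.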
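Review bot: in the cleanup hunk (@@ -1538,8 +1544,10 @@), virDomainConfVMNWFilterTeardown(vm) is called for every rc != 0 exit, including failures that happen before any filter was instantiated, while the instantiation in lxcSetupInterfaces is guarded by def->nets[i]->filter. A short comment stating that the teardown is safe for interfaces with no filter or with none instantiated yet would make the asymmetry intentional. The call also follows vethDelete(veths[i]) here, so the same ordering question as in lxcVmCleanup applies.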