Re: [PATCH v2] Add support for network filter code in LXC driver


 



On 06/14/2011 10:46 AM, Daniel P. Berrange wrote:
The LXC driver networking uses veth device pairs. These can
be easily hooked into the network filtering code.

* src/lxc/lxc_driver.c: Add calls to setup/teardown nwfilter

New in v2:

  - Add missing hooks for automatic rebuild of filters for
    online guests

---
  src/lxc/lxc_driver.c |   40 ++++++++++++++++++++++++++++++++++++++--
  1 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index 9ef75f5..e8ad3f0 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -52,7 +52,7 @@
  #include "hooks.h"
  #include "files.h"
  #include "fdstream.h"
-
+#include "domain_nwfilter.h"

  #define VIR_FROM_THIS VIR_FROM_LXC

@@ -1027,6 +1027,8 @@ static void lxcVmCleanup(lxc_driver_t *driver,
          vethDelete(vm->def->nets[i]->ifname);
      }

+    virDomainConfVMNWFilterTeardown(vm);
+
      if (driver->cgroup&&
          virCgroupForDomain(driver->cgroup, vm->def->name,&cgroup, 0) == 0) {
          virCgroupRemove(cgroup);
@@ -1146,6 +1148,10 @@ static int lxcSetupInterfaces(virConnectPtr conn,

          if (vethInterfaceUpOrDown(parentVeth, 1)<  0)
              goto error_exit;
+
+        if (def->nets[i]->filter&&
+            virDomainConfNWFilterInstantiate(conn, def->nets[i])<  0)
+            goto error_exit;
      }

      rc = 0;
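Review bot: In the lines added to lxcSetupInterfaces, the filter is instantiated only after `vethInterfaceUpOrDown(parentVeth, 1)` has brought the host-side veth up, so for a short window the interface is up with no rules attached. The container is presumably not running yet, so the exposure is likely small. Still, if the filter code does not need the link to be up, moving the `def->nets[i]->filter` check and the `virDomainConfNWFilterInstantiate(conn, def->nets[i])` call above the up call would make the ordering fail-closed. When instantiation fails for interface i, the filters already applied to earlier interfaces appear to rely on the caller's `virDomainConfVMNWFilterTeardown(vm)` in the `cleanup:` hunk; a comment such as `/* filters for earlier nets are torn down by the caller on error */` would make that dependency explicit. The loop header and the `error_exit` label lie outside this hunk.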
@@ -1642,8 +1648,10 @@ cleanup:
              vethDelete(veths[i]);
          VIR_FREE(veths[i]);
      }
-    if (rc != 0)
+    if (rc != 0) {
          VIR_FORCE_CLOSE(priv->monitor);
+        virDomainConfVMNWFilterTeardown(vm);
+    }
      VIR_FORCE_CLOSE(parentTty);
      VIR_FORCE_CLOSE(handshakefds[0]);
      VIR_FORCE_CLOSE(handshakefds[1]);
@@ -2842,6 +2850,33 @@ cleanup:
      return ret;
  }

+static int
+lxcVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
+                   virHashIterator iter, void *data)
+{
+    virHashForEach(lxc_driver->domains.objs, iter, data);
+
+    return 0;
+}
+
+static void
+lxcVMDriverLock(void)
+{
+    lxcDriverLock(lxc_driver);
+}
+
+static void
+lxcVMDriverUnlock(void)
+{
+    lxcDriverUnlock(lxc_driver);
+}
+
+static virNWFilterCallbackDriver lxcCallbackDriver = {
+    .name = "LXC",
+    .vmFilterRebuild = lxcVMFilterRebuild,
+    .vmDriverLock = lxcVMDriverLock,
+    .vmDriverUnlock = lxcVMDriverUnlock,
+};

  /* Function Tables */
  static virDriver lxcDriver = {
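Review bot: `lxcVMFilterRebuild`, `lxcVMDriverLock` and `lxcVMDriverUnlock` dereference the global `lxc_driver` without checking it, and the callback driver is registered unconditionally in `lxcRegister` (last hunk). The lifecycle of `lxc_driver` is not visible here, but if the state driver never initialised it or has already freed it, a filter rebuild triggered by the nwfilter code would dereference a NULL or stale pointer. Consider registering from the state driver's startup path with a matching unregister at shutdown, or at least guarding the rebuild with `if (!lxc_driver) return 0;` and applying the same check in the lock and unlock callbacks. The return value of `virHashForEach` is also discarded and 0 is always returned, so a failed iteration is never reported to the caller; a one-line comment on each callback saying it is invoked by the nwfilter driver would help readers too.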
@@ -2911,5 +2946,6 @@ int lxcRegister(void)
  {
      virRegisterDriver(&lxcDriver);
      virRegisterStateDriver(&lxcStateDriver);
+    virNWFilterRegisterCallbackDriver(&lxcCallbackDriver);
      return 0;
  }
ACK.

Looks good. Unfortunately I cannot test it since I don't have LXC on any of my machines...

   Stefan
