From: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=862887 Add a netmask for the source and destination IP address for the ebtables --arp-ip-src and --arp-ip-dst options. Extend the XML parser with support for XML attributes for these netmasks similar to already supported netmasks. Extend the documentation. Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
---
 docs/formatnwfilter.html.in | 10 ++++++++++
 src/conf/nwfilter_conf.c | 12 ++++++++++++
 src/conf/nwfilter_conf.h | 2 ++
 src/nwfilter/nwfilter_ebiptables_driver.c | 28 ++++++++++++++++++++++++----
 4 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 5c06bf2..fb3a326 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -990,11 +990,21 @@
 <td>Source IP address in ARP/RARP packet</td>
 </tr>
 <tr>
+ <td>arpsrcipmask <span class="since">(Since 1.2.3)</span></td>
+ <td>IP_MASK</td>
+ <td>Source IP mask</td>
+ </tr>
+ <tr>
 <td>arpdstipaddr</td>
 <td>IP_ADDR</td>
 <td>Destination IP address in ARP/RARP packet</td>
 </tr>
 <tr>
+ <td>arpdstipmask <span class="since">(Since 1.2.3)</span></td>
+ <td>IP_MASK</td>
+ <td>Destination IP mask</td>
+ </tr>
+ <tr>
 <td>comment <span class="since">(Since 0.8.5)</span></td>
 <td>STRING</td>
 <td>text with max. 256 characters</td>
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index d25e0cc..73e668f 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -173,7 +173,9 @@ static const char dstmacmask_str[] = "dstmacmask";
 static const char arpsrcmacaddr_str[] = "arpsrcmacaddr";
 static const char arpdstmacaddr_str[] = "arpdstmacaddr";
 static const char arpsrcipaddr_str[] = "arpsrcipaddr";
+static const char arpsrcipmask_str[] = "arpsrcipmask";
 static const char arpdstipaddr_str[] = "arpdstipaddr";
+static const char arpdstipmask_str[] = "arpdstipmask";
 static const char srcipaddr_str[] = "srcipaddr";
 static const char srcipmask_str[] = "srcipmask";
 static const char dstipaddr_str[] = "dstipaddr";
@@ -198,7 +200,9 @@ static const char ipsetflags_str[] = "ipsetflags";
 #define ARPSRCMACADDR arpsrcmacaddr_str
 #define ARPDSTMACADDR arpdstmacaddr_str
 #define ARPSRCIPADDR arpsrcipaddr_str
+#define ARPSRCIPMASK arpsrcipmask_str
 #define ARPDSTIPADDR arpdstipaddr_str
+#define ARPDSTIPMASK arpdstipmask_str
 #define SRCIPADDR srcipaddr_str
 #define SRCIPMASK srcipmask_str
 #define DSTIPADDR dstipaddr_str
@@ -1302,10 +1306,18 @@ static const virXMLAttr2Struct arpAttributes[] = {
 .datatype = DATATYPE_IPADDR,
 .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPAddr),
 }, {
+ .name = ARPSRCIPMASK,
+ .datatype = DATATYPE_IPMASK,
+ .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPMask),
+ }, {
 .name = ARPDSTIPADDR,
 .datatype = DATATYPE_IPADDR,
 .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPAddr),
 }, {
+ .name = ARPDSTIPMASK,
+ .datatype = DATATYPE_IPMASK,
+ .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPMask),
+ }, {
 .name = "gratuitous",
 .datatype = DATATYPE_BOOLEAN,
 .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataGratuitousARP),
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 8c59330..071343e 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -209,8 +209,10 @@ struct _arpHdrFilterDef {
 nwItemDesc dataOpcode;
 nwItemDesc dataARPSrcMACAddr;
 nwItemDesc dataARPSrcIPAddr;
+ nwItemDesc dataARPSrcIPMask;
 nwItemDesc dataARPDstMACAddr;
 nwItemDesc dataARPDstIPAddr;
+ nwItemDesc dataARPDstIPMask;
 nwItemDesc dataGratuitousARP;
 nwItemDesc dataComment;
 };
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index bea9535..a4b38e7 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2059,6 +2059,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
 {
 char macaddr[VIR_MAC_STRING_BUFLEN],
 ipaddr[INET_ADDRSTRLEN],
+ ipmask[INET_ADDRSTRLEN],
 ipv6addr[INET6_ADDRSTRLEN],
 number[MAX(INT_BUFSIZE_BOUND(uint32_t),
 INT_BUFSIZE_BOUND(int))],
@@ -2066,6 +2067,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
 char chain[MAX_CHAINNAME_LENGTH];
 virBuffer buf = VIR_BUFFER_INITIALIZER;
 const char *target;
+ bool hasMask;
 if (!ebtables_cmd_path) {
 virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@@ -2269,11 +2271,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
 &rule->p.arpHdrFilter.dataARPSrcIPAddr) < 0)
 goto err_exit;
+ if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPMask)) {
+ if (printDataType(vars,
+ ipmask, sizeof(ipmask),
+ &rule->p.arpHdrFilter.dataARPSrcIPMask) < 0)
+ goto err_exit;
+ hasMask = true;
+ }
+
 virBufferAsprintf(&buf,
- " %s %s %s",
+ " %s %s %s/%s",
 reverse ? "--arp-ip-dst" : "--arp-ip-src",
 ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr),
- ipaddr);
+ ipaddr,
+ hasMask ? ipmask : "32");
 }
 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) {
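Review bot: `hasMask` is read without ever being initialised: the `@@ -2066,6 +2067,7 @@` hunk declares it as `bool hasMask;` and the only assignment in these hunks is `hasMask = true;`, so for a rule with an ARP source address but no `arpsrcipmask` the argument `hasMask ? ipmask : "32"` evaluates an indeterminate value and may format the never-written `ipmask` buffer into the ebtables command line. The flag is also not cleared between the two blocks, so in the destination hunk (`@@ -2282,11 +2293,20 @@`) a rule with a source mask but no destination mask would reuse the source mask for the `--arp-ip-dst` match, and the installed filter would then match a different address range than the XML specifies. Declare it as `bool hasMask = false;` and put `hasMask = false;` immediately before each `if (HAS_ENTRY_ITEM(...IPMask))` check. ebtablesCreateRuleInstance starts and ends outside these hunks, so whether another path assigns the flag cannot be confirmed from here.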
@@ -2282,11 +2293,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
 &rule->p.arpHdrFilter.dataARPDstIPAddr) < 0)
 goto err_exit;
+ if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPMask)) {
+ if (printDataType(vars,
+ ipmask, sizeof(ipmask),
+ &rule->p.arpHdrFilter.dataARPDstIPMask) < 0)
+ goto err_exit;
+ hasMask = true;
+ }
+
 virBufferAsprintf(&buf,
- " %s %s %s",
+ " %s %s %s/%s",
 reverse ? "--arp-ip-src" : "--arp-ip-dst",
 ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr),
- ipaddr);
+ ipaddr,
+ hasMask ? ipmask : "32");
 }
 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) {
-- 1.8.1.4
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list