Re: [PATCH] nwfilter: Add ARP src/dst IP mask for ebtables ARP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/12/2014 05:10 AM, Stefan Berger wrote:
> From: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=862887
>
> Add a netmask for the source and destination IP address for the
> ebtables --arp-ip-src and --arp-ip-dst options. Extend the XML
> parser with support for XML attributes for these netmasks similar
> to already supported netmasks. Extend the documentation.
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
> ---
>  docs/formatnwfilter.html.in               | 10 ++++++++++
>  src/conf/nwfilter_conf.c                  | 12 ++++++++++++
>  src/conf/nwfilter_conf.h                  |  2 ++
>  src/nwfilter/nwfilter_ebiptables_driver.c | 28 ++++++++++++++++++++++++----
>  4 files changed, 48 insertions(+), 4 deletions(-)
>
> diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
> index 5c06bf2..fb3a326 100644
> --- a/docs/formatnwfilter.html.in
> +++ b/docs/formatnwfilter.html.in
> @@ -990,11 +990,21 @@
>           <td>Source IP address in ARP/RARP packet</td>
>         </tr>
>         <tr>
> +         <td>arpsrcipmask <span class="since">(Since 1.2.3)</span></td>
> +         <td>IP_MASK</td>
> +         <td>Source IP mask</td>
> +       </tr>
> +       <tr>
>           <td>arpdstipaddr</td>
>           <td>IP_ADDR</td>
>           <td>Destination IP address in ARP/RARP packet</td>
>         </tr>
>         <tr>
> +         <td>arpdstipmask <span class="since">(Since 1.2.3)</span></td>
> +         <td>IP_MASK</td>
> +         <td>Destination IP mask</td>
> +       </tr>
> +       <tr>
>           <td>comment <span class="since">(Since 0.8.5)</span></td>
>           <td>STRING</td>
>           <td>text with max. 256 characters</td>
> diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
> index d25e0cc..73e668f 100644
> --- a/src/conf/nwfilter_conf.c
> +++ b/src/conf/nwfilter_conf.c
> @@ -173,7 +173,9 @@ static const char dstmacmask_str[]    = "dstmacmask";
>  static const char arpsrcmacaddr_str[] = "arpsrcmacaddr";
>  static const char arpdstmacaddr_str[] = "arpdstmacaddr";
>  static const char arpsrcipaddr_str[]  = "arpsrcipaddr";
> +static const char arpsrcipmask_str[]  = "arpsrcipmask";
>  static const char arpdstipaddr_str[]  = "arpdstipaddr";
> +static const char arpdstipmask_str[]  = "arpdstipmask";
>  static const char srcipaddr_str[]     = "srcipaddr";
>  static const char srcipmask_str[]     = "srcipmask";
>  static const char dstipaddr_str[]     = "dstipaddr";
> @@ -198,7 +200,9 @@ static const char ipsetflags_str[]    = "ipsetflags";
>  #define ARPSRCMACADDR arpsrcmacaddr_str
>  #define ARPDSTMACADDR arpdstmacaddr_str
>  #define ARPSRCIPADDR  arpsrcipaddr_str
> +#define ARPSRCIPMASK  arpsrcipmask_str
>  #define ARPDSTIPADDR  arpdstipaddr_str
> +#define ARPDSTIPMASK  arpdstipmask_str
>  #define SRCIPADDR     srcipaddr_str
>  #define SRCIPMASK     srcipmask_str
>  #define DSTIPADDR     dstipaddr_str
> @@ -1302,10 +1306,18 @@ static const virXMLAttr2Struct arpAttributes[] = {
>          .datatype = DATATYPE_IPADDR,
>          .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPAddr),
>      }, {
> +        .name = ARPSRCIPMASK,
> +        .datatype = DATATYPE_IPMASK,
> +        .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPMask),
> +    }, {
>          .name = ARPDSTIPADDR,
>          .datatype = DATATYPE_IPADDR,
>          .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPAddr),
>      }, {
> +        .name = ARPDSTIPMASK,
> +        .datatype = DATATYPE_IPMASK,
> +        .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPMask),
> +    }, {
>          .name = "gratuitous",
>          .datatype = DATATYPE_BOOLEAN,
>          .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataGratuitousARP),
> diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
> index 8c59330..071343e 100644
> --- a/src/conf/nwfilter_conf.h
> +++ b/src/conf/nwfilter_conf.h
> @@ -209,8 +209,10 @@ struct _arpHdrFilterDef {
>      nwItemDesc dataOpcode;
>      nwItemDesc dataARPSrcMACAddr;
>      nwItemDesc dataARPSrcIPAddr;
> +    nwItemDesc dataARPSrcIPMask;
>      nwItemDesc dataARPDstMACAddr;
>      nwItemDesc dataARPDstIPAddr;
> +    nwItemDesc dataARPDstIPMask;
>      nwItemDesc dataGratuitousARP;
>      nwItemDesc dataComment;
>  };
> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
> index bea9535..a4b38e7 100644
> --- a/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -2059,6 +2059,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
>  {
>      char macaddr[VIR_MAC_STRING_BUFLEN],
>           ipaddr[INET_ADDRSTRLEN],
> +         ipmask[INET_ADDRSTRLEN],
>           ipv6addr[INET6_ADDRSTRLEN],
>           number[MAX(INT_BUFSIZE_BOUND(uint32_t),
>                      INT_BUFSIZE_BOUND(int))],
> @@ -2066,6 +2067,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
>      char chain[MAX_CHAINNAME_LENGTH];
>      virBuffer buf = VIR_BUFFER_INITIALIZER;
>      const char *target;
> +    bool hasMask;
>  
>      if (!ebtables_cmd_path) {
>          virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> @@ -2269,11 +2271,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
>                                &rule->p.arpHdrFilter.dataARPSrcIPAddr) < 0)
>                  goto err_exit;
>  
> +            if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPMask)) {
> +                if (printDataType(vars,
> +                                  ipmask, sizeof(ipmask),
> +                                  &rule->p.arpHdrFilter.dataARPSrcIPMask) < 0)
> +                    goto err_exit;
> +                hasMask = true;
> +            }
> +
>              virBufferAsprintf(&buf,
> -                          " %s %s %s",
> +                          " %s %s %s/%s",
>                            reverse ? "--arp-ip-dst" : "--arp-ip-src",
>                            ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr),
> -                          ipaddr);
> +                          ipaddr,
> +                          hasMask ? ipmask : "32");
>          }
>  
>          if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) {
> @@ -2282,11 +2293,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
>                                &rule->p.arpHdrFilter.dataARPDstIPAddr) < 0)
>                  goto err_exit;
>  
> +            if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPMask)) {
> +                if (printDataType(vars,
> +                                  ipmask, sizeof(ipmask),
> +                                  &rule->p.arpHdrFilter.dataARPDstIPMask) < 0)
> +                    goto err_exit;
> +                hasMask = true;
> +            }
> +
>              virBufferAsprintf(&buf,
> -                          " %s %s %s",
> +                          " %s %s %s/%s",
>                            reverse ? "--arp-ip-src" : "--arp-ip-dst",
>                            ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr),
> -                          ipaddr);
> +                          ipaddr,
> +                          hasMask ? ipmask : "32");
>          }
>  
>          if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) {

ACK.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]