Currently, adding any sort of IPv6 nwfilter rules is rather difficult. There are no standard rules, and you end up doing a lot of things by hand. This patch makes the $V6LOCAL variable available within rules. This is generated from the interface's MAC address using the modified EUI-64 format, which matches what the guest should be using. This is part of the information needed to correctly filter guest IPv6 traffic. Since this changes with the MAC address, it is significantly easier if libvirt populates it (rather than requiring the user to enter it) --- docs/formatnwfilter.html.in | 9 ++++++--- src/conf/nwfilter_params.h | 1 + src/nwfilter/nwfilter_gentech_driver.c | 23 +++++++++++++++++++++++ 3 files changed, 30 insertions(+), 3 deletions(-) mode change 100644 => 100755 src/nwfilter/nwfilter_gentech_driver.c diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in index 45b97f7..aa1ff9f 100644 --- a/docs/formatnwfilter.html.in +++ b/docs/formatnwfilter.html.in @@ -239,9 +239,9 @@ <h3><a name="nwfconceptsvars">Usage of variables in filters</a></h3> <p> - Two variables names have so far been reserved for usage by the - network traffic filtering subsystem: <code>MAC</code> and - <code>IP</code>. + Three variables names have so far been reserved for usage by the + network traffic filtering subsystem: <code>MAC</code>, + <code>IP</code>, and <code>V6LOCAL</code> <br/><br/> <code>MAC</code> is the MAC address of the network interface. A filtering rule that references this variable @@ -251,6 +251,9 @@ parameter similar to the IP parameter above, it is discouraged since libvirt knows what MAC address an interface will be using. <br/><br/> + <code>V6LOCAL</code> is the computed IPv6 link-local address. + This is based on the MAC variable + <br/><br/> The parameter <code>IP</code> represents the IP address that the operating system inside the virtual machine is expected to use on the given interface. The <code>IP</code> parameter 
diff --git a/src/conf/nwfilter_params.h b/src/conf/nwfilter_params.h index 5e9777b..f61250f 100644 --- a/src/conf/nwfilter_params.h +++ b/src/conf/nwfilter_params.h @@ -98,6 +98,7 @@ bool virNWFilterHashTableEqual(virNWFilterHashTablePtr a, # define NWFILTER_VARNAME_IP "IP" # define NWFILTER_VARNAME_MAC "MAC" +# define NWFILTER_VARNAME_V6LOCAL "V6LOCAL" # define NWFILTER_VARNAME_CTRL_IP_LEARNING "CTRL_IP_LEARNING" # define NWFILTER_VARNAME_DHCPSERVER "DHCPSERVER" diff --git a/src/nwfilter/nwfilter_gentech_driver.c b/src/nwfilter/nwfilter_gentech_driver.c old mode 100644 new mode 100755 index 1ce5e70..a86dae8 --- a/src/nwfilter/nwfilter_gentech_driver.c +++ b/src/nwfilter/nwfilter_gentech_driver.c @@ -45,6 +45,7 @@ VIR_LOG_INIT("nwfilter.nwfilter_gentech_driver"); #define NWFILTER_STD_VAR_MAC NWFILTER_VARNAME_MAC #define NWFILTER_STD_VAR_IP NWFILTER_VARNAME_IP +#define NWFILTER_STD_VAR_V6LOCAL NWFILTER_VARNAME_V6LOCAL #define NWFILTER_DFLT_LEARN "any" @@ -163,6 +164,28 @@ virNWFilterVarHashmapAddStdValues(virNWFilterHashTablePtr table, "%s", _("Could not add variable 'MAC' to hashmap")); return -1; } + + virMacAddr parsedMac; + if (virMacAddrParse(macaddr, &parsedMac) == 0) + { + parsedMac.addr[0] ^= 2; + + char euiMacAddr[26]; + snprintf(euiMacAddr, sizeof(euiMacAddr), "fe80::%x%x:%xff:fe%x:%x%x", parsedMac.addr[0], parsedMac.addr[1], parsedMac.addr[2], + parsedMac.addr[3], parsedMac.addr[4], parsedMac.addr[5]); + + val = virNWFilterVarValueCreateSimpleCopyValue(euiMacAddr); + if (!val) + return -1; + + if (virHashAddEntry(table->hashTable, + NWFILTER_STD_VAR_V6LOCAL, + val) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + "%s", _("Could not add variable 'V6LOCAL' to hashmap")); + return -1; + } + } } if (ipaddr) { -- 1.7.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
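Review bot: The `snprintf` format in the added V6LOCAL block of `virNWFilterVarHashmapAddStdValues` prints each MAC byte with a bare `%x`, so a low-order byte below 0x10 loses its leading zero and fuses with its neighbour (bytes 0x50, 0x05 print as `505`, not `5005`), giving an address different from the one the guest derives. Any rule matching on `$V6LOCAL` would then be filtering on the wrong link-local address, so the format should be `"fe80::%02x%02x:%02xff:fe%02x:%02x%02x"`, which still fits the 26-byte buffer exactly. A failing `virMacAddrParse` is skipped without an error, leaving `V6LOCAL` undefined for rules that reference it, and the `old mode 100644` / `new mode 100755` change on the .c file looks unintended. The function begins and ends outside the hunk.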