src/openvz/openvz_conf.c
src/openvz/openvz_driver.c
src/phyp/phyp_driver.c
+src/qemu/qemu_bridge_filter.c
src/qemu/qemu_conf.c
src/qemu/qemu_driver.c
src/qemu/qemu_monitor_text.c
qemu/qemu_conf.c qemu/qemu_conf.h \
qemu/qemu_monitor_text.c \
qemu/qemu_monitor_text.h \
- qemu/qemu_driver.c qemu/qemu_driver.h
+ qemu/qemu_driver.c qemu/qemu_driver.h \
+ qemu/qemu_bridge_filter.c \
+ qemu/qemu_bridge_filter.h
UML_DRIVER_SOURCES = \
uml/uml_conf.c uml/uml_conf.h \
# in a location of $MOUNTPOINT/libvirt/qemu
# hugetlbfs_mount = "/dev/hugepages"
+
+mac_filter = 1
--- /dev/null
+/*
+ * Copyright (C) 2009 IBM Corp.
+ * Copyright (C) 2007-2009 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Gerhard Stenzel <gerhard.stenzel@de.ibm.com>
+ */
+
+#include <config.h>
+
+#include "ebtables.h"
+#include "qemu_conf.h"
+#include "qemu_driver.h"
+#include "util.h"
+#include "virterror_internal.h"
+#include "logging.h"
+
+#include "qemu_bridge_filter.h"
+
+#define VIR_FROM_THIS VIR_FROM_QEMU
+
+int
+networkAddEbtablesRules(struct qemud_driver *driver) {
+ int err;
+
+ /* Set forward policy to DROP */
+ if ((err = ebtablesAddForwardPolicyReject(driver->ebtables))) {
+ virReportSystemError(NULL, err,
+ _("failed to add ebtables rule to set default policy to drop on '%s'"),
+ __FILE__);
+ return err;
+ }
+ ebtablesSaveRules(driver->ebtables);
+
+ return 0;
+}
+
+
+int
+networkDisableAllFrames(struct qemud_driver *driver) {
+ int err;
+
+ /* add default rules */
+ if ((err = networkAddEbtablesRules(driver))) {
+ virReportSystemError(NULL, err,
+ _("cannot filter mac addresses on bridge '%s'"),
+ __FILE__);
+ return err;
+ }
+ return 0;
+}
+
+int
+networkAllowMacOnPort(virConnectPtr conn,
+ struct qemud_driver *driver,
+ const char * ifname,
+ const unsigned char * mac) {
+
+ int err;
+
+ /* allow this combination of macaddr and ifname */
+ ebtablesContext * ebtablescontext = driver->ebtables;
+ if ((err = ebtablesAddForwardAllowIn(ebtablescontext,
+ ifname,
+ mac))) {
+ virReportSystemError(conn, err,
+ _("failed to add ebtables rule to allow routing to '%s'"),
+ ifname);
+ }
+
+ return 0;
+}
+
+
+int
+networkDisallowMacOnPort(virConnectPtr conn,
+ struct qemud_driver *driver,
+ const char * ifname,
+ const unsigned char * mac) {
+
+ int err;
+
+ /* disallow this combination of macaddr and ifname */
+ ebtablesContext * ebtablescontext = driver->ebtables;
+ if ((err = ebtablesRemoveForwardAllowIn(ebtablescontext,
+ ifname,
+ mac))) {
+ virReportSystemError(conn, err,
+ _("failed to add ebtables rule to allow routing to '%s'"),
+ ifname);
+ }
+
+ return 0;
+}
--- /dev/null
+/*
+ * Copyright (C) 2009 IBM Corp.
+ * Copyright (C) 2007-2009 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Gerhard Stenzel <gerhard.stenzel@de.ibm.com>
+ */
+
+#ifndef __QEMUD_BRIDGE_FILTER_H__
+#define __QEMUD_BRIDGE_FILTER_H__
+
+
+int networkAllowMacOnPort(virConnectPtr conn,
+ struct qemud_driver *driver,
+ const char * ifname,
+ const unsigned char * mac);
+int networkDisallowMacOnPort(virConnectPtr conn,
+ struct qemud_driver *driver,
+ const char * ifname,
+ const unsigned char * mac);
+int networkDisableAllFrames(struct qemud_driver *driver);
+int networkAddEbtablesRules(struct qemud_driver *driver);
+
+
+#endif /* __QEMUD_BRIDGE_FILTER_H__ */
#include "c-ctype.h"
#include "virterror_internal.h"
#include "qemu_conf.h"
+#include "qemu_bridge_filter.h"
#include "uuid.h"
#include "buf.h"
#include "conf.h"
}
}
+ p = virConfGetValue (conf, "mac_filter");
+ CHECK_TYPE ("mac_filter", VIR_CONF_LONG);
+ if (p) {
+ driver->macFilter = p->l;
+ if (!(driver->ebtables = ebtablesContextNew("qemu"))) {
+ driver->macFilter = 0;
+ virReportSystemError(NULL, errno,
+ _("failed to enable mac filter in in '%s'"),
+ __FILE__);
+ }
+
+ if ((errno = networkDisableAllFrames(driver))) {
+ virReportSystemError(NULL, errno,
+ _("failed to add rule to drop all frames in '%s'"),
+ __FILE__);
+ }
+ }
+
virConfFree (conf);
return 0;
}
tapfd = -1;
}
+ if (driver->macFilter) {
+ if ((err = networkAllowMacOnPort(conn, driver, net->ifname, net->mac))) {
+ virReportSystemError(conn, err,
+ _("failed to add ebtables rule to allow MAC address on '%s'"),
+ net->ifname);
+ }
+ }
+
cleanup:
VIR_FREE(brname);
#include <config.h>
+#include "ebtables.h"
#include "internal.h"
#include "bridge.h"
#include "capabilities.h"
char *hugetlbfs_mount;
char *hugepage_path;
+ unsigned int macFilter : 1;
+ ebtablesContext *ebtables;
+
virCapsPtr caps;
/* An array of callbacks */
#include "qemu_driver.h"
#include "qemu_conf.h"
#include "qemu_monitor_text.h"
+#include "qemu_bridge_filter.h"
#include "c-ctype.h"
#include "event.h"
#include "buf.h"
VIR_DEBUG(_("Shutting down VM '%s'\n"), vm->def->name);
+ if (driver->macFilter) {
+ int i;
+ virDomainDefPtr def = vm->def;
+ for (i = 0 ; i < def->nnets ; i++) {
+ virDomainNetDefPtr net = def->nets[i];
+ if (net->ifname == NULL)
+ continue;
+ if ((errno = networkDisallowMacOnPort(conn, driver, net->ifname,
+ net->mac))) {
+ virReportSystemError(conn, errno,
+ _("failed to remove ebtables rule to allow MAC address on '%s'"),
+ net->ifname);
+ }
+ }
+ }
+
if (virKillProcess(vm->pid, 0) == 0 &&
virKillProcess(vm->pid, SIGTERM) < 0)
virReportSystemError(conn, errno,
projects / libvirt.git / commitdiff