<span class="since">Since 0.4.2</span>
</dd>
+ <dt><code>open</code></dt>
+ <dd>
+ As with mode='route', guest network traffic will be
+ forwarded to the physical network via the host's IP
+ routing stack, but there will be no firewall rules added
+ to either enable or prevent any of this traffic. When
+ forward='open' is set, the <code>dev</code> attribute
+ cannot be set (because the forward dev is enforced with
+ firewall rules, and the purpose of forward='open' is to
+ have a forwarding mode where libvirt doesn't add any
+ firewall rules). This mode presumes that the local LAN
+ router has suitable routing table entries to return
+ traffic to this host, and that some other management
+ system has been used to put in place any necessary
+ firewall rules. Although no firewall rules will be added
+ for the network, it is of course still possible to add
+ restrictions for specific guests using
+ <a href="formatnwfilter.html">nwfilter rules</a> on the
+ guests' interfaces.)
+ <span class="since">Since 2.2.0</span>
+ </dd>
+
<dt><code>bridge</code></dt>
<dd>
This network describes either 1) an existing host bridge
<choice>
<value>nat</value>
<value>route</value>
+ <value>open</value>
<value>bridge</value>
<value>passthrough</value>
<value>private</value>
VIR_ENUM_IMPL(virNetworkForward,
VIR_NETWORK_FORWARD_LAST,
- "none", "nat", "route", "bridge", "private", "vepa", "passthrough", "hostdev")
+ "none", "nat", "route", "open",
+ "bridge", "private", "vepa", "passthrough",
+ "hostdev")
VIR_ENUM_IMPL(virNetworkBridgeMACTableManager,
VIR_NETWORK_BRIDGE_MAC_TABLE_MANAGER_LAST,
case VIR_NETWORK_FORWARD_ROUTE:
case VIR_NETWORK_FORWARD_NAT:
+ case VIR_NETWORK_FORWARD_OPEN:
/* It's pointless to specify L3 forwarding without specifying
* the network we're on.
*/
def->name);
goto error;
}
+
+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN && def->forward.nifs) {
+ /* an open network by definition can't place any restrictions
+ * on what traffic is allowed or where it goes, so specifying
+ * a forwarding device is nonsensical.
+ */
+ virReportError(VIR_ERR_XML_ERROR,
+ _("forward dev not allowed for "
+ "network '%s' with forward mode='%s'"),
+ def->name,
+ virNetworkForwardTypeToString(def->forward.type));
+ goto error;
+ }
break;
case VIR_NETWORK_FORWARD_PRIVATE:
if (def->forward.type == VIR_NETWORK_FORWARD_NONE ||
def->forward.type == VIR_NETWORK_FORWARD_NAT ||
def->forward.type == VIR_NETWORK_FORWARD_ROUTE ||
+ def->forward.type == VIR_NETWORK_FORWARD_OPEN ||
def->bridge || def->macTableManager) {
virBufferAddLit(buf, "<bridge");
virBufferEscapeString(buf, " name='%s'", def->bridge);
if (def->forward.type == VIR_NETWORK_FORWARD_NONE ||
def->forward.type == VIR_NETWORK_FORWARD_NAT ||
- def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
+ def->forward.type == VIR_NETWORK_FORWARD_ROUTE ||
+ def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
virBufferAsprintf(buf, " stp='%s' delay='%ld'",
def->stp ? "on" : "off", def->delay);
}
if (def->forward.type == VIR_NETWORK_FORWARD_NONE ||
def->forward.type == VIR_NETWORK_FORWARD_NAT ||
- def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
+ def->forward.type == VIR_NETWORK_FORWARD_ROUTE ||
+ def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
if (!def->mac_specified) {
virNetworkSetBridgeMacAddr(def);
VIR_NETWORK_FORWARD_NONE = 0,
VIR_NETWORK_FORWARD_NAT,
VIR_NETWORK_FORWARD_ROUTE,
+ VIR_NETWORK_FORWARD_OPEN,
VIR_NETWORK_FORWARD_BRIDGE,
VIR_NETWORK_FORWARD_PRIVATE,
VIR_NETWORK_FORWARD_VEPA,
case VIR_NETWORK_FORWARD_NONE:
case VIR_NETWORK_FORWARD_NAT:
case VIR_NETWORK_FORWARD_ROUTE:
+ case VIR_NETWORK_FORWARD_OPEN:
/* If bridge doesn't exist, then mark it inactive */
if (!(obj->def->bridge && virNetDevExists(obj->def->bridge) == 1))
obj->active = 0;
if (virNetworkObjIsActive(net) &&
((net->def->forward.type == VIR_NETWORK_FORWARD_NONE) ||
(net->def->forward.type == VIR_NETWORK_FORWARD_NAT) ||
- (net->def->forward.type == VIR_NETWORK_FORWARD_ROUTE))) {
+ (net->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) ||
+ (net->def->forward.type == VIR_NETWORK_FORWARD_OPEN))) {
/* Only the three L3 network types that are configured by
* libvirt will have a dnsmasq or radvd daemon associated
* with them. Here we send a SIGHUP to an existing
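Review bot: The comment opening this block still says "Only the three L3 network types that are configured by libvirt", but the condition above it now lists four (none, nat, route and the newly added open), so the count is stale; suggest `/* The four L3 network types that are configured by libvirt (none, nat, route, open) will have a dnsmasq or radvd daemon associated with them. */`. The sibling iptables-reload condition in this same commit had its comment corrected to "three of the L3 network types ... the 4th, forward='open'", so leaving this one unchanged reads as an oversight rather than a deliberate distinction. The if body and the enclosing function continue past the end of this hunk.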
((net->def->forward.type == VIR_NETWORK_FORWARD_NONE) ||
(net->def->forward.type == VIR_NETWORK_FORWARD_NAT) ||
(net->def->forward.type == VIR_NETWORK_FORWARD_ROUTE))) {
- /* Only the three L3 network types that are configured by libvirt
- * need to have iptables rules reloaded.
+ /* Only three of the L3 network types that are configured by
+ * libvirt need to have iptables rules reloaded. The 4th L3
+ * network type, forward='open', doesn't need this because it
+ * has no iptables rules.
*/
networkRemoveFirewallRules(net->def);
if (networkAddFirewallRules(net->def) < 0) {
goto err1;
/* Add "once per network" rules */
- if (networkAddFirewallRules(network->def) < 0)
+ if (network->def->forward.type != VIR_NETWORK_FORWARD_OPEN &&
+ networkAddFirewallRules(network->def) < 0)
goto err1;
for (i = 0;
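Review bot: The `network->def->forward.type != VIR_NETWORK_FORWARD_OPEN` guard is repeated at every add/remove call site touched by this commit (here, the err2 and err1 cleanup paths, the shutdown path and the update path), which spreads the "open networks get no firewall rules" policy across the driver; an early `if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) return 0;` at the top of networkAddFirewallRules, with the matching early return in networkRemoveFirewallRules, would enforce it in one place. That also protects call sites that are not guarded today — the SIGHUP/reload path is only kept away from open networks by its own forward-type condition — from installing rules for an open network if that condition is later extended. If the helpers are made no-ops this way, the per-call-site checks added here could be dropped again. networkStartNetworkVirtual begins before this hunk and its success path and remaining cleanup labels lie outside it.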
err2:
if (!save_err)
save_err = virSaveLastError();
- networkRemoveFirewallRules(network->def);
+ if (network->def->forward.type != VIR_NETWORK_FORWARD_OPEN)
+ networkRemoveFirewallRules(network->def);
err1:
if (!save_err)
ignore_value(virNetDevSetOnline(network->def->bridge, 0));
- networkRemoveFirewallRules(network->def);
+ if (network->def->forward.type != VIR_NETWORK_FORWARD_OPEN)
+ networkRemoveFirewallRules(network->def);
ignore_value(virNetDevBridgeDelete(network->def->bridge));
case VIR_NETWORK_FORWARD_NONE:
case VIR_NETWORK_FORWARD_NAT:
case VIR_NETWORK_FORWARD_ROUTE:
+ case VIR_NETWORK_FORWARD_OPEN:
case VIR_NETWORK_FORWARD_LAST:
/* by definition these will never be encountered here */
break;
case VIR_NETWORK_FORWARD_NONE:
case VIR_NETWORK_FORWARD_NAT:
case VIR_NETWORK_FORWARD_ROUTE:
+ case VIR_NETWORK_FORWARD_OPEN:
if (networkStartNetworkVirtual(driver, network) < 0)
goto cleanup;
break;
case VIR_NETWORK_FORWARD_NONE:
case VIR_NETWORK_FORWARD_NAT:
case VIR_NETWORK_FORWARD_ROUTE:
+ case VIR_NETWORK_FORWARD_OPEN:
ret = networkShutdownNetworkVirtual(driver, network);
break;
*/
if (def->forward.type == VIR_NETWORK_FORWARD_NONE ||
def->forward.type == VIR_NETWORK_FORWARD_NAT ||
- def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
+ def->forward.type == VIR_NETWORK_FORWARD_ROUTE ||
+ def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
/* if no bridge name was given in the config, find a name
* unused by any other libvirt networks and assign it.
* old rules (and remember to load new ones after the
* update).
*/
- networkRemoveFirewallRules(network->def);
- needFirewallRefresh = true;
+ if (network->def->forward.type != VIR_NETWORK_FORWARD_OPEN) {
+ networkRemoveFirewallRules(network->def);
+ needFirewallRefresh = true;
+ }
break;
default:
break;
if ((netdef->forward.type == VIR_NETWORK_FORWARD_NONE) ||
(netdef->forward.type == VIR_NETWORK_FORWARD_NAT) ||
- (netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE)) {
+ (netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE) ||
+ (netdef->forward.type == VIR_NETWORK_FORWARD_OPEN)) {
/* for these forward types, the actual net type really *is*
* NETWORK; we just keep the info from the portgroup in
* iface->data.network.actual
if (iface->data.network.actual &&
(netdef->forward.type == VIR_NETWORK_FORWARD_NONE ||
netdef->forward.type == VIR_NETWORK_FORWARD_NAT ||
- netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE) &&
+ netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE ||
+ netdef->forward.type == VIR_NETWORK_FORWARD_OPEN) &&
networkUnplugBandwidth(network, iface) < 0)
goto error;
case VIR_NETWORK_FORWARD_NONE:
case VIR_NETWORK_FORWARD_NAT:
case VIR_NETWORK_FORWARD_ROUTE:
+ case VIR_NETWORK_FORWARD_OPEN:
ipdef = virNetworkDefGetIPByIndex(netdef, AF_UNSPEC, 0);
if (!ipdef) {
virReportError(VIR_ERR_INTERNAL_ERROR,
if ((netdef->forward.type == VIR_NETWORK_FORWARD_NONE) ||
(netdef->forward.type == VIR_NETWORK_FORWARD_NAT) ||
- (netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE)) {
+ (netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE) ||
+ (netdef->forward.type == VIR_NETWORK_FORWARD_OPEN)) {
/* for these forward types, the actual net type really *is*
* NETWORK; we just keep the info from the portgroup in
* iface->data.network.actual
--- /dev/null
+##WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+##OVERWRITTEN AND LOST. Changes to this configuration should be made using:
+## virsh net-edit open
+## or other application using the libvirt API.
+##
+## dnsmasq conf file created by libvirt
+strict-order
+except-interface=lo
+bind-dynamic
+interface=virbr1
+addn-hosts=/var/lib/libvirt/dnsmasq/open.addnhosts
--- /dev/null
+<network>
+ <name>open</name>
+ <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>
+ <forward mode='open'/>
+ <bridge name='virbr1' stp='on' delay='0'/>
+ <mac address='12:34:56:78:9A:BC'/>
+ <ip address='192.168.122.1' netmask='255.255.255.0'>
+ </ip>
+</network>
DO_TEST("nat-network-dns-srv-record-minimal", restricted);
DO_TEST("nat-network-name-with-quotes", restricted);
DO_TEST("routed-network", full);
+ DO_TEST("open-network", full);
DO_TEST("nat-network", dhcpv6);
DO_TEST("nat-network-dns-txt-record", full);
DO_TEST("nat-network-dns-srv-record", full);
--- /dev/null
+<network>
+ <name>open</name>
+ <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>
+ <bridge name="virbr1"/>
+ <mac address='12:34:56:78:9A:BC'/>
+ <forward mode="open" dev="eth0"/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ </ip>
+</network>
--- /dev/null
+<network>
+ <name>open</name>
+ <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>
+ <bridge name="virbr1"/>
+ <mac address='12:34:56:78:9A:BC'/>
+ <forward mode="open"/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ </ip>
+</network>
--- /dev/null
+<network>
+ <name>open</name>
+ <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>
+ <forward mode='open'/>
+ <bridge name='virbr1' stp='on' delay='0'/>
+ <mac address='12:34:56:78:9a:bc'/>
+ <ip address='192.168.122.1' netmask='255.255.255.0'>
+ </ip>
+</network>
DO_TEST("empty-allow-ipv6");
DO_TEST("isolated-network");
DO_TEST("routed-network");
+ DO_TEST("open-network");
+ DO_TEST_PARSE_ERROR("open-network-with-forward-dev");
DO_TEST("nat-network");
DO_TEST("netboot-network");
DO_TEST("netboot-proxy-network");