Add support for STP filtering

author Stefan Berger <stefanb@linux.vnet.ibm.com>

Tue, 22 Nov 2011 20:12:03 +0000 (15:12 -0500)

committer Stefan Berger <stefanb@us.ibm.com>

Tue, 22 Nov 2011 20:12:03 +0000 (15:12 -0500)
author Stefan Berger <stefanb@linux.vnet.ibm.com>
Tue, 22 Nov 2011 20:12:03 +0000 (15:12 -0500)
committer Stefan Berger <stefanb@us.ibm.com>
Tue, 22 Nov 2011 20:12:03 +0000 (15:12 -0500)
diff --git a/docs/schemas/nwfilter.rng b/docs/schemas/nwfilter.rng

index 5fd4860b2631080e56e3de570c1836f39d01dd15..6a9c7bc108391cb4cf5cb5f337abe9ac8df35214 100644 (file)
--- a/docs/schemas/nwfilter.rng
+++ b/docs/schemas/nwfilter.rng
@@ -38,6 +38,16 @@
                  </element>
                </zeroOrMore>
              </optional>
+            <optional>
+              <zeroOrMore>
+                <element name="stp">
+                  <ref name="match-attribute"/>
+                  <ref name="srcmacandmask-attributes"/>
+                  <ref name="stp-attributes"/>
+                  <ref name="comment-attribute"/>
+                </element>
+              </zeroOrMore>
+            </optional>
              <optional>
                <zeroOrMore>
                  <element name="arp">
@@ -299,6 +309,9 @@
            <data type="string">
              <param name="pattern">mac[a-zA-Z0-9_\.:-]{0,9}</param>
            </data>
+          <data type="string">
+            <param name="pattern">stp[a-zA-Z0-9_\.:-]{0,9}</param>
+          </data>
            <data type="string">
              <param name="pattern">vlan[a-zA-Z0-9_\.:-]{0,8}</param>
            </data>
@@ -382,7 +395,7 @@
      </interleave>
    </define>
  
-  <define name="common-l2-attributes">
+  <define name="srcmacandmask-attributes">
      <interleave>
        <ref name="srcmac-attribute"/>
        <optional>
@@ -390,6 +403,12 @@
             <ref name="addrMAC"/>
           </attribute>
        </optional>
+    </interleave>
+  </define>
+
+  <define name="common-l2-attributes">
+    <interleave>
+      <ref name="srcmacandmask-attributes"/>
        <optional>
           <attribute name="dstmacaddr">
             <ref name="addrMAC"/>
@@ -588,6 +607,119 @@
      </interleave>
    </define>
  
+  <define name="stp-attributes">
+    <optional>
+      <attribute name="type">
+        <ref name="uint8range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="flags">
+        <ref name="uint8range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="root-priority">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="root-priority-hi">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="root-address">
+        <ref name="addrMAC"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="root-address-mask">
+        <ref name="addrMAC"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="root-cost">
+        <ref name="uint32range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="root-cost-hi">
+        <ref name="uint32range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="sender-priority">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="sender-priority-hi">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="sender-address">
+        <ref name="addrMAC"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="sender-address-mask">
+        <ref name="addrMAC"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="port">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="port-hi">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="age">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="age-hi">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="max-age">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="max-age-hi">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="hello-time">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="hello-time-hi">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="forward-delay">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="forward-delay-hi">
+        <ref name="uint16range"/>
+      </attribute>
+    </optional>
+  </define>
+
    <define name="arp-attributes">
      <interleave>
        <optional>
@@ -852,6 +984,24 @@
      </choice>
    </define>
  
+  <define name="uint32range">
+    <choice>
+      <!-- variable -->
+      <data type="string">
+        <param name="pattern">$[a-zA-Z0-9_]+</param>
+      </data>
+
+      <data type="string">
+        <param name="pattern">0x[0-9a-fA-F]{1,8}</param>
+      </data>
+
+      <data type="int">
+        <param name="minInclusive">0</param>
+        <param name="maxInclusive">4294967295</param>
+      </data>
+    </choice>
+  </define>
+
    <define name="boolean">
      <choice>
        <value>yes</value>
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c

index 1321f8b1c061b1344c3fbf894fa80bb1c68c8f0b..9a97dae7760befc6323ed58176f57186b4a5a7cc 100644 (file)
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -84,6 +84,7 @@ VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
                "root",
                "mac",
                "vlan",
+              "stp",
                "arp",
                "rarp",
                "ipv4",
@@ -93,6 +94,7 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, VIR_NWFILTER_RULE_PROTOCOL_LAST,
                "none",
                "mac",
                "vlan",
+              "stp",
                "arp",
                "rarp",
                "ip",
@@ -1047,6 +1049,138 @@ static const virXMLAttr2Struct vlanAttributes[] = {
      }
  };
  
+/* STP is documented by IEEE 802.1D; for a synopsis,
+ * see http://www.javvin.com/protocolSTP.html */
+static const virXMLAttr2Struct stpAttributes[] = {
+    /* spanning tree uses a special destination MAC address */
+    {
+        .name = SRCMACADDR,
+        .datatype = DATATYPE_MACADDR,
+        .dataIdx = offsetof(virNWFilterRuleDef,
+                            p.stpHdrFilter.ethHdr.dataSrcMACAddr),
+    },
+    {
+        .name = SRCMACMASK,
+        .datatype = DATATYPE_MACMASK,
+        .dataIdx = offsetof(virNWFilterRuleDef,
+                            p.stpHdrFilter.ethHdr.dataSrcMACMask),
+    },
+    {
+        .name = "type",
+        .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataType),
+    },
+    {
+        .name = "flags",
+        .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataFlags),
+    },
+    {
+        .name = "root-priority",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataRootPri),
+    },
+    {
+        .name = "root-priority-hi",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataRootPriHi),
+    },
+    {
+        .name = "root-address",
+        .datatype = DATATYPE_MACADDR,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataRootAddr),
+    },
+    {
+        .name = "root-address-mask",
+        .datatype = DATATYPE_MACMASK,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataRootAddrMask),
+    },
+    {
+        .name = "root-cost",
+        .datatype = DATATYPE_UINT32 | DATATYPE_UINT32_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataRootCost),
+    },
+    {
+        .name = "root-cost-hi",
+        .datatype = DATATYPE_UINT32 | DATATYPE_UINT32_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataRootCostHi),
+    },
+    {
+        .name = "sender-priority",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataSndrPrio),
+    },
+    {
+        .name = "sender-priority-hi",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataSndrPrioHi),
+    },
+    {
+        .name = "sender-address",
+        .datatype = DATATYPE_MACADDR,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataSndrAddr),
+    },
+    {
+        .name = "sender-address-mask",
+        .datatype = DATATYPE_MACMASK,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataSndrAddrMask),
+    },
+    {
+        .name = "port",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataPort),
+    },
+    {
+        .name = "port-hi",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataPortHi),
+    },
+    {
+        .name = "age",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataAge),
+    },
+    {
+        .name = "age-hi",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataAgeHi),
+    },
+    {
+        .name = "max-age",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataMaxAge),
+    },
+    {
+        .name = "max-age-hi",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataMaxAgeHi),
+    },
+    {
+        .name = "hello-time",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataHelloTime),
+    },
+    {
+        .name = "hello-time-hi",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataHelloTimeHi),
+    },
+    {
+        .name = "forward-delay",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataFwdDelay),
+    },
+    {
+        .name = "forward-delay-hi",
+        .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.stpHdrFilter.dataFwdDelayHi),
+    },
+    COMMENT_PROP(stpHdrFilter),
+    {
+        .name = NULL,
+    }
+};
+
  static const virXMLAttr2Struct arpAttributes[] = {
      COMMON_MAC_PROPS(arpHdrFilter),
      {
@@ -1505,6 +1639,7 @@ static const virAttributes virAttr[] = {
      PROTOCOL_ENTRY("rarp"   , arpAttributes    , VIR_NWFILTER_RULE_PROTOCOL_RARP),
      PROTOCOL_ENTRY("mac"    , macAttributes    , VIR_NWFILTER_RULE_PROTOCOL_MAC),
      PROTOCOL_ENTRY("vlan"   , vlanAttributes   , VIR_NWFILTER_RULE_PROTOCOL_VLAN),
+    PROTOCOL_ENTRY("stp"    , stpAttributes   ,  VIR_NWFILTER_RULE_PROTOCOL_STP),
      PROTOCOL_ENTRY("ip"     , ipAttributes     , VIR_NWFILTER_RULE_PROTOCOL_IP),
      PROTOCOL_ENTRY("ipv6"   , ipv6Attributes   , VIR_NWFILTER_RULE_PROTOCOL_IPV6),
      PROTOCOL_ENTRY("tcp"    , tcpAttributes    , VIR_NWFILTER_RULE_PROTOCOL_TCP),
@@ -1628,6 +1763,18 @@ virNWFilterRuleDetailsParse(xmlNodePtr node,
                                  rc = -1;
                          break;
  
+                        case DATATYPE_UINT32_HEX:
+                            base = 16;
+                            /* fallthrough */
+                        case DATATYPE_UINT32:
+                            if (virStrToLong_ui(prop, NULL, base, &uint_val) >= 0) {
+                                item->u.u32 = uint_val;
+                                found = 1;
+                                data.ui = uint_val;
+                            } else
+                                rc = -1;
+                        break;
+
                          case DATATYPE_IPADDR:
                              if (virSocketAddrParseIPv4(&item->u.ipaddr, prop) < 0)
                                  rc = -1;
@@ -1839,6 +1986,31 @@ virNWFilterRuleDefFixup(virNWFilterRuleDefPtr rule)
                        rule->p.vlanHdrFilter.ethHdr.dataDstMACAddr);
      break;
  
+    case VIR_NWFILTER_RULE_PROTOCOL_STP:
+        COPY_NEG_SIGN(rule->p.stpHdrFilter.ethHdr.dataSrcMACMask,
+                      rule->p.stpHdrFilter.ethHdr.dataSrcMACAddr);
+        COPY_NEG_SIGN(rule->p.stpHdrFilter.dataRootPriHi,
+                      rule->p.stpHdrFilter.dataRootPri);
+        COPY_NEG_SIGN(rule->p.stpHdrFilter.dataRootAddrMask,
+                      rule->p.stpHdrFilter.dataRootAddr);
+        COPY_NEG_SIGN(rule->p.stpHdrFilter.dataRootCostHi,
+                      rule->p.stpHdrFilter.dataRootCost);
+        COPY_NEG_SIGN(rule->p.stpHdrFilter.dataSndrPrioHi,
+                      rule->p.stpHdrFilter.dataSndrPrio);
+        COPY_NEG_SIGN(rule->p.stpHdrFilter.dataSndrAddrMask,
+                      rule->p.stpHdrFilter.dataSndrAddr);
+        COPY_NEG_SIGN(rule->p.stpHdrFilter.dataPortHi,
+                      rule->p.stpHdrFilter.dataPort);
+        COPY_NEG_SIGN(rule->p.stpHdrFilter.dataAgeHi,
+                      rule->p.stpHdrFilter.dataAge);
+        COPY_NEG_SIGN(rule->p.stpHdrFilter.dataMaxAgeHi,
+                      rule->p.stpHdrFilter.dataMaxAge);
+        COPY_NEG_SIGN(rule->p.stpHdrFilter.dataHelloTimeHi,
+                      rule->p.stpHdrFilter.dataHelloTime);
+        COPY_NEG_SIGN(rule->p.stpHdrFilter.dataFwdDelayHi,
+                      rule->p.stpHdrFilter.dataFwdDelay);
+    break;
+
      case VIR_NWFILTER_RULE_PROTOCOL_IP:
          COPY_NEG_SIGN(rule->p.ipHdrFilter.ipHdr.dataSrcIPMask,
                        rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr);
@@ -2921,6 +3093,14 @@ virNWFilterRuleDefDetailsFormat(virBufferPtr buf,
                                       item->u.u16);
                 break;
  
+               case DATATYPE_UINT32_HEX:
+                   asHex = true;
+                   /* fallthrough */
+               case DATATYPE_UINT32:
+                   virBufferAsprintf(buf, asHex ? "0x%x" : "%u",
+                                     item->u.u32);
+               break;
+
                 case DATATYPE_IPADDR:
                 case DATATYPE_IPV6ADDR:
                     virNWIPAddressFormat(buf,
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h

index a7e7a13dc284f245a1345059b1924cbe7f0a9c98..61923aa5a414c8e7afb784a024bb76759943b251 100644 (file)
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -101,10 +101,14 @@ enum attrDatatype {
      DATATYPE_IPV6MASK         = (1 << 10),
      DATATYPE_STRINGCOPY       = (1 << 11),
      DATATYPE_BOOLEAN          = (1 << 12),
+    DATATYPE_UINT32           = (1 << 13),
+    DATATYPE_UINT32_HEX       = (1 << 14),
  
-    DATATYPE_LAST             = (1 << 13),
+    DATATYPE_LAST             = (1 << 15),
  };
  
+# define NWFILTER_MAC_BGA "01:80:c2:00:00:00"
+
  
  typedef struct _nwMACAddress nwMACAddress;
  typedef nwMACAddress *nwMACAddressPtr;
@@ -125,6 +129,7 @@ struct _nwItemDesc {
          bool         boolean;
          uint8_t      u8;
          uint16_t     u16;
+        uint32_t     u32;
          char         protocolID[10];
          char         *string;
          struct {
@@ -164,6 +169,36 @@ struct _vlanHdrFilterDef {
  };
  
  
+typedef struct _stpHdrFilterDef  stpHdrFilterDef;
+typedef stpHdrFilterDef *stpHdrFilterDefPtr;
+struct _stpHdrFilterDef {
+    ethHdrDataDef ethHdr;
+    nwItemDesc dataType;
+    nwItemDesc dataFlags;
+    nwItemDesc dataRootPri;
+    nwItemDesc dataRootPriHi;
+    nwItemDesc dataRootAddr;
+    nwItemDesc dataRootAddrMask;
+    nwItemDesc dataRootCost;
+    nwItemDesc dataRootCostHi;
+    nwItemDesc dataSndrPrio;
+    nwItemDesc dataSndrPrioHi;
+    nwItemDesc dataSndrAddr;
+    nwItemDesc dataSndrAddrMask;
+    nwItemDesc dataPort;
+    nwItemDesc dataPortHi;
+    nwItemDesc dataAge;
+    nwItemDesc dataAgeHi;
+    nwItemDesc dataMaxAge;
+    nwItemDesc dataMaxAgeHi;
+    nwItemDesc dataHelloTime;
+    nwItemDesc dataHelloTimeHi;
+    nwItemDesc dataFwdDelay;
+    nwItemDesc dataFwdDelayHi;
+    nwItemDesc dataComment;
+};
+
+
  typedef struct _arpHdrFilterDef  arpHdrFilterDef;
  typedef arpHdrFilterDef *arpHdrFilterDefPtr;
  struct _arpHdrFilterDef {
@@ -337,6 +372,7 @@ enum virNWFilterRuleProtocolType {
      VIR_NWFILTER_RULE_PROTOCOL_NONE = 0,
      VIR_NWFILTER_RULE_PROTOCOL_MAC,
      VIR_NWFILTER_RULE_PROTOCOL_VLAN,
+    VIR_NWFILTER_RULE_PROTOCOL_STP,
      VIR_NWFILTER_RULE_PROTOCOL_ARP,
      VIR_NWFILTER_RULE_PROTOCOL_RARP,
      VIR_NWFILTER_RULE_PROTOCOL_IP,
@@ -378,6 +414,7 @@ enum virNWFilterEbtablesTableType {
  # define NWFILTER_MAX_FILTER_PRIORITY MAX_RULE_PRIORITY
  
  # define NWFILTER_ROOT_FILTER_PRI 0
+# define NWFILTER_STP_FILTER_PRI  -810
  # define NWFILTER_MAC_FILTER_PRI  -800
  # define NWFILTER_VLAN_FILTER_PRI -750
  # define NWFILTER_IPV4_FILTER_PRI -700
@@ -418,6 +455,7 @@ struct _virNWFilterRuleDef {
      union {
          ethHdrFilterDef  ethHdrFilter;
          vlanHdrFilterDef vlanHdrFilter;
+        stpHdrFilterDef stpHdrFilter;
          arpHdrFilterDef  arpHdrFilter; /* also used for rarp */
          ipHdrFilterDef   ipHdrFilter;
          ipv6HdrFilterDef ipv6HdrFilter;
@@ -459,6 +497,7 @@ enum virNWFilterChainSuffixType {
      VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
      VIR_NWFILTER_CHAINSUFFIX_MAC,
      VIR_NWFILTER_CHAINSUFFIX_VLAN,
+    VIR_NWFILTER_CHAINSUFFIX_STP,
      VIR_NWFILTER_CHAINSUFFIX_ARP,
      VIR_NWFILTER_CHAINSUFFIX_RARP,
      VIR_NWFILTER_CHAINSUFFIX_IPv4,
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms

index 2cf50d30b037a9aecc148f7eaa688a7c86fcb252..1c64311e55854a49e71b7c4aea1d6a2c559a518e 100644 (file)
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -830,6 +830,7 @@ virNWFilterPrintStateMatchFlags;
  virNWFilterPrintTCPFlags;
  virNWFilterRegisterCallbackDriver;
  virNWFilterRuleActionTypeToString;
+virNWFilterRuleDirectionTypeToString;
  virNWFilterRuleProtocolTypeToString;
  virNWFilterTestUnassignDef;
  virNWFilterUnlockFilterUpdates;
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c

index 73b62f43e1334068161918c5c619d4bebcdd0143..54f76562ad360a8cb91530cbcbebb5c3d5129acd 100644 (file)
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -41,6 +41,7 @@
  #include "virfile.h"
  #include "command.h"
  #include "configmake.h"
+#include "intprops.h"
  
  
  #define VIR_FROM_THIS VIR_FROM_NWFILTER
@@ -190,6 +191,7 @@ enum l3_proto_idx {
      L3_PROTO_RARP_IDX,
      L2_PROTO_MAC_IDX,
      L2_PROTO_VLAN_IDX,
+    L2_PROTO_STP_IDX,
      L3_PROTO_LAST_IDX
  };
  
@@ -206,6 +208,7 @@ static const struct ushort_map l3_protocols[] = {
      USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP   , "arp"),
      USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"),
      USHORTMAP_ENTRY_IDX(L2_PROTO_VLAN_IDX, ETHERTYPE_VLAN  , "vlan"),
+    USHORTMAP_ENTRY_IDX(L2_PROTO_STP_IDX,  0               , "stp"),
      USHORTMAP_ENTRY_IDX(L2_PROTO_MAC_IDX,  0               , "mac"),
      USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0               , NULL),
  };
@@ -306,6 +309,16 @@ _printDataType(virNWFilterVarCombIterPtr vars,
          }
      break;
  
+    case DATATYPE_UINT32:
+    case DATATYPE_UINT32_HEX:
+        if (snprintf(buf, bufsize, asHex ? "0x%x" : "%u",
+                     item->u.u32) >= bufsize) {
+            virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                                   _("Buffer too small for uint32 type"));
+            return 1;
+        }
+    break;
+
      case DATATYPE_UINT16:
      case DATATYPE_UINT16_HEX:
          if (snprintf(buf, bufsize, asHex ? "0x%x" : "%d",
@@ -937,7 +950,8 @@ iptablesHandleIpHdr(virBufferPtr buf,
                      virBufferPtr prefix)
  {
      char ipaddr[INET6_ADDRSTRLEN],
-         number[20];
+         number[MAX(INT_BUFSIZE_BOUND(uint32_t),
+                    INT_BUFSIZE_BOUND(int))];
      const char *src = "--source";
      const char *dst = "--destination";
      const char *srcrange = "--src-range";
@@ -1218,7 +1232,8 @@ _iptablesCreateRuleInstance(int directionIn,
                              bool maySkipICMP)
  {
      char chain[MAX_CHAINNAME_LENGTH];
-    char number[20];
+    char number[MAX(INT_BUFSIZE_BOUND(uint32_t),
+                    INT_BUFSIZE_BOUND(int))];
      virBuffer prefix = VIR_BUFFER_INITIALIZER;
      virBuffer buf = VIR_BUFFER_INITIALIZER;
      virBuffer afterStateMatch = VIR_BUFFER_INITIALIZER;
@@ -1953,7 +1968,9 @@ ebtablesCreateRuleInstance(char chainPrefix,
      char macaddr[VIR_MAC_STRING_BUFLEN],
           ipaddr[INET_ADDRSTRLEN],
           ipv6addr[INET6_ADDRSTRLEN],
-         number[20];
+         number[MAX(INT_BUFSIZE_BOUND(uint32_t),
+                    INT_BUFSIZE_BOUND(int))],
+         field[MAX(VIR_MAC_STRING_BUFLEN, INET6_ADDRSTRLEN)];
      char chain[MAX_CHAINNAME_LENGTH];
      virBuffer buf = VIR_BUFFER_INITIALIZER;
      const char *target;
@@ -2019,19 +2036,91 @@ ebtablesCreateRuleInstance(char chainPrefix,
  #define INST_ITEM(STRUCT, ITEM, CLI) \
          if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM)) { \
              if (printDataType(vars, \
-                              number, sizeof(number), \
+                              field, sizeof(field), \
+                              &rule->p.STRUCT.ITEM)) \
+                goto err_exit; \
+            virBufferAsprintf(&buf, \
+                          " " CLI " %s %s", \
+                          ENTRY_GET_NEG_SIGN(&rule->p.STRUCT.ITEM), \
+                          field); \
+        }
+
+#define INST_ITEM_2PARMS(STRUCT, ITEM, ITEM_HI, CLI, SEP) \
+        if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM)) { \
+            if (printDataType(vars, \
+                              field, sizeof(field), \
                                &rule->p.STRUCT.ITEM)) \
                  goto err_exit; \
              virBufferAsprintf(&buf, \
                            " " CLI " %s %s", \
                            ENTRY_GET_NEG_SIGN(&rule->p.STRUCT.ITEM), \
-                          number); \
+                          field); \
+            if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM_HI)) { \
+                if (printDataType(vars, \
+                                  field, sizeof(field), \
+                                  &rule->p.STRUCT.ITEM_HI)) \
+                    goto err_exit; \
+                virBufferAsprintf(&buf, SEP "%s", field); \
+            } \
          }
+#define INST_ITEM_RANGE(S, I, I_HI, C) \
+    INST_ITEM_2PARMS(S, I, I_HI, C, ":")
+#define INST_ITEM_MASK(S, I, MASK, C) \
+    INST_ITEM_2PARMS(S, I, MASK, C, "/")
  
          INST_ITEM(vlanHdrFilter, dataVlanID, "--vlan-id")
          INST_ITEM(vlanHdrFilter, dataVlanEncap, "--vlan-encap")
      break;
  
+    case VIR_NWFILTER_RULE_PROTOCOL_STP:
+
+        /* cannot handle inout direction with srcmask set in reverse dir.
+           since this clashes with -d below... */
+        if (reverse &&
+            HAS_ENTRY_ITEM(&rule->p.stpHdrFilter.ethHdr.dataSrcMACAddr)) {
+            virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
+                                   _("STP filtering in %s direction with "
+                                   "source MAC address set is not supported"),
+                                   virNWFilterRuleDirectionTypeToString(
+                                       VIR_NWFILTER_RULE_DIRECTION_INOUT));
+            return -1;
+        }
+
+        virBufferAsprintf(&buf,
+                          CMD_DEF_PRE "%s -t %s -%%c %s %%s",
+                          ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain);
+
+
+        if (ebtablesHandleEthHdr(&buf,
+                                 vars,
+                                 &rule->p.stpHdrFilter.ethHdr,
+                                 reverse))
+            goto err_exit;
+
+        virBufferAddLit(&buf, " -d " NWFILTER_MAC_BGA);
+
+        INST_ITEM(stpHdrFilter, dataType, "--stp-type")
+        INST_ITEM(stpHdrFilter, dataFlags, "--stp-flags")
+        INST_ITEM_RANGE(stpHdrFilter, dataRootPri, dataRootPriHi,
+                        "--stp-root-pri");
+        INST_ITEM_MASK( stpHdrFilter, dataRootAddr, dataRootAddrMask,
+                       "--stp-root-addr");
+        INST_ITEM_RANGE(stpHdrFilter, dataRootCost, dataRootCostHi,
+                        "--stp-root-cost");
+        INST_ITEM_RANGE(stpHdrFilter, dataSndrPrio, dataSndrPrioHi,
+                        "--stp-sender-prio");
+        INST_ITEM_MASK( stpHdrFilter, dataSndrAddr, dataSndrAddrMask,
+                        "--stp-sender-addr");
+        INST_ITEM_RANGE(stpHdrFilter, dataPort, dataPortHi, "--stp-port");
+        INST_ITEM_RANGE(stpHdrFilter, dataAge, dataAgeHi, "--stp-msg-age");
+        INST_ITEM_RANGE(stpHdrFilter, dataMaxAge, dataMaxAgeHi,
+                        "--stp-max-age");
+        INST_ITEM_RANGE(stpHdrFilter, dataHelloTime, dataHelloTimeHi,
+                        "--stp-hello-time");
+        INST_ITEM_RANGE(stpHdrFilter, dataFwdDelay, dataFwdDelayHi,
+                        "--stp-forward-delay");
+    break;
+
      case VIR_NWFILTER_RULE_PROTOCOL_ARP:
      case VIR_NWFILTER_RULE_PROTOCOL_RARP:
  
@@ -2480,6 +2569,7 @@ ebiptablesCreateRuleInstance(virConnectPtr conn ATTRIBUTE_UNUSED,
      case VIR_NWFILTER_RULE_PROTOCOL_IP:
      case VIR_NWFILTER_RULE_PROTOCOL_MAC:
      case VIR_NWFILTER_RULE_PROTOCOL_VLAN:
+    case VIR_NWFILTER_RULE_PROTOCOL_STP:
      case VIR_NWFILTER_RULE_PROTOCOL_ARP:
      case VIR_NWFILTER_RULE_PROTOCOL_RARP:
      case VIR_NWFILTER_RULE_PROTOCOL_NONE:
@@ -2818,6 +2908,9 @@ ebtablesCreateTmpSubChain(ebiptablesRuleInstPtr *inst,
      case L2_PROTO_MAC_IDX:
          protostr = strdup("");
          break;
+    case L2_PROTO_STP_IDX:
+        virAsprintf(&protostr, "-d " NWFILTER_MAC_BGA " ");
+        break;
      default:
          virAsprintf(&protostr, "-p 0x%04x ", l3_protocols[protoidx].attr);
          break;
author	Stefan Berger <stefanb@linux.vnet.ibm.com>
	Tue, 22 Nov 2011 20:12:03 +0000 (15:12 -0500)
committer	Stefan Berger <stefanb@us.ibm.com>
	Tue, 22 Nov 2011 20:12:03 +0000 (15:12 -0500)
docs/schemas/nwfilter.rng		patch \| blob \| blame \| history
src/conf/nwfilter_conf.c		patch \| blob \| blame \| history
src/conf/nwfilter_conf.h		patch \| blob \| blame \| history
src/libvirt_private.syms		patch \| blob \| blame \| history
src/nwfilter/nwfilter_ebiptables_driver.c		patch \| blob \| blame \| history