[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Libvir] A whole tonne of networking fixes / enhancements



I've been testing the networking support and found various bugs / missing
features that I thought we really need to have in the release - some of
them impact the XML so we have to get this right now.

 - Build up in memory linked-list of network devices & disk devices in
   same order as they are listed in XML. Currently they are built up
   in reversed order, which makes the XML not be idempotent, and also
   means that if you have multiple NICs, what you think is eth0 ends
   up being eth4 and what you think is eth4 is eth0. This patch fixes
   the ordering to match XML.

 - Set the 'vlan' attribute in command line args to QEMU. This ensures
   that separate network devices are in fact separated. Previously if
   you had multiple NICs, QEMU connected them all to the same VLAN so
   any traffic on one NIC got sent to all NICs. Most definitely not
   what you want in any usual scenario, and created a traffic storm
   from the resultant network loops !

 - Added support for networking of  type='bridge'. This gives parity
   with equivalent Xen networking, eg

      <interface type='bridge'>
        <source dev='xenbr0'/>
        <target dev='vnet3'/>
      </interface>

   Will create a tap device called vnet3 and bridge it into xenbr0

 - Added support for networking of type='ethernet'. This give parity
   with equivlent Xen networking, eg

     <interface type='ethernet'>
       <script path='/etc/qemu-ifup'/>
       <target dev='vnet5'/>
     </interface>

   Will create a tap device called vnet5 and run 'qemu-ifup' to setup
   its configuration. Think the various non-bridge Xen networking configs.

 - Added support for 'client', 'server', 'mcast' networking types. These
   are QEMU specific types, allowing unprivileged (or privileged) users
   to create virtual networks without TAP devices.

   eg two machines, one with

      <interface type='server'>
        <source address="127.0.0.1" port="5555"/>
      </interface>

   And the other with

      <interface type='client'>
        <source address="127.0.0.1" port="5555"/>
      </interface>

   Or both using multicast:

      <interface type='mcast'>
        <source address="230.0.0.1" port="5558"/>
      </interface>

   Both these options allow QEMU instancs on different physical machines
   to talk to each other. The multicast protocol is also compatible with
   the UserModeLinux multicast protocol.

 - Fix the 'type=network' config use the <target dev='vnet3'> element
   instead of a custom  tapifname=vnet3 attribute - this gives consistent
   way to name tap devices that - most importantly -  matches the 
   Xen XML format for specifying vifname, eg

       <interface type='network'>
         <source network='default'/>
         <target dev='vnet2'/>
       </interface>

   Will create a tapdevice called vnet2 and connect it to the bridge
   device associated with the network 'default'.

 - Removed references to 'vde' - we're not using this explicitly - at
   some time in the future, we'll perhaps use VDE for doing virtual
   networking for unprivileged users where bridge devices are not
   available

 - Removed references to 'tap' network type - this is basically handled
   by the 'ethernet' network type to give XML compatability with the
   same functionality in the Xen backend.

 - The virtual network configuration currently always adds whole bunch
   of IPTables rules to the FORWARD/POSTROUTING chain which allow traffic
   from the virtual network to be masqueraded out through any active
   physical interface.  This may be correct thing todo for the default
   network, but we also need the ability to create totally isolated
   networks (no forwarding at all), or directed networks (eg forwarding
   to an explicit physical device). 

   To deal with this scenario I introduce a new element in the network
   XML called '<forward>'. If this is not present, then no forwarding
   rules are added at all. If it is present, but with no attributes
   then a generic rule allowing forwarding to any interface is added.
   If it is present and the 'dev' attribute is specific then forwarding
   is only allowed to that named interface. The default network XML thus
   now includes

        <forward/>

   So that by default we have a virtual network connected to all physical
   devices.

 - MAC addreses were not be autogenerated inside libvirt_qemud. If you
   don't provide a MAC address, QEMU (insanely) uses a hardcoded default.
   So all NICs end up with an identical MAC. We now always autogenerate
   a MAC address if not explicitly listed in XML.


One final thing to be aware of - the Fedora Core 6 Xen kernel currently has
totally fubar TCP checksum offland. So if you try to bridge a Xen guest into
the libvirt virtual networking, it'll fail to get a DHCP address from dnsmasq.
Even if you fix that by turning off TX checksums in Dom0, you'll get checksum
failures for the actual TCP data transmission too. The only solution is to
either upgrade the Dom0 kernel to a RHEL-5 vintage, or to also turn off
checksumming in the guest. A new FC6 xen kernel is in the works which should
hopefully fix this for real.

With fixed kernel, I can easily setup virtual networks connecting both
Xen PV, Xen FV and QEMU instances together.

Anyway, the upshot of all this, is that we can now trivially create really
complicated & fun networking layouts across QEMU & Xen, using a mixture of
bridging, NAT, isolated LANs, and tunnelled VLANS :-)  We really ought to
document it a little though

Since Mark is off on vacation for a while, I'd appreciate people taking a
close look at this / actually giving it a try if you can.

It is possible to create a totally isolated network using

  <network>
    <name>private</name>
    <uuid>d237ce44-8efa-452c-b8e6-1ae9cf53aeb1</uuid>
    <bridge name="virbr0" />
    <ip address="192.168.122.1" netmask="255.255.255.0">
      <dhcp>
        <range start="192.168.122.2" end="192.168.122.254" />
      </dhcp>
    </ip>
  </network>

And a QEMU guest with 5 (yes, 5)  network cards

<domain type='qemu'>
  <name>QEMUFirewall</name>
  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
  <memory>219200</memory>
  <currentMemory>219200</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='i686' machine='pc'>hvm</type>
    <boot dev='hd'/>
  </os>
  <devices>
    <emulator>/usr/bin/qemu</emulator>
    <disk type='block' device='disk'>
      <source dev='/dev/HostVG/QEMUGuest1'/>
      <target dev='hda'/>
    </disk>
    <interface type='network'>
      <source network='private'/>
      <target dev='vnet1'/>
    </interface>
    <interface type='bridge'>
      <source dev='xenbr0'/>
      <target dev='vnet2'/>
    </interface>
    <interface type='ethernet'>
      <script path='/etc/dan-test-ifup'/>
      <target dev='vnet3'/>
    </interface>
    <interface type='server'>
      <source address="127.0.0.1" port="5555"/>
    </interface>
    <interface type='mcast'>
      <source address="230.0.0.1" port="5558"/>
    </interface>
    <graphics type='vnc' port='-1'/>
  </devices>
</domain>


In this XML, only eth1  is connected to the hosts public facing network.
The other NICs are all on various private networks. So this QEMU guest
is in essence a router/firewall box. eg, you could connected various
other guests to the 'private' virtual network, and the only way they
could reach the outside world is via this QEMU instance doing routing.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
Index: qemud/bridge.c
===================================================================
RCS file: /data/cvs/libvirt/qemud/bridge.c,v
retrieving revision 1.4
diff -u -p -r1.4 bridge.c
--- qemud/bridge.c	20 Feb 2007 09:57:47 -0000	1.4
+++ qemud/bridge.c	13 Mar 2007 03:53:20 -0000
@@ -190,27 +190,22 @@ brDeleteInterface(brControl *ctl,
     return brAddDelInterface(ctl, SIOCBRDELIF, bridge, iface);
 }
 
+
 int
 brAddTap(brControl *ctl,
          const char *bridge,
-         const char *ifnameOrFmt,
          char *ifname,
          int maxlen,
          int *tapfd)
 {
     int id, subst, fd;
 
-    if (!ctl || !ctl->fd || !bridge || !ifnameOrFmt || !tapfd)
+    if (!ctl || !ctl->fd || !bridge || !ifname || !tapfd)
         return EINVAL;
 
-    if (!ifname)
-        maxlen = BR_IFNAME_MAXLEN;
-    else if (maxlen >= BR_IFNAME_MAXLEN)
-        maxlen = BR_IFNAME_MAXLEN;
-
     subst = id = 0;
 
-    if (strstr(ifnameOrFmt, "%d"))
+    if (strstr(ifname, "%d"))
         subst = 1;
 
     if ((fd = open("/dev/net/tun", O_RDWR)) < 0)
@@ -225,19 +220,19 @@ brAddTap(brControl *ctl,
         try.ifr_flags = IFF_TAP|IFF_NO_PI;
 
         if (subst) {
-            len = snprintf(try.ifr_name, maxlen, ifnameOrFmt, id);
+            len = snprintf(try.ifr_name, maxlen, ifname, id);
             if (len >= maxlen) {
                 errno = EADDRINUSE;
                 goto error;
             }
         } else {
-            len = strlen(ifnameOrFmt);
+            len = strlen(ifname);
             if (len >= maxlen - 1) {
                 errno = EINVAL;
                 goto error;
             }
 
-            strncpy(try.ifr_name, ifnameOrFmt, len);
+            strncpy(try.ifr_name, ifname, len);
             try.ifr_name[len] = '\0';
         }
 
Index: qemud/bridge.h
===================================================================
RCS file: /data/cvs/libvirt/qemud/bridge.h,v
retrieving revision 1.1
diff -u -p -r1.1 bridge.h
--- qemud/bridge.h	14 Feb 2007 16:02:40 -0000	1.1
+++ qemud/bridge.h	13 Mar 2007 03:53:20 -0000
@@ -49,7 +49,6 @@ int     brDeleteInterface       (brContr
 
 int     brAddTap                (brControl *ctl,
                                  const char *bridge,
-                                 const char *ifnameOrFmt,
                                  char *ifname,
                                  int maxlen,
                                  int *tapfd);
Index: qemud/conf.c
===================================================================
RCS file: /data/cvs/libvirt/qemud/conf.c,v
retrieving revision 1.40
diff -u -p -r1.40 conf.c
--- qemud/conf.c	9 Mar 2007 03:08:34 -0000	1.40
+++ qemud/conf.c	13 Mar 2007 03:53:22 -0000
@@ -444,6 +444,15 @@ static struct qemud_vm_disk_def *qemudPa
     return NULL;
 }
 
+static void qemudRandomMAC(struct qemud_vm_net_def *net) {
+    net->mac[0] = 0x52;
+    net->mac[1] = 0x54;
+    net->mac[2] = 0x00;
+    net->mac[3] = 1 + (int)(256*(rand()/(RAND_MAX+1.0)));
+    net->mac[4] = 1 + (int)(256*(rand()/(RAND_MAX+1.0)));
+    net->mac[5] = 1 + (int)(256*(rand()/(RAND_MAX+1.0)));
+}
+
 
 /* Parse the XML definition for a network interface */
 static struct qemud_vm_net_def *qemudParseInterfaceXML(struct qemud_server *server,
@@ -453,7 +462,11 @@ static struct qemud_vm_net_def *qemudPar
     xmlChar *macaddr = NULL;
     xmlChar *type = NULL;
     xmlChar *network = NULL;
-    xmlChar *tapifname = NULL;
+    xmlChar *bridge = NULL;
+    xmlChar *ifname = NULL;
+    xmlChar *script = NULL;
+    xmlChar *address = NULL;
+    xmlChar *port = NULL;
 
     if (!net) {
         qemudReportError(server, VIR_ERR_NO_MEMORY, "net");
@@ -466,8 +479,8 @@ static struct qemud_vm_net_def *qemudPar
     if (type != NULL) {
         if (xmlStrEqual(type, BAD_CAST "user"))
             net->type = QEMUD_NET_USER;
-        else if (xmlStrEqual(type, BAD_CAST "tap"))
-            net->type = QEMUD_NET_TAP;
+        else if (xmlStrEqual(type, BAD_CAST "ethernet"))
+            net->type = QEMUD_NET_ETHERNET;
         else if (xmlStrEqual(type, BAD_CAST "server"))
             net->type = QEMUD_NET_SERVER;
         else if (xmlStrEqual(type, BAD_CAST "client"))
@@ -476,10 +489,8 @@ static struct qemud_vm_net_def *qemudPar
             net->type = QEMUD_NET_MCAST;
         else if (xmlStrEqual(type, BAD_CAST "network"))
             net->type = QEMUD_NET_NETWORK;
-        /*
-        else if (xmlStrEqual(type, BAD_CAST "vde"))
-          typ = QEMUD_NET_VDE;
-        */
+        else if (xmlStrEqual(type, BAD_CAST "bridge"))
+            net->type = QEMUD_NET_BRIDGE;
         else
             net->type = QEMUD_NET_USER;
         xmlFree(type);
@@ -496,17 +507,32 @@ static struct qemud_vm_net_def *qemudPar
                        (net->type == QEMUD_NET_NETWORK) &&
                        (xmlStrEqual(cur->name, BAD_CAST "source"))) {
                 network = xmlGetProp(cur, BAD_CAST "network");
-            } else if ((tapifname == NULL) &&
-                       (net->type == QEMUD_NET_NETWORK) &&
-                       xmlStrEqual(cur->name, BAD_CAST "tap")) {
-                tapifname = xmlGetProp(cur, BAD_CAST "ifname");
+            } else if ((network == NULL) &&
+                       (net->type == QEMUD_NET_BRIDGE) &&
+                       (xmlStrEqual(cur->name, BAD_CAST "source"))) {
+                bridge = xmlGetProp(cur, BAD_CAST "dev");
+            } else if ((network == NULL) &&
+                       ((net->type == QEMUD_NET_SERVER) ||
+                        (net->type == QEMUD_NET_CLIENT) ||
+                        (net->type == QEMUD_NET_MCAST)) &&
+                       (xmlStrEqual(cur->name, BAD_CAST "source"))) {
+                address = xmlGetProp(cur, BAD_CAST "address");
+                port = xmlGetProp(cur, BAD_CAST "port");
+            } else if ((ifname == NULL) &&
+                       ((net->type == QEMUD_NET_NETWORK) ||
+                        (net->type == QEMUD_NET_ETHERNET) ||
+                        (net->type == QEMUD_NET_BRIDGE)) &&
+                       xmlStrEqual(cur->name, BAD_CAST "target")) {
+                ifname = xmlGetProp(cur, BAD_CAST "dev");
+            } else if ((script == NULL) &&
+                       (net->type == QEMUD_NET_ETHERNET) &&
+                       xmlStrEqual(cur->name, BAD_CAST "script")) {
+                script = xmlGetProp(cur, BAD_CAST "path");
             }
         }
         cur = cur->next;
     }
 
-    net->vlan = 0;
-
     if (macaddr) {
         unsigned int mac[6];
         sscanf((const char *)macaddr, "%02x:%02x:%02x:%02x:%02x:%02x",
@@ -524,6 +550,9 @@ static struct qemud_vm_net_def *qemudPar
         net->mac[5] = mac[5];
 
         xmlFree(macaddr);
+        macaddr = NULL;
+    } else {
+        qemudRandomMAC(net);
     }
 
     if (net->type == QEMUD_NET_NETWORK) {
@@ -533,7 +562,7 @@ static struct qemud_vm_net_def *qemudPar
             qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                              "No <source> 'network' attribute specified with <interface type='network'/>");
             goto error;
-        } else if ((len = xmlStrlen(network)) >= QEMUD_MAX_NAME_LEN) {
+        } else if ((len = xmlStrlen(network)) >= (QEMUD_MAX_NAME_LEN-1)) {
             qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                              "Network name '%s' too long", network);
             goto error;
@@ -542,20 +571,118 @@ static struct qemud_vm_net_def *qemudPar
             net->dst.network.name[len] = '\0';
         }
 
-        if (network)
+        if (network) {
             xmlFree(network);
+            network = NULL;
+        }
+
+        if (ifname != NULL) {
+            if ((len = xmlStrlen(ifname)) >= (BR_IFNAME_MAXLEN-1)) {
+                qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                                 "TAP interface name '%s' is too long", ifname);
+                goto error;
+            } else {
+                strncpy(net->dst.network.ifname, (char *)ifname, len);
+                net->dst.network.ifname[len] = '\0';
+            }
+            xmlFree(ifname);
+            ifname = NULL;
+        }
+    } else if (net->type == QEMUD_NET_ETHERNET) {
+        int len;
 
-        if (tapifname != NULL) {
-            if ((len == xmlStrlen(tapifname)) >= BR_IFNAME_MAXLEN) {
+        if (script != NULL) {
+            if ((len = xmlStrlen(script)) >= (PATH_MAX-1)) {
+                qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                                 "TAP script path '%s' is too long", script);
+                goto error;
+            } else {
+                strncpy(net->dst.ethernet.script, (char *)script, len);
+                net->dst.ethernet.script[len] = '\0';
+            }
+            xmlFree(script);
+            script = NULL;
+        }
+        if (ifname != NULL) {
+            if ((len = xmlStrlen(ifname)) >= (BR_IFNAME_MAXLEN-1)) {
                 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                                 "TAP interface name '%s' is too long", tapifname);
+                                 "TAP interface name '%s' is too long", ifname);
                 goto error;
             } else {
-                strncpy(net->dst.network.tapifname, (char *)tapifname, len);
-                net->dst.network.tapifname[len] = '\0';
+                strncpy(net->dst.ethernet.ifname, (char *)ifname, len);
+                net->dst.ethernet.ifname[len] = '\0';
             }
-            xmlFree(tapifname);
+            xmlFree(ifname);
+        }
+    } else if (net->type == QEMUD_NET_BRIDGE) {
+        int len;
+
+        if (bridge == NULL) {
+            qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                             "No <source> 'dev' attribute specified with <interface type='bridge'/>");
+            goto error;
+        } else if ((len = xmlStrlen(bridge)) >= (BR_IFNAME_MAXLEN-1)) {
+            qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                             "TAP bridge path '%s' is too long", bridge);
+            goto error;
+        } else {
+            strncpy(net->dst.bridge.brname, (char *)bridge, len);
+            net->dst.bridge.brname[len] = '\0';
         }
+
+        xmlFree(bridge);
+        bridge = NULL;
+
+        if (ifname != NULL) {
+            if ((len = xmlStrlen(ifname)) >= (BR_IFNAME_MAXLEN-1)) {
+                qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                                 "TAP interface name '%s' is too long", ifname);
+                goto error;
+            } else {
+                strncpy(net->dst.bridge.ifname, (char *)ifname, len);
+                net->dst.bridge.ifname[len] = '\0';
+            }
+            xmlFree(ifname);
+        }
+    } else if (net->type == QEMUD_NET_CLIENT ||
+               net->type == QEMUD_NET_SERVER ||
+               net->type == QEMUD_NET_MCAST) {
+        int len;
+        char *ret;
+
+        if (port == NULL) {
+            qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                             "No <source> 'port' attribute specified with socket interface");
+            goto error;
+        }
+        if (!(net->dst.socket.port = strtol((char*)port, &ret, 10)) &&
+            ret == (char*)port) {
+            qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                             "Cannot parse <source> 'port' attribute with socket interface");
+            goto error;
+        }
+        xmlFree(port);
+        port = NULL;
+
+        if (address == NULL) {
+            if (net->type == QEMUD_NET_CLIENT ||
+                net->type == QEMUD_NET_MCAST) {
+                qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                                 "No <source> 'address' attribute specified with socket interface");
+                goto error;
+            }
+        } else if ((len = xmlStrlen(address)) >= (BR_INET_ADDR_MAXLEN)) {
+            qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                             "IP address '%s' is too long", address);
+            goto error;
+        }
+        if (address == NULL) {
+            net->dst.socket.address[0] = '\0';
+        } else {
+            strncpy(net->dst.socket.address, (char*)address,len);
+            net->dst.socket.address[len] = '\0';
+        }
+        xmlFree(address);
     }
 
     return net;
@@ -563,8 +690,16 @@ static struct qemud_vm_net_def *qemudPar
  error:
     if (network)
         xmlFree(network);
-    if (tapifname)
-        xmlFree(tapifname);
+    if (address)
+        xmlFree(address);
+    if (port)
+        xmlFree(port);
+    if (ifname)
+        xmlFree(ifname);
+    if (script)
+        xmlFree(script);
+    if (bridge)
+        xmlFree(bridge);
     free(net);
     return NULL;
 }
@@ -886,14 +1021,20 @@ static struct qemud_vm_def *qemudParseXM
     obj = xmlXPathEval(BAD_CAST "/domain/devices/disk", ctxt);
     if ((obj != NULL) && (obj->type == XPATH_NODESET) &&
         (obj->nodesetval != NULL) && (obj->nodesetval->nodeNr >= 0)) {
+        struct qemud_vm_disk_def *prev = NULL;
         for (i = 0; i < obj->nodesetval->nodeNr; i++) {
             struct qemud_vm_disk_def *disk;
             if (!(disk = qemudParseDiskXML(server, obj->nodesetval->nodeTab[i]))) {
                 goto error;
             }
             def->ndisks++;
-            disk->next = def->disks;
-            def->disks = disk;
+            disk->next = NULL;
+            if (i == 0) {
+                def->disks = disk;
+            } else {
+                prev->next = disk;
+            }
+            prev = disk;
         }
     }
     xmlXPathFreeObject(obj);
@@ -903,14 +1044,20 @@ static struct qemud_vm_def *qemudParseXM
     obj = xmlXPathEval(BAD_CAST "/domain/devices/interface", ctxt);
     if ((obj != NULL) && (obj->type == XPATH_NODESET) &&
         (obj->nodesetval != NULL) && (obj->nodesetval->nodeNr >= 0)) {
+        struct qemud_vm_net_def *prev = NULL;
         for (i = 0; i < obj->nodesetval->nodeNr; i++) {
             struct qemud_vm_net_def *net;
             if (!(net = qemudParseInterfaceXML(server, obj->nodesetval->nodeTab[i]))) {
                 goto error;
             }
             def->nnets++;
-            net->next = def->nets;
-            def->nets = net;
+            net->next = NULL;
+            if (i == 0) {
+                def->nets = net;
+            } else {
+                prev->next = net;
+            }
+            prev = net;
         }
     }
     xmlXPathFreeObject(obj);
@@ -933,49 +1080,65 @@ static struct qemud_vm_def *qemudParseXM
 static char *
 qemudNetworkIfaceConnect(struct qemud_server *server,
                          struct qemud_vm *vm,
-                         struct qemud_vm_net_def *net)
+                         struct qemud_vm_net_def *net,
+                         int vlan)
 {
-    struct qemud_network *network;
-    const char *tapifname;
+    struct qemud_network *network = NULL;
+    char *brname;
+    char *ifname;
     char tapfdstr[4+3+32+7];
     char *retval = NULL;
     int err;
     int tapfd = -1;
     int *tapfds;
 
-    if (!(network = qemudFindNetworkByName(server, net->dst.network.name))) {
-        qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "Network '%s' not found", net->dst.network.name);
-        goto error;
-    } else if (network->bridge[0] == '\0') {
+    if (net->type == QEMUD_NET_NETWORK) {
+        if (!(network = qemudFindNetworkByName(server, net->dst.network.name))) {
+            qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                             "Network '%s' not found", net->dst.network.name);
+            goto error;
+        } else if (network->bridge[0] == '\0') {
+            qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                             "Network '%s' not active", net->dst.network.name);
+            goto error;
+        }
+        brname = network->bridge;
+        if (net->dst.network.ifname[0] == '\0' ||
+            strchr(net->dst.network.ifname, '%')) {
+            strcpy(net->dst.network.ifname, "vnet%d");
+        }
+        ifname = net->dst.network.ifname;
+    } else if (net->type == QEMUD_NET_BRIDGE) {
+        brname = net->dst.bridge.brname;
+        if (net->dst.bridge.ifname[0] == '\0' ||
+            strchr(net->dst.bridge.ifname, '%')) {
+            strcpy(net->dst.bridge.ifname, "vnet%d");
+        }
+        ifname = net->dst.bridge.ifname;
+    } else {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "Network '%s' not active", net->dst.network.name);
+                         "Network type %d is not supported", net->type);
         goto error;
     }
 
-    if (net->dst.network.tapifname[0] == '\0' ||
-        strchr(net->dst.network.tapifname, '%')) {
-        tapifname = "vnet%d";
-    } else {
-        tapifname = net->dst.network.tapifname;
-    }
-
-    if ((err = brAddTap(server->brctl, network->bridge, tapifname,
-                        &net->dst.network.tapifname[0], BR_IFNAME_MAXLEN, &tapfd))) {
+    if ((err = brAddTap(server->brctl, brname,
+                        ifname, BR_IFNAME_MAXLEN, &tapfd))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                          "Failed to add tap interface '%s' to bridge '%s' : %s",
-                         tapifname, network->bridge, strerror(err));
+                         ifname, brname, strerror(err));
         goto error;
     }
 
-    if ((err = iptablesAddPhysdevForward(server->iptables, net->dst.network.tapifname))) {
-        qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "Failed to add iptables rule to allow bridging from '%s' :%s",
-                         net->dst.network.tapifname, strerror(err));
-        goto error;
+    if (net->type == QEMUD_NET_NETWORK && network->def->forward) {
+        if ((err = iptablesAddPhysdevForward(server->iptables, ifname, network->def->forwardDev))) {
+            qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                             "Failed to add iptables rule to allow bridging from '%s' :%s",
+                             ifname, strerror(err));
+            goto error;
+        }
     }
 
-    snprintf(tapfdstr, sizeof(tapfdstr), "tap,fd=%d,script=", tapfd);
+    snprintf(tapfdstr, sizeof(tapfdstr), "tap,fd=%d,script=,vlan=%d", tapfd, vlan);
 
     if (!(retval = strdup(tapfdstr)))
         goto no_memory;
@@ -990,7 +1153,8 @@ qemudNetworkIfaceConnect(struct qemud_se
     return retval;
 
  no_memory:
-    iptablesRemovePhysdevForward(server->iptables, net->dst.network.tapifname);
+    if (net->type == QEMUD_NET_NETWORK && network->def->forward)
+        iptablesRemovePhysdevForward(server->iptables, ifname, network->def->forwardDev);
     qemudReportError(server, VIR_ERR_NO_MEMORY, "tapfds");
  error:
     if (retval)
@@ -1137,36 +1301,88 @@ int qemudBuildCommandLine(struct qemud_s
         if (!((*argv)[++n] = strdup("none")))
             goto no_memory;
     } else {
+        int vlan = 0;
         while (net) {
             char nic[3+1+7+1+17+1];
 
-            if (!net->mac[0] && !net->mac[1] && !net->mac[2] &&
-                !net->mac[3] && !net->mac[4] && !net->mac[5]) {
-                strncpy(nic, "nic", 4);
-            } else {
-                sprintf(nic, "nic,macaddr=%02x:%02x:%02x:%02x:%02x:%02x",
-                        net->mac[0], net->mac[1],
-                        net->mac[2], net->mac[3],
-                        net->mac[4], net->mac[5]);
-            }
+            sprintf(nic, "nic,macaddr=%02x:%02x:%02x:%02x:%02x:%02x,vlan=%d",
+                    net->mac[0], net->mac[1],
+                    net->mac[2], net->mac[3],
+                    net->mac[4], net->mac[5],
+                    vlan);
 
             if (!((*argv)[++n] = strdup("-net")))
                 goto no_memory;
             if (!((*argv)[++n] = strdup(nic)))
                 goto no_memory;
+
             if (!((*argv)[++n] = strdup("-net")))
                 goto no_memory;
 
-            if (net->type != QEMUD_NET_NETWORK) {
-                /* XXX don't hardcode user */
-                if (!((*argv)[++n] = strdup("user")))
-                    goto no_memory;
-            } else {
-                if (!((*argv)[++n] = qemudNetworkIfaceConnect(server, vm, net)))
+            switch (net->type) {
+            case QEMUD_NET_NETWORK:
+            case QEMUD_NET_BRIDGE:
+                if (!((*argv)[++n] = qemudNetworkIfaceConnect(server, vm, net, vlan)))
                     goto error;
+                break;
+
+            case QEMUD_NET_ETHERNET:
+                {
+                    char arg[PATH_MAX];
+                    if (snprintf(arg, PATH_MAX-1, "tap,ifname=%s,script=%s,vlan=%d",
+                                 net->dst.ethernet.ifname,
+                                 net->dst.ethernet.script,
+                                 vlan) >= (PATH_MAX-1))
+                        goto error;
+
+                    if (!((*argv)[++n] = strdup(arg)))
+                        goto no_memory;
+                }
+                break;
+
+            case QEMUD_NET_CLIENT:
+            case QEMUD_NET_SERVER:
+            case QEMUD_NET_MCAST:
+                {
+                    char arg[PATH_MAX];
+                    const char *mode = NULL;
+                    switch (net->type) {
+                    case QEMUD_NET_CLIENT:
+                        mode = "connect";
+                        break;
+                    case QEMUD_NET_SERVER:
+                        mode = "listen";
+                        break;
+                    case QEMUD_NET_MCAST:
+                        mode = "mcast";
+                        break;
+                    }
+                    if (snprintf(arg, PATH_MAX-1, "socket,%s=%s:%d,vlan=%d",
+                                 mode,
+                                 net->dst.socket.address,
+                                 net->dst.socket.port,
+                                 vlan) >= (PATH_MAX-1))
+                        goto error;
+
+                    if (!((*argv)[++n] = strdup(arg)))
+                        goto no_memory;
+                }
+                break;
+
+            case QEMUD_NET_USER:
+            default:
+                {
+                    char arg[PATH_MAX];
+                    if (snprintf(arg, PATH_MAX-1, "user,vlan=%d", vlan) >= (PATH_MAX-1))
+                        goto error;
+
+                    if (!((*argv)[++n] = strdup(arg)))
+                        goto no_memory;
+                }
             }
 
             net = net->next;
+            vlan++;
         }
     }
 
@@ -1567,7 +1783,7 @@ static struct qemud_network_def *qemudPa
                                                       xmlDocPtr xml) {
     xmlNodePtr root = NULL;
     xmlXPathContextPtr ctxt = NULL;
-    xmlXPathObjectPtr obj = NULL;
+    xmlXPathObjectPtr obj = NULL, tmp = NULL;
     struct qemud_network_def *def;
 
     if (!(def = calloc(1, sizeof(struct qemud_network_def)))) {
@@ -1620,6 +1836,31 @@ static struct qemud_network_def *qemudPa
     }
     xmlXPathFreeObject(obj);
 
+    obj = xmlXPathEval(BAD_CAST "count(/network/forward) > 0", ctxt);
+    if ((obj != NULL) && (obj->type == XPATH_BOOLEAN) &&
+        obj->boolval) {
+        def->forward = 1;
+        tmp = xmlXPathEval(BAD_CAST "string(/network/forward[1]/@dev)", ctxt);
+        if ((tmp != NULL) && (tmp->type == XPATH_STRING) &&
+            (tmp->stringval != NULL) && (tmp->stringval[0] != 0)) {
+            int len;
+            if ((len = xmlStrlen(tmp->stringval)) >= (BR_IFNAME_MAXLEN-1)) {
+                qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+                                 "forward device name '%s' is too long",
+                                 (char*)tmp->stringval);
+                goto error;
+            }
+            strcpy(def->forwardDev, (char*)tmp->stringval);
+        } else {
+            def->forwardDev[0] = '\0';
+        }
+        xmlXPathFreeObject(tmp);
+        tmp = NULL;
+    } else {
+        def->forward = 0;
+    }
+    xmlXPathFreeObject(obj);
+
     /* Parse bridge information */
     obj = xmlXPathEval(BAD_CAST "/network/bridge[1]", ctxt);
     if ((obj != NULL) && (obj->type == XPATH_NODESET) &&
@@ -1649,6 +1890,8 @@ static struct qemud_network_def *qemudPa
        the caller ? */
     if (obj)
         xmlXPathFreeObject(obj);
+    if (tmp)
+        xmlXPathFreeObject(tmp);
     if (ctxt)
         xmlXPathFreeContext(ctxt);
     qemudFreeNetworkDef(def);
@@ -2320,34 +2563,65 @@ char *qemudGenerateXML(struct qemud_serv
     while (net) {
         const char *types[] = {
             "user",
-            "tap",
+            "ethernet",
             "server",
             "client",
             "mcast",
             "network",
-            "vde",
+            "bridge",
         };
         if (qemudBufferPrintf(&buf, "    <interface type='%s'>\n",
                               types[net->type]) < 0)
             goto no_memory;
 
-        if (net->mac[0] && net->mac[1] && net->mac[2] &&
-            net->mac[3] && net->mac[4] && net->mac[5] &&
-            qemudBufferPrintf(&buf, "      <mac address='%02x:%02x:%02x:%02x:%02x:%02x'/>\n",
+        if (qemudBufferPrintf(&buf, "      <mac address='%02x:%02x:%02x:%02x:%02x:%02x'/>\n",
                               net->mac[0], net->mac[1], net->mac[2],
                               net->mac[3], net->mac[4], net->mac[5]) < 0)
             goto no_memory;
 
-        if (net->type == QEMUD_NET_NETWORK) {
-            if (qemudBufferPrintf(&buf, "      <source network='%s'", net->dst.network.name) < 0)
+        switch (net->type) {
+        case QEMUD_NET_NETWORK:
+            if (qemudBufferPrintf(&buf, "      <source network='%s'/>\n", net->dst.network.name) < 0)
                 goto no_memory;
 
-            if (net->dst.network.tapifname[0] != '\0' &&
-                qemudBufferPrintf(&buf, " tapifname='%s'", net->dst.network.tapifname) < 0)
-                goto no_memory;
+            if (net->dst.network.ifname[0] != '\0') {
+                if (qemudBufferPrintf(&buf, "      <target dev='%s'/>\n", net->dst.network.ifname) < 0)
+                    goto no_memory;
+            }
+            break;
 
-            if (qemudBufferPrintf(&buf, "/>\n") < 0)
+        case QEMUD_NET_ETHERNET:
+            if (net->dst.ethernet.ifname[0] != '\0') {
+                if (qemudBufferPrintf(&buf, "      <target dev='%s'/>\n", net->dst.ethernet.ifname) < 0)
+                    goto no_memory;
+            }
+            if (net->dst.ethernet.script[0] != '\0') {
+                if (qemudBufferPrintf(&buf, "      <script path='%s'/>\n", net->dst.ethernet.script) < 0)
+                    goto no_memory;
+            }
+            break;
+
+        case QEMUD_NET_BRIDGE:
+            if (qemudBufferPrintf(&buf, "      <source dev='%s'/>\n", net->dst.bridge.brname) < 0)
                 goto no_memory;
+            if (net->dst.bridge.ifname[0] != '\0') {
+                if (qemudBufferPrintf(&buf, "      <target dev='%s'/>\n", net->dst.bridge.ifname) < 0)
+                    goto no_memory;
+            }
+            break;
+
+        case QEMUD_NET_SERVER:
+        case QEMUD_NET_CLIENT:
+        case QEMUD_NET_MCAST:
+            if (net->dst.socket.address[0] != '\0') {
+                if (qemudBufferPrintf(&buf, "      <source address='%s' port='%d'/>\n",
+                                      net->dst.socket.address, net->dst.socket.port) < 0)
+                    goto no_memory;
+            } else {
+                if (qemudBufferPrintf(&buf, "      <source port='%d'/>\n",
+                                      net->dst.socket.port) < 0)
+                    goto no_memory;
+            }
         }
 
         if (qemudBufferPrintf(&buf, "    </interface>\n") < 0)
@@ -2428,6 +2702,15 @@ char *qemudGenerateNetworkXML(struct qem
                           uuid[12], uuid[13], uuid[14], uuid[15]) < 0)
         goto no_memory;
 
+    if (def->forward) {
+        if (def->forwardDev[0]) {
+            qemudBufferPrintf(&buf, "  <forward dev='%s'/>\n",
+                              def->forwardDev);
+        } else {
+            qemudBufferAdd(&buf, "  <forward/>\n");
+        }
+    }
+
     if ((def->bridge != '\0' || def->disableSTP || def->forwardDelay) &&
         qemudBufferPrintf(&buf, "  <bridge name='%s' stp='%s' delay='%d' />\n",
                           def->bridge,
Index: qemud/default-network.xml
===================================================================
RCS file: /data/cvs/libvirt/qemud/default-network.xml,v
retrieving revision 1.1
diff -u -p -r1.1 default-network.xml
--- qemud/default-network.xml	7 Mar 2007 11:54:29 -0000	1.1
+++ qemud/default-network.xml	13 Mar 2007 03:53:22 -0000
@@ -1,6 +1,7 @@
 <network>
   <name>default</name>
   <bridge name="virbr0" />
+  <forward/>
   <ip address="192.168.122.1" netmask="255.255.255.0">
     <dhcp>
       <range start="192.168.122.2" end="192.168.122.254" />
Index: qemud/internal.h
===================================================================
RCS file: /data/cvs/libvirt/qemud/internal.h,v
retrieving revision 1.18
diff -u -p -r1.18 internal.h
--- qemud/internal.h	5 Mar 2007 17:15:20 -0000	1.18
+++ qemud/internal.h	13 Mar 2007 03:53:22 -0000
@@ -103,43 +103,35 @@ struct qemud_vm_disk_def {
 /* 5 different types of networking config */
 enum qemud_vm_net_type {
     QEMUD_NET_USER,
-    QEMUD_NET_TAP,
+    QEMUD_NET_ETHERNET,
     QEMUD_NET_SERVER,
     QEMUD_NET_CLIENT,
     QEMUD_NET_MCAST,
     QEMUD_NET_NETWORK,
-    /*  QEMUD_NET_VDE*/
+    QEMUD_NET_BRIDGE,
 };
 
 /* Stores the virtual network interface configuration */
 struct qemud_vm_net_def {
     int type;
-    int vlan;
     unsigned char mac[QEMUD_MAC_ADDRESS_LEN];
     union {
         struct {
-            char ifname[NAME_MAX];
+            char ifname[BR_IFNAME_MAXLEN];
             char script[PATH_MAX];
-        } tap;
+        } ethernet;
         struct {
-            struct sockaddr_in listen;
+            char address[BR_INET_ADDR_MAXLEN];
             int port;
-        } server;
-        struct {
-            struct sockaddr_in connect;
-            int port;
-        } client;
-        struct {
-            struct sockaddr_in group;
-            int port;
-        } mcast;
-        struct {
-            char vlan[PATH_MAX];
-        } vde;
+        } socket; /* any of NET_CLIENT or NET_SERVER or NET_MCAST */
         struct {
             char name[QEMUD_MAX_NAME_LEN];
-            char tapifname[BR_IFNAME_MAXLEN];
+            char ifname[BR_IFNAME_MAXLEN];
         } network;
+        struct {
+            char brname[BR_IFNAME_MAXLEN];
+            char ifname[BR_IFNAME_MAXLEN];
+        } bridge;
     } dst;
 
     struct qemud_vm_net_def *next;
@@ -249,6 +241,9 @@ struct qemud_network_def {
     int disableSTP;
     int forwardDelay;
 
+    int forward;
+    char forwardDev[BR_IFNAME_MAXLEN];
+
     char ipAddress[BR_INET_ADDR_MAXLEN];
     char netmask[BR_INET_ADDR_MAXLEN];
 
Index: qemud/iptables.c
===================================================================
RCS file: /data/cvs/libvirt/qemud/iptables.c,v
retrieving revision 1.3
diff -u -p -r1.3 iptables.c
--- qemud/iptables.c	20 Feb 2007 17:51:41 -0000	1.3
+++ qemud/iptables.c	13 Mar 2007 03:53:22 -0000
@@ -532,20 +532,17 @@ iptablesInput(iptablesContext *ctx,
               int tcp)
 {
     char portstr[32];
-    int ret;
 
     snprintf(portstr, sizeof(portstr), "%d", port);
     portstr[sizeof(portstr) - 1] = '\0';
 
-    ret = iptablesAddRemoveRule(ctx->input_filter,
-                                action,
-                                "--in-interface", iface,
-                                "--protocol", tcp ? "tcp" : "udp",
-                                "--destination-port", portstr,
-                                "--jump", "ACCEPT",
-                                NULL);
-
-    return ret;
+    return iptablesAddRemoveRule(ctx->input_filter,
+                                 action,
+                                 "--in-interface", iface,
+                                 "--protocol", tcp ? "tcp" : "udp",
+                                 "--destination-port", portstr,
+                                 "--jump", "ACCEPT",
+                                 NULL);
 }
 
 int
@@ -583,106 +580,158 @@ iptablesRemoveUdpInput(iptablesContext *
 static int
 iptablesPhysdevForward(iptablesContext *ctx,
                        const char *iface,
+                       const char *target,
                        int action)
 {
-    return iptablesAddRemoveRule(ctx->forward_filter,
-                                 action,
-                                 "--match", "physdev",
-                                 "--physdev-in", iface,
-                                 "--jump", "ACCEPT",
-                                 NULL);
+    if (target && target[0]) {
+        return iptablesAddRemoveRule(ctx->forward_filter,
+                                     action,
+                                     "--match", "physdev",
+                                     "--physdev-in", iface,
+                                     "--out", target,
+                                     "--jump", "ACCEPT",
+                                     NULL);
+    } else {
+        return iptablesAddRemoveRule(ctx->forward_filter,
+                                     action,
+                                     "--match", "physdev",
+                                     "--physdev-in", iface,
+                                     "--jump", "ACCEPT",
+                                     NULL);
+    }
 }
 
 int
 iptablesAddPhysdevForward(iptablesContext *ctx,
-                          const char *iface)
+                          const char *iface,
+                          const char *target)
 {
-    return iptablesPhysdevForward(ctx, iface, ADD);
+    return iptablesPhysdevForward(ctx, iface, target, ADD);
 }
 
 int
 iptablesRemovePhysdevForward(iptablesContext *ctx,
-                             const char *iface)
+                             const char *iface,
+                             const char *target)
 {
-    return iptablesPhysdevForward(ctx, iface, REMOVE);
+    return iptablesPhysdevForward(ctx, iface, target, REMOVE);
 }
 
 static int
 iptablesInterfaceForward(iptablesContext *ctx,
                          const char *iface,
+                         const char *target,
                          int action)
 {
-    return iptablesAddRemoveRule(ctx->forward_filter,
-                                 action,
-                                 "--in-interface", iface,
-                                 "--jump", "ACCEPT",
-                                 NULL);
+    if (target && target[0]) {
+        return iptablesAddRemoveRule(ctx->forward_filter,
+                                     action,
+                                     "--in-interface", iface,
+                                     "--out-interface", target,
+                                     "--jump", "ACCEPT",
+                                     NULL);
+    } else {
+        return iptablesAddRemoveRule(ctx->forward_filter,
+                                     action,
+                                     "--in-interface", iface,
+                                     "--jump", "ACCEPT",
+                                     NULL);
+    }
 }
 
 int
 iptablesAddInterfaceForward(iptablesContext *ctx,
-                            const char *iface)
+                            const char *iface,
+                            const char *target)
 {
-    return iptablesInterfaceForward(ctx, iface, ADD);
+    return iptablesInterfaceForward(ctx, iface, target, ADD);
 }
 
 int
 iptablesRemoveInterfaceForward(iptablesContext *ctx,
-                               const char *iface)
+                               const char *iface,
+                               const char *target)
 {
-    return iptablesInterfaceForward(ctx, iface, REMOVE);
+    return iptablesInterfaceForward(ctx, iface, target, REMOVE);
 }
 
 static int
 iptablesStateForward(iptablesContext *ctx,
                      const char *iface,
+                     const char *target,
                      int action)
 {
-    return iptablesAddRemoveRule(ctx->forward_filter,
-                                 action,
-                                 "--out-interface", iface,
-                                 "--match", "state",
-                                 "--state", "ESTABLISHED,RELATED",
-                                 "--jump", "ACCEPT",
-                                 NULL);
+    if (target && target[0]) {
+        return iptablesAddRemoveRule(ctx->forward_filter,
+                                     action,
+                                     "--in-interface", target,
+                                     "--out-interface", iface,
+                                     "--match", "state",
+                                     "--state", "ESTABLISHED,RELATED",
+                                     "--jump", "ACCEPT",
+                                     NULL);
+    } else {
+        return iptablesAddRemoveRule(ctx->forward_filter,
+                                     action,
+                                     "--out-interface", iface,
+                                     "--match", "state",
+                                     "--state", "ESTABLISHED,RELATED",
+                                     "--jump", "ACCEPT",
+                                     NULL);
+    }
 }
 
 int
 iptablesAddStateForward(iptablesContext *ctx,
-                        const char *iface)
+                        const char *iface,
+                        const char *target)
 {
-    return iptablesStateForward(ctx, iface, ADD);
+    return iptablesStateForward(ctx, iface, target, ADD);
 }
 
 int
 iptablesRemoveStateForward(iptablesContext *ctx,
-                           const char *iface)
+                           const char *iface,
+                           const char *target)
 {
-    return iptablesStateForward(ctx, iface, REMOVE);
+    return iptablesStateForward(ctx, iface, target, REMOVE);
 }
 
 static int
 iptablesNonBridgedMasq(iptablesContext *ctx,
+                       const char *target,
                        int action)
 {
-    return iptablesAddRemoveRule(ctx->nat_postrouting,
-                                 action,
-                                 "--match", "physdev",
-                                 "!", "--physdev-is-bridged",
-                                 "--jump", "MASQUERADE",
-                                 NULL);
+    if (target && target[0]) {
+        return iptablesAddRemoveRule(ctx->nat_postrouting,
+                                     action,
+                                     "--out-interface", target,
+                                     "--match", "physdev",
+                                     "!", "--physdev-is-bridged",
+                                     "--jump", "MASQUERADE",
+                                     NULL);
+    } else {
+        return iptablesAddRemoveRule(ctx->nat_postrouting,
+                                     action,
+                                     "--match", "physdev",
+                                     "!", "--physdev-is-bridged",
+                                     "--jump", "MASQUERADE",
+                                     NULL);
+    }
 }
 
 int
-iptablesAddNonBridgedMasq(iptablesContext *ctx)
+iptablesAddNonBridgedMasq(iptablesContext *ctx,
+                          const char *target)
 {
-    return iptablesNonBridgedMasq(ctx, ADD);
+    return iptablesNonBridgedMasq(ctx, target, ADD);
 }
 
 int
-iptablesRemoveNonBridgedMasq(iptablesContext *ctx)
+iptablesRemoveNonBridgedMasq(iptablesContext *ctx,
+                             const char *target)
 {
-    return iptablesNonBridgedMasq(ctx, REMOVE);
+    return iptablesNonBridgedMasq(ctx, target, REMOVE);
 }
 
 /*
Index: qemud/iptables.h
===================================================================
RCS file: /data/cvs/libvirt/qemud/iptables.h,v
retrieving revision 1.1
diff -u -p -r1.1 iptables.h
--- qemud/iptables.h	14 Feb 2007 16:26:42 -0000	1.1
+++ qemud/iptables.h	13 Mar 2007 03:53:22 -0000
@@ -42,22 +42,30 @@ int              iptablesRemoveUdpInput 
                                                   int port);
 
 int              iptablesAddPhysdevForward       (iptablesContext *ctx,
-                                                  const char *iface);
+                                                  const char *iface,
+                                                  const char *target);
 int              iptablesRemovePhysdevForward    (iptablesContext *ctx,
-                                                  const char *iface);
+                                                  const char *iface,
+                                                  const char *target);
 
 int              iptablesAddInterfaceForward     (iptablesContext *ctx,
-                                                  const char *iface);
+                                                  const char *iface,
+                                                  const char *target);
 int              iptablesRemoveInterfaceForward  (iptablesContext *ctx,
-                                                  const char *iface);
+                                                  const char *iface,
+                                                  const char *target);
 
 int              iptablesAddStateForward         (iptablesContext *ctx,
-                                                  const char *iface);
+                                                  const char *iface,
+                                                  const char *target);
 int              iptablesRemoveStateForward      (iptablesContext *ctx,
-                                                  const char *iface);
+                                                  const char *iface,
+                                                  const char *target);
 
-int              iptablesAddNonBridgedMasq       (iptablesContext *ctx);
-int              iptablesRemoveNonBridgedMasq    (iptablesContext *ctx);
+int              iptablesAddNonBridgedMasq       (iptablesContext *ctx,
+                                                  const char *target);
+int              iptablesRemoveNonBridgedMasq    (iptablesContext *ctx,
+                                                  const char *target);
 
 #endif /* __QEMUD_IPTABLES_H__ */
 
Index: qemud/qemud.c
===================================================================
RCS file: /data/cvs/libvirt/qemud/qemud.c,v
retrieving revision 1.32
diff -u -p -r1.32 qemud.c
--- qemud/qemud.c	6 Mar 2007 16:51:48 -0000	1.32
+++ qemud/qemud.c	13 Mar 2007 03:53:23 -0000
@@ -1032,7 +1032,18 @@ static void
 qemudNetworkIfaceDisconnect(struct qemud_server *server,
                             struct qemud_vm *vm ATTRIBUTE_UNUSED,
                             struct qemud_vm_net_def *net) {
-    iptablesRemovePhysdevForward(server->iptables, net->dst.network.tapifname);
+    struct qemud_network *network;
+    if (net->type != QEMUD_NET_NETWORK)
+        return;
+
+    if (!(network = qemudFindNetworkByName(server, net->dst.network.name))) {
+        return;
+    } else if (network->bridge[0] == '\0') {
+        return;
+    }
+
+    if (network->def->forward)
+        iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname, network->def->forwardDev);
 }
 
 int qemudShutdownVMDaemon(struct qemud_server *server, struct qemud_vm *vm) {
@@ -1105,7 +1116,7 @@ qemudBuildDnsmasqArgv(struct qemud_serve
                       struct qemud_network *network,
                       char ***argv) {
     int i, len;
-    char buf[BR_INET_ADDR_MAXLEN * 2];
+    char buf[PATH_MAX];
     struct qemud_dhcp_range_def *range;
 
     len =
@@ -1114,8 +1125,8 @@ qemudBuildDnsmasqArgv(struct qemud_serve
         1 + /* --bind-interfaces */
         2 + /* --pid-file "" */
         2 + /* --conf-file "" */
+        2 + /* --interface virbr0 */
         2 + /* --except-interface lo */
-        2 + /* --listen-address 10.0.0.1 */
         (2 * network->def->nranges) + /* --dhcp-range 10.0.0.2,10.0.0.254 */
         1;  /* NULL */
 
@@ -1142,12 +1153,21 @@ qemudBuildDnsmasqArgv(struct qemud_serve
     APPEND_ARG(*argv, i++, "--conf-file");
     APPEND_ARG(*argv, i++, "");
 
-    APPEND_ARG(*argv, i++, "--except-interface");
-    APPEND_ARG(*argv, i++, "lo");
-
+    /*
+     * XXX does not actually work, due to some kind of
+     * race condition setting up ipv6 addresses on the
+     * interface. A sleep(10) makes it wor, but that's
+     * clearly not practical
+     *
+     * APPEND_ARG(*argv, i++, "--interface");
+     * APPEND_ARG(*argv, i++, network->def->bridge);
+     */
     APPEND_ARG(*argv, i++, "--listen-address");
     APPEND_ARG(*argv, i++, network->def->ipAddress);
 
+    APPEND_ARG(*argv, i++, "--except-interface");
+    APPEND_ARG(*argv, i++, "lo");
+
     range = network->def->ranges;
     while (range) {
         snprintf(buf, sizeof(buf), "%s,%s",
@@ -1211,7 +1231,7 @@ qemudAddIptablesRules(struct qemud_serve
     }
 
     /* allow bridging from the bridge interface itself */
-    if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge))) {
+    if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge, network->def->forwardDev))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                          "failed to add iptables rule to allow bridging from '%s' : %s\n",
                          network->bridge, strerror(err));
@@ -1219,7 +1239,7 @@ qemudAddIptablesRules(struct qemud_serve
     }
 
     /* allow forwarding packets from the bridge interface */
-    if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge))) {
+    if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                          "failed to add iptables rule to allow forwarding from '%s' : %s\n",
                          network->bridge, strerror(err));
@@ -1227,7 +1247,7 @@ qemudAddIptablesRules(struct qemud_serve
     }
 
     /* allow forwarding packets to the bridge interface if they are part of an existing connection */
-    if ((err = iptablesAddStateForward(server->iptables, network->bridge))) {
+    if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                          "failed to add iptables rule to allow forwarding to '%s' : %s\n",
                          network->bridge, strerror(err));
@@ -1235,7 +1255,7 @@ qemudAddIptablesRules(struct qemud_serve
     }
 
     /* enable masquerading */
-    if ((err = iptablesAddNonBridgedMasq(server->iptables))) {
+    if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                          "failed to add iptables rule to enable masquerading : %s\n",
                          strerror(err));
@@ -1281,13 +1301,13 @@ qemudAddIptablesRules(struct qemud_serve
  err6:
     iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
  err5:
-    iptablesRemoveNonBridgedMasq(server->iptables);
+    iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
  err4:
-    iptablesRemoveStateForward(server->iptables, network->bridge);
+    iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
  err3:
-    iptablesRemoveInterfaceForward(server->iptables, network->bridge);
+    iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
  err2:
-    iptablesRemovePhysdevForward(server->iptables, network->bridge);
+    iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
  err1:
     return 0;
 }
@@ -1295,14 +1315,16 @@ qemudAddIptablesRules(struct qemud_serve
 static void
 qemudRemoveIptablesRules(struct qemud_server *server,
                          struct qemud_network *network) {
-    iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
-    iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
-    iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
-    iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
-    iptablesRemoveNonBridgedMasq(server->iptables);
-    iptablesRemoveStateForward(server->iptables, network->bridge);
-    iptablesRemoveInterfaceForward(server->iptables, network->bridge);
-    iptablesRemovePhysdevForward(server->iptables, network->bridge);
+    if (network->def->forward) {
+        iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
+        iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
+        iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
+        iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
+        iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
+        iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
+        iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
+        iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
+    }
 }
 
 static int
@@ -1379,10 +1401,12 @@ int qemudStartNetworkDaemon(struct qemud
         goto err_delbr;
     }
 
-    if (!qemudAddIptablesRules(server, network))
+    if (network->def->forward &&
+        !qemudAddIptablesRules(server, network))
         goto err_delbr1;
 
-    if (!qemudEnableIpForwarding()) {
+    if (network->def->forward &&
+        !qemudEnableIpForwarding()) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                          "failed to enable IP forwarding : %s\n", strerror(err));
         goto err_delbr2;

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]