[libvirt] [PATCH 2/2] add MAC address based port filtering to qemu

Daniel P. Berrange berrange at redhat.com
Wed Nov 4 12:55:59 UTC 2009


On Tue, Nov 03, 2009 at 11:50:52PM +0100, Daniel Veillard wrote:
> On Tue, Oct 27, 2009 at 12:36:14PM +0100, Gerhard Stenzel wrote:
> > This patch adds MAC address based port filtering to the qemu driver.
> > 
> > Signed-off-by: Gerhard Stenzel <gerhard.stenzel at de.ibm.com>
> [...]
> > +networkAddEbtablesRules(struct qemud_driver *driver) {
> > +    int err;
> > +
> > +    /* Set forward policy to DROP */
> > +    if ((err = ebtablesAddForwardPolicyReject(driver->ebtables))) {
> > +        virReportSystemError(NULL, err,
> > +                             _("failed to add ebtables rule to set default policy to drop on '%s'"),
> > +                             __FILE__);
> > +        return err;
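Review bot: the '%s' in this error message is filled with `__FILE__`, so an admin reading the log sees a source file name where the ebtables context or bridge being configured would actually help; pass the context name (the driver creates it as "qemu") or drop the '%s'. Also the comment says the policy is set to DROP while the helper is called ebtablesAddForwardPolicyReject; rename one of the two so it is clear whether non-matching frames are silently dropped or rejected.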
> 
>  I changed the indentation a bit to fit into 80 columns
> [...]
> > @@ -318,6 +319,22 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
> >           }
> >       }
> >  
> > +    p = virConfGetValue (conf, "mac_filter");
> > +    CHECK_TYPE ("mac_filter", VIR_CONF_LONG);
> > +    if (p) {
> > +        driver->macFilter = p->l;
> > +        if (!(driver->ebtables = ebtablesContextNew("qemu"))) {
> > +            driver->macFilter = 0;
> > +            virReportSystemError(NULL, errno,
> > +                                 _("failed to enable mac filter in in '%s'"), __FILE__);
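Review bot: the ebtables context is created whenever `mac_filter` is present in the config file, not only when it is non-zero: `if (p) { driver->macFilter = p->l; if (!(driver->ebtables = ebtablesContextNew("qemu")))` runs, and reports "failed to enable mac filter", even for `mac_filter = 0`. Guard the context creation with `if (p && p->l)` (or test driver->macFilter after the assignment) so an explicitly disabled filter neither allocates the context nor logs an error. Two smaller points in the message: "in in" is doubled, and '%s' again receives `__FILE__` rather than something meaningful to the admin.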
> 
>   same in a couple of place in that module too
> 
> > @@ -2176,6 +2177,21 @@ static void qemudShutdownVMDaemon(virConnectPtr conn,
> >  
> >      VIR_DEBUG(_("Shutting down VM '%s'\n"), vm->def->name);
> >  
> > +    if (driver->macFilter) {
> > +        int i;
> > +        virDomainDefPtr def = vm->def;
> > +        for (i = 0 ; i < def->nnets ; i++) {
> > +            virDomainNetDefPtr net = def->nets[i];
> > +            if (net->ifname == NULL)
> > +                continue;
> > +            if ((errno = networkDisallowMacOnPort(conn, driver, net->ifname, net->mac))) {
> > +                virReportSystemError(conn, errno,
> > +                                     _("failed to remove ebtables rule to allow MAC address on  '%s'"),
> > +                                     net->ifname);
> > +            }
> > +        }
> > +    }
> > +
> >      if (virKillProcess(vm->pid, 0) == 0 &&
> >          virKillProcess(vm->pid, SIGTERM) < 0)
> >          virReportSystemError(conn, errno,
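Review bot: `if ((errno = networkDisallowMacOnPort(conn, driver, net->ifname, net->mac)))` stores the helper's return code in errno and then hands errno to virReportSystemError; use a local `int err` as the add side does, so the value cannot be clobbered by a libc call before it is reported and the return code is not silently assumed to be an errno. The message string also has a doubled space in "on  '%s'".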
> 
>   again a bit of formatting but nothing to add otherwise.
> 
> I have applied this patch too and I pushed both, thanks !
> 
>   We just need to look at the spec file dependency (should be added I
> think) and clear up potential issues in saving :-)

Mark pointed out to me off-list that this filtering is a little too
restrictive because it also blocks multicast + broadcast packets. We
can fix that easily enough with an extra patch though, and a single
catch-all rule for multicast/broadcast packets.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
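As an added illustration, not libvirt code and not the exact ebtables rules the patch generates (the quoted hunks do not show them): a small per-port model of MAC pinning with a default-drop policy. It reproduces the side effect Daniel describes, broadcast and multicast frames towards a pinned port being dropped because their destination is a group address rather than the guest's MAC, and shows how one catch-all for group destinations restores them while the source check on the guest's own port stays intact. The port names, MAC addresses and frames are constructed for the example; the `is_group_address` test is the same I/G-bit check an ebtables `-d Multicast` match performs.

```python
"""Model of per-port MAC filtering with a default-drop policy.

Added example, not libvirt code: it models the behaviour discussed in the
thread (one guest MAC pinned per tap port, everything else dropped, with
broadcast and multicast lost as a side effect) and the proposed single
catch-all rule.  Port names, MAC addresses and frames are constructed.
"""
from dataclasses import dataclass, field


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast destination MACs.

    IEEE 802 sets the I/G bit (least significant bit of the first octet)
    for group addresses; ff:ff:ff:ff:ff:ff is just the all-ones case.
    This is the test behind an ebtables '-d Multicast' match.
    """
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass(frozen=True)
class Frame:
    in_port: str
    out_port: str
    src: str
    dst: str


@dataclass
class PortFilter:
    """One MAC pinned per port; frames touching a pinned port default to DROP."""
    pinned: dict = field(default_factory=dict)   # port name -> allowed MAC
    allow_group_dst: bool = False                 # the proposed catch-all rule
    log: list = field(default_factory=list)

    def allow_mac_on_port(self, port: str, mac: str) -> None:
        self.pinned[port] = mac.lower()

    def disallow_mac_on_port(self, port: str) -> None:
        # the shutdown path does this for every interface of the domain
        self.pinned.pop(port, None)

    def verdict(self, f: Frame) -> str:
        # ingress: a frame entering a pinned port must carry the pinned source MAC
        mac_in = self.pinned.get(f.in_port)
        if mac_in is not None and f.src.lower() != mac_in:
            self.log.append(f"DROP spoofed src {f.src} on {f.in_port}")
            return "DROP"
        # egress: a frame leaving towards a pinned port must be addressed to that MAC
        mac_out = self.pinned.get(f.out_port)
        if mac_out is not None and f.dst.lower() != mac_out:
            if self.allow_group_dst and is_group_address(f.dst):
                return "ACCEPT"  # catch-all: broadcast/multicast may reach the guest
            self.log.append(f"DROP dst {f.dst} not pinned on {f.out_port}")
            return "DROP"
        return "ACCEPT"


def demo(allow_group_dst: bool) -> dict:
    """Run constructed frames through the filter; returns label -> verdict."""
    flt = PortFilter(allow_group_dst=allow_group_dst)
    flt.allow_mac_on_port("vnet0", "52:54:00:aa:bb:01")   # constructed guest MACs
    flt.allow_mac_on_port("vnet1", "52:54:00:aa:bb:02")
    frames = {
        "guest0 -> guest1 unicast":
            Frame("vnet0", "vnet1", "52:54:00:aa:bb:01", "52:54:00:aa:bb:02"),
        "guest0 spoofed source":
            Frame("vnet0", "vnet1", "52:54:00:de:ad:00", "52:54:00:aa:bb:02"),
        "arp request to guest1 (broadcast)":
            Frame("vnet0", "vnet1", "52:54:00:aa:bb:01", "ff:ff:ff:ff:ff:ff"),
        "ipv6 nd to guest1 (multicast)":
            Frame("vnet0", "vnet1", "52:54:00:aa:bb:01", "33:33:ff:aa:bb:02"),
    }
    return {label: flt.verdict(f) for label, f in frames.items()}


if __name__ == "__main__":
    for label, v in demo(False).items():
        print(f"without catch-all: {label}: {v}")
    for label, v in demo(True).items():
        print(f"with catch-all:    {label}: {v}")
```

The catch-all only relaxes the destination check; the source check on the guest's own port is evaluated first, so a guest cannot use a broadcast destination to get a forged source address past the filter.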
