[libvirt] [PATCH v2] Add support for network filter code in LXC driver
Stefan Berger
stefanb at linux.vnet.ibm.com
Tue Jun 14 18:50:44 UTC 2011
On 06/14/2011 10:46 AM, Daniel P. Berrange wrote:
> The LXC driver networking uses veth device pairs. These can
> be easily hooked into the network filtering code.
>
> * src/lxc/lxc_driver.c: Add calls to setup/teardown nwfilter
>
> New in v2:
>
> - Add missing hooks for automatic rebuild of filters for
> online guests
>
> ---
> src/lxc/lxc_driver.c | 40 ++++++++++++++++++++++++++++++++++++++--
> 1 files changed, 38 insertions(+), 2 deletions(-)
>
> diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
> index 9ef75f5..e8ad3f0 100644
> --- a/src/lxc/lxc_driver.c
> +++ b/src/lxc/lxc_driver.c
> @@ -52,7 +52,7 @@
> #include "hooks.h"
> #include "files.h"
> #include "fdstream.h"
> -
> +#include "domain_nwfilter.h"
>
> #define VIR_FROM_THIS VIR_FROM_LXC
>
> @@ -1027,6 +1027,8 @@ static void lxcVmCleanup(lxc_driver_t *driver,
> vethDelete(vm->def->nets[i]->ifname);
> }
>
> + virDomainConfVMNWFilterTeardown(vm);
> +
> if (driver->cgroup&&
> virCgroupForDomain(driver->cgroup, vm->def->name,&cgroup, 0) == 0) {
> virCgroupRemove(cgroup);
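Review bot: The new virDomainConfVMNWFilterTeardown(vm) call in lxcVmCleanup sits after the vethDelete() loop with no comment explaining the order, and the `cleanup:` hunk further down uses the same sequence. If the order is deliberate, a one-line comment such as `/* veth devices are gone; now drop the nwfilter rules instantiated for them */` would record that the rules are removed only once the interfaces can no longer carry traffic. lxcVmCleanup's body starts and ends outside the hunk, so whether anything earlier in the function depends on the filters still being present cannot be confirmed from here.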
> @@ -1146,6 +1148,10 @@ static int lxcSetupInterfaces(virConnectPtr conn,
>
> if (vethInterfaceUpOrDown(parentVeth, 1)< 0)
> goto error_exit;
> +
> + if (def->nets[i]->filter&&
> + virDomainConfNWFilterInstantiate(conn, def->nets[i])< 0)
> + goto error_exit;
> }
>
> rc = 0;
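Review bot: In lxcSetupInterfaces the added virDomainConfNWFilterInstantiate() call runs after vethInterfaceUpOrDown(parentVeth, 1), so the host-side veth is brought up before its filter rules exist. If traffic can reach the device at that point, there is a short window in which the interface is up and unfiltered. Moving the `if (def->nets[i]->filter && ...)` check above the vethInterfaceUpOrDown() call would close that window. The error_exit label is outside the hunk, so filters already instantiated for earlier interfaces appear to depend on the caller's `rc != 0` path for teardown; a comment stating that dependency would help the next reader.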
> @@ -1642,8 +1648,10 @@ cleanup:
> vethDelete(veths[i]);
> VIR_FREE(veths[i]);
> }
> - if (rc != 0)
> + if (rc != 0) {
> VIR_FORCE_CLOSE(priv->monitor);
> + virDomainConfVMNWFilterTeardown(vm);
> + }
> VIR_FORCE_CLOSE(parentTty);
> VIR_FORCE_CLOSE(handshakefds[0]);
> VIR_FORCE_CLOSE(handshakefds[1]);
> @@ -2842,6 +2850,33 @@ cleanup:
> return ret;
> }
>
> +static int
> +lxcVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
> + virHashIterator iter, void *data)
> +{
> + virHashForEach(lxc_driver->domains.objs, iter, data);
> +
> + return 0;
> +}
> +
> +static void
> +lxcVMDriverLock(void)
> +{
> + lxcDriverLock(lxc_driver);
> +}
> +
> +static void
> +lxcVMDriverUnlock(void)
> +{
> + lxcDriverUnlock(lxc_driver);
> +}
> +
> +static virNWFilterCallbackDriver lxcCallbackDriver = {
> + .name = "LXC",
> + .vmFilterRebuild = lxcVMFilterRebuild,
> + .vmDriverLock = lxcVMDriverLock,
> + .vmDriverUnlock = lxcVMDriverUnlock,
> +};
>
> /* Function Tables */
> static virDriver lxcDriver = {
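Review bot: lxcVMFilterRebuild(), lxcVMDriverLock() and lxcVMDriverUnlock() dereference the global lxc_driver without checking it, while the last hunk registers lxcCallbackDriver unconditionally in lxcRegister(). If lxc_driver can still be NULL after registration (for example when state-driver startup has not run or declined to initialise, which is not visible here), an nwfilter rebuild triggered by another driver would crash the daemon. Either guard each callback with something like `if (!lxc_driver) return 0;` (plain `return;` in the two void functions), or register the callbacks from the code that allocates lxc_driver. lxcVMFilterRebuild also discards the result of virHashForEach() and always returns 0; if that call can report failure, propagate it.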
> @@ -2911,5 +2946,6 @@ int lxcRegister(void)
> {
> virRegisterDriver(&lxcDriver);
> virRegisterStateDriver(&lxcStateDriver);
> + virNWFilterRegisterCallbackDriver(&lxcCallbackDriver);
> return 0;
> }
ACK.
Looks good. Unfortunately I cannot test it since I don't have LXC on any
of my machines...
Stefan