<tt><font size=2>"Daniel P. Berrange" <berrange@redhat.com>
wrote on 06/07/2011 09:36:22 AM:<br>
<br>
</font></tt>
<br><tt><font size=2>> <br>
> The LXC driver networking uses veth device pairs. These can<br>
> be easily hooked into the network filtering code.<br>
> <br>
> * src/lxc/lxc_driver.c: Add calls to setup/teardown nwfilter<br>
> ---<br>
> src/lxc/lxc_driver.c | 12 ++++++++++--<br>
> 1 files changed, 10 insertions(+), 2 deletions(-)<br>
> <br>
> diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c<br>
> index 8eb87a2..4d14466 100644<br>
> --- a/src/lxc/lxc_driver.c<br>
> +++ b/src/lxc/lxc_driver.c<br>
> @@ -52,7 +52,7 @@<br>
> #include "hooks.h"<br>
> #include "files.h"<br>
> #include "fdstream.h"<br>
> -<br>
> +#include "domain_nwfilter.h"<br>
> <br>
> #define VIR_FROM_THIS VIR_FROM_LXC<br>
> <br>
> @@ -1027,6 +1027,8 @@ static void lxcVmCleanup(lxc_driver_t *driver,<br>
> vethDelete(vm->def->nets[i]->ifname);<br>
> }<br>
> <br>
> + virDomainConfVMNWFilterTeardown(vm);<br>
> +<br>
> if (driver->cgroup &&<br>
> virCgroupForDomain(driver->cgroup,
vm->def->name, &cgroup, 0) == 0) {<br>
> virCgroupRemove(cgroup);<br>
> @@ -1146,6 +1148,10 @@ static int lxcSetupInterfaces(virConnectPtr
conn,<br>
> <br>
> if (vethInterfaceUpOrDown(parentVeth,
1) < 0)<br>
> goto error_exit;<br>
> +<br>
> + if (def->nets[i]->filter &&<br>
> + virDomainConfNWFilterInstantiate(conn,
def->nets[i]) < 0)<br>
> + goto error_exit;<br>
> }<br>
> <br>
> rc = 0;<br>
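Review bot: The filter is instantiated only after `vethInterfaceUpOrDown(parentVeth, 1)` has already brought the host-side veth up, so the new `if (def->nets[i]->filter && virDomainConfNWFilterInstantiate(conn, def->nets[i]) < 0)` block leaves a window in which the interface is up with no filter rules bound to it. If the nwfilter backend can bind to an interface that is still down, moving the instantiate call before the ifup closes that window; otherwise the ordering should at least be documented with a comment such as `/* filter is attached after ifup: unfiltered until instantiate returns */`. The rest of lxcSetupInterfaces, including error_exit, lies outside the hunk, so whether filters already instantiated for earlier nets are torn down when a later net fails cannot be seen here; the fourth hunk's teardown on `rc != 0` appears to cover that only if it runs in the caller of this function.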
> @@ -1538,8 +1544,10 @@ cleanup:<br>
> vethDelete(veths[i]);<br>
> VIR_FREE(veths[i]);<br>
> }<br>
> - if (rc != 0)<br>
> + if (rc != 0) {<br>
> VIR_FORCE_CLOSE(priv->monitor);<br>
> + virDomainConfVMNWFilterTeardown(vm);<br>
> + }<br>
> VIR_FORCE_CLOSE(parentTty);<br>
> VIR_FREE(logfile);<br>
> return rc;<br>
> -- <br>
> 1.7.4.4<br>
> <br>
</font></tt>
<br><tt><font size=2>I would have thought a bit more code would be necessary,
especially to support the live filter updates. At least something along
the lines of what the UML support does:</font></tt>
<br>
<br>
<br><tt><font size=2>[...]</font></tt>
<br>
<br><tt><font size=2>/* nwfilter "rebuild" callback: apply iter/data to every UML domain object.</font></tt>
<br><tt><font size=2> * conn is required by the callback signature but is not used here. */</font></tt>
<br><tt><font size=2>static int</font></tt>
<br><tt><font size=2>umlVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,</font></tt>
<br><tt><font size=2>                   virHashIterator iter, void *data)</font></tt>
<br><tt><font size=2>{</font></tt>
<br><tt><font size=2>    /* The walk's own result is not propagated; the callback always reports 0. */</font></tt>
<br><tt><font size=2>    virHashForEach(uml_driver->domains.objs, iter, data);</font></tt>
<br><tt><font size=2>    return 0;</font></tt>
<br><tt><font size=2>}</font></tt>
<br>
<br><tt><font size=2>[...]</font></tt>
<br>
<br><tt><font size=2>/* Lock hook handed to the nwfilter layer: takes the UML driver lock so the</font></tt>
<br><tt><font size=2> * domain table is stable while filters are rebuilt. */</font></tt>
<br><tt><font size=2>static void umlVMDriverLock(void) { umlDriverLock(uml_driver); }</font></tt>
<br><tt><font size=2> </font></tt>
<br><tt><font size=2>/* Unlock hook paired with umlVMDriverLock: releases the UML driver lock. */</font></tt>
<br><tt><font size=2>static void umlVMDriverUnlock(void) { umlDriverUnlock(uml_driver); }</font></tt>
<br>
<br><tt><font size=2>/* Callback table registered with the nwfilter subsystem so that filter</font></tt>
<br><tt><font size=2> * changes can be pushed to running UML domains under the driver lock. */</font></tt>
<br><tt><font size=2>static virNWFilterCallbackDriver umlCallbackDriver = {</font></tt>
<br><tt><font size=2>    .vmDriverLock    = umlVMDriverLock,   /* held around the rebuild walk */</font></tt>
<br><tt><font size=2>    .vmDriverUnlock  = umlVMDriverUnlock,</font></tt>
<br><tt><font size=2>    .vmFilterRebuild = umlVMFilterRebuild, /* walks uml_driver->domains.objs */</font></tt>
<br><tt><font size=2>    .name            = "UML",</font></tt>
<br><tt><font size=2>};</font></tt>
<br><tt><font size=2> </font></tt>
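<br><tt><font size=2>/* Driver entry point: registers the UML hypervisor driver, its state driver,</font></tt>
<br><tt><font size=2> * and the nwfilter callback driver.  Returns 0 on success, -1 when a libvirt</font></tt>
<br><tt><font size=2> * registration call fails (the original ignored those results and always</font></tt>
<br><tt><font size=2> * returned 0). */</font></tt>
<br><tt><font size=2>int umlRegister(void) {</font></tt>
<br><tt><font size=2>    /* Stop at the first failing registration rather than report a</font></tt>
<br><tt><font size=2>     * half-registered driver set as success. */</font></tt>
<br><tt><font size=2>    if (virRegisterDriver(&amp;umlDriver) &lt; 0)</font></tt>
<br><tt><font size=2>        return -1;</font></tt>
<br><tt><font size=2>    if (virRegisterStateDriver(&amp;umlStateDriver) &lt; 0)</font></tt>
<br><tt><font size=2>        return -1;</font></tt>
<br><tt><font size=2>    /* NOTE(review): assumed to have no failure return, so left unchecked -- confirm. */</font></tt>
<br><tt><font size=2>    virNWFilterRegisterCallbackDriver(&amp;umlCallbackDriver);</font></tt>
<br><tt><font size=2>    return 0;</font></tt>
<br><tt><font size=2>}</font></tt>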
<br><tt><font size=2> </font></tt>
<br>
<br><tt><font size=2>Regards,</font></tt>
<br><tt><font size=2> Stefan</font></tt>
<br>