With hunks borrowed from one of David Steven's previous patches, we now
add the capability of having a 'mac' chain which is useful to filter
for multiple valid MAC addresses.

Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

---
 docs/schemas/nwfilter.rng                 |    3 +++
 src/conf/nwfilter_conf.c                  |    2 ++
 src/conf/nwfilter_conf.h                  |    2 ++
 src/nwfilter/nwfilter_ebiptables_driver.c |   22 ++++++++++++++++++++--
 4 files changed, 27 insertions(+), 2 deletions(-)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -188,6 +188,7 @@ enum l3_proto_idx {
     L3_PROTO_IPV6_IDX,
     L3_PROTO_ARP_IDX,
     L3_PROTO_RARP_IDX,
+    L2_PROTO_MAC_IDX,
     L2_PROTO_VLAN_IDX,
     L3_PROTO_LAST_IDX
 };
@@ -205,6 +206,7 @@ static const struct ushort_map l3_protoc
     USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP   , "arp"),
     USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"),
     USHORTMAP_ENTRY_IDX(L2_PROTO_VLAN_IDX, ETHERTYPE_VLAN  , "vlan"),
+    USHORTMAP_ENTRY_IDX(L2_PROTO_MAC_IDX,  0               , "mac"),
     USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0               , NULL),
 };
 
@@ -2806,11 +2808,25 @@ ebtablesCreateTmpSubChain(ebiptablesRule
     char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
     char chainPrefix = (incoming) ? CHAINPREFIX_HOST_IN_TEMP
                                   : CHAINPREFIX_HOST_OUT_TEMP;
+    char *protostr = NULL;
 
     PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
     PRINT_CHAIN(chain, chainPrefix, ifname,
                 (filtername) ? filtername : l3_protocols[protoidx].val);
 
+    switch (protoidx) {
+    case L2_PROTO_MAC_IDX:
+        break;
+    default:
+        virAsprintf(&protostr, "-p 0x%04x", l3_protocols[protoidx].attr);
+        break;
+    }
+
+    if (!protostr) {
+        virReportOOMError();
+        return -1;
+    }
+
     virBufferAsprintf(&buf,
                       CMD_DEF("%s -t %s -F %s") CMD_SEPARATOR
                       CMD_EXEC
@@ -2819,7 +2835,7 @@ ebtablesCreateTmpSubChain(ebiptablesRule
                       CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
                       CMD_EXEC
                       "%s"
-                      CMD_DEF("%s -t %s -%%c %s %%s -p 0x%x -j %s")
+                      CMD_DEF("%s -t %s -%%c %s %%s %s -j %s")
                           CMD_SEPARATOR
                       CMD_EXEC
                       "%s",
@@ -2831,10 +2847,12 @@ ebtablesCreateTmpSubChain(ebiptablesRule
                       CMD_STOPONERR(stopOnError),
 
                       ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
-                      rootchain, l3_protocols[protoidx].attr, chain,
+                      rootchain, protostr, chain,
 
                       CMD_STOPONERR(stopOnError));
 
+    VIR_FREE(protostr);
+
     if (virBufferError(&buf) ||
         VIR_EXPAND_N(tmp, count, 1) < 0) {
         virReportOOMError();
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -82,6 +82,7 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable, 
 
 VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
               "root",
+              "mac",
               "vlan",
               "arp",
               "rarp",
@@ -128,6 +129,7 @@ struct int_map {
 
 static const struct int_map chain_priorities[] = {
     INTMAP_ENTRY(NWFILTER_ROOT_FILTER_PRI, "root"),
+    INTMAP_ENTRY(NWFILTER_MAC_FILTER_PRI,  "mac"),
     INTMAP_ENTRY(NWFILTER_VLAN_FILTER_PRI, "vlan"),
     INTMAP_ENTRY(NWFILTER_IPV4_FILTER_PRI, "ipv4"),
     INTMAP_ENTRY(NWFILTER_IPV6_FILTER_PRI, "ipv6"),
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -378,6 +378,7 @@ enum virNWFilterEbtablesTableType {
 # define NWFILTER_MAX_FILTER_PRIORITY MAX_RULE_PRIORITY
 
 # define NWFILTER_ROOT_FILTER_PRI 0
+# define NWFILTER_MAC_FILTER_PRI  -800
 # define NWFILTER_VLAN_FILTER_PRI -750
 # define NWFILTER_IPV4_FILTER_PRI -700
 # define NWFILTER_IPV6_FILTER_PRI -600
@@ -456,6 +457,7 @@ struct _virNWFilterEntry {
 
 enum virNWFilterChainSuffixType {
     VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
+    VIR_NWFILTER_CHAINSUFFIX_MAC,
     VIR_NWFILTER_CHAINSUFFIX_VLAN,
     VIR_NWFILTER_CHAINSUFFIX_ARP,
     VIR_NWFILTER_CHAINSUFFIX_RARP,
Index: libvirt-acl/docs/schemas/nwfilter.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -297,6 +297,9 @@
         <choice>
           <value>root</value>
           <data type="string">
+            <param name="pattern">mac[a-zA-Z0-9_\.:-]{0,9}</param>
+          </data>
+          <data type="string">
             <param name="pattern">vlan[a-zA-Z0-9_\.:-]{0,8}</param>
           </data>
           <data type="string">