[libvirt] [PATCH] nwfilter: Support for learning a VM's IP address
Eric Blake
eblake at redhat.com
Wed Mar 31 18:28:09 UTC 2010
On 03/30/2010 11:56 AM, Stefan Berger wrote:
> Subject: Support for learning a VM's IP address
>
> This patch implements support for learning a VM's IP address. It uses
> the pcap library to listen on the VM's backend network interface (tap)
> or the physical ethernet device (macvtap) and tries to capture packets
> with source or destination MAC address of the VM and learn from DHCP
> Offers, ARP traffic, or first-sent IPv4 packet what the IP address of
> the VM's interface is. This then allows to instantiate the network
> traffic filtering rules without the user having to provide the IP
> parameter somewhere in the filter description or in the interface
> description as a parameter. This only supports to detect the parameter
> IP, which is for the assumed single IPv4 address of a VM. There is not
> support for interfaces that may have multiple IP addresses (IP
> aliasing) or IPv6 that may then require more than one valid IP address
> to be detected. A VM can have multiple independent interfaces that each
> uses a different IP address and in that case it will be attempted to
> detect each one of the address independently.
Sounds interesting.
>
> ---
> configure.ac | 39 ++
Should there also be an adjustment to the .rpm spec files, to mention
that we now might depend on libpcap (and building of all features
depends on libpcap-devel)?
> Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c
...
> +
> +#ifdef HAVE_LIBPCAP
> +#include <pcap.h>
> +#endif
Fails 'make syntax-check' if you install cppi (which is now part of Fedora).
> +
> +#include <fcntl.h>
> +#include <sys/ioctl.h>
> +
> +#include <arpa/inet.h>
> +#include <net/ethernet.h>
> +#include <netinet/ip.h>
> +#include <netinet/udp.h>
> +#include <net/if_arp.h>
> +#include <linux/if.h>
Can we guarantee that this header always exists, or should it be
conditionally included?
> +
> +
> +/* structure of an ARP request/reply message */
> +struct f_arphdr {
> + struct arphdr arphdr;
> + uint8_t ar_sha[ETH_ALEN];
> + uint32_t ar_sip;
> + uint8_t ar_tha[ETH_ALEN];
> + uint32_t ar_tip;
> +} __attribute__((packed));
This assumes GCC; do we ever intend to support other compilers?
> +/**
> + * virNWFilterLearnInit
> + * Initialization of this layer
> + */
> +int
> +virNWFilterLearnInit(void) {
> + pendingLearnReq = virHashCreate(0);
> + if (!pendingLearnReq) {
> + virReportOOMError();
> + return 1;
> + }
> +
> + if (virMutexInit(&pendingLearnReqLock)) {
> + virNWFilterLearnShutdown();
> + return 1;
> + }
Is this function leaking memory if it fails mid-way through? Or are you
requiring that the caller will call virNWFilterShutdown even if
virNWFilterLearnInit returns failure?
> Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
> ===================================================================
> --- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.c
> +++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
> @@ -24,6 +24,9 @@
> #include <config.h>
>
> #include <stdint.h>
> +#include <sys/socket.h>
> +#include <sys/ioctl.h>
> +#include <linux/if.h>
Another instance of using a non-portable header.
I've read through the patch, and didn't spot many glaring errors. I
have not tested it, though, and would rather defer to others to also
look through it before approving it, since it is rather large.
--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 323 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20100331/b410ee12/attachment-0001.sig>
More information about the libvir-list
mailing list