[libvirt] [PATCH 0/13] [RFC] Network filtering (ACL) extensions for libvirt
Daniel P. Berrange
berrange at redhat.com
Wed Mar 17 15:00:26 UTC 2010
On Wed, Mar 17, 2010 at 10:53:37AM -0400, Stefan Berger wrote:
> "Daniel P. Berrange" <berrange at redhat.com> wrote on 03/17/2010 10:40:36
> AM:
>
>
> >
> > On Thu, Mar 11, 2010 at 08:06:04AM -0500, Stefan Berger wrote:
> > > Hi!
> > >
> > > The following set of patches add network filtering (ACL) extensions to
> > > libvirt and enable network traffic filtering for VMs using ebtables
> and,
> > > depending on the networking technology being used (tap, but not
> > > macvtap), also iptables. Usage of either is optional and controlled
> > > through filters that a VM is referencing.
> > >
> > > The ebtables-level filtering is based on the XML derived from the CIM
> > > network slide 10 (filtering) from the DMTF website
> > > (http://www.dmtf.org/standards/cim/cim_schema_v2230/CIM_Network.pdf).
> > > The XML we derived from this was discussed on the list before. On the
> > > ebtables level we currently handle filtering of IPv4 and ARP traffic.
> >
> > It is planned to cover IPv6 too, either at ebtables or ip6tables
> > level ?
>
> Well, the code should be able to handle it and we at least thought about
> it. I am not an IPv6 expert myself ... currently ... yet. :-)
>
> >
> >
> > I've not looked at the actual code in detail yet, but the public API,
> > virsh commands, XML etc all looks generally good to me. I'll try and
> > get you a detailed code review friday/monday once I get through my
> > current work items.
>
> Let me post another series later today with the fixes that I have made
> following your reviews and changes I did make myself.
>
> >
> > > One comment about the instantiation of the rules: Since the XML allows
> > > to create nearly any possible combination of parameters to ebtables or
> > > iptables commands, I haven't used the ebtables or iptables wrappers.
> > > Instead, I am writing ebtables/iptables command into a buffer, add
> > > command line options to each one of them as described in the rule's
> XML,
> > > write the buffer into a file and run it as a script. For those
> commands
> > > that are not allowed to fail I am using the following format to run
> > > them:
> > >
> > > cmd="ebtables <some options>"
> > > r=`${cmd}`
> > > if [ $? -ne 0 ]; then
> > > echo "Failure in command ${cmd}."
> > > exit 1
> > > fi
> > >
> > > cmd="..."
> > > [...]
> > >
> > > If one of the command fails in such a batch, the libvirt code is going
> > > pick up the error code '1', tear down anything previously established
> > > and report an error back. The actual error message shown above is
> > > currently not reported back, but can be later on with some changes to
> > > the commands running external programs that need to read the script's
> > > stdout.
> >
> > I understand why you can't use the ebtables/iptables APIs we currently
> > have there, but I'm not much of a fan of using the shell script. Isn't
> > it just as easy to directly call virRun() with each set of ARGV to be
> > exec'd ?
>
> I hadn't thought about calling that function... I would want to call a
> function that can handle something like bash scripts, i.e., multiple
> concatenated fragments as those shown above just to be more 'efficient'.
Is it really more efficient ? If you need to run 20 ebtables commands,
then using bash does 1 fork/exec for bash & bash then does another 20
fork/exec for ebtables.
Alternatively just use virRun() for each ebtables command you just still
have 20 fork/execs, without using bash.
> If virRun() can handle that and $? for example would be treated there as
> the return value (which I think is bash-dependent), I'd be happy to call
> it as well.
I'd think just call virRun once for each ebtables command - virRun gives
you back the exit status of the command
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
More information about the libvir-list
mailing list