[libvirt] [PATCH v2] Add support for network filter code in LXC driver

Stefan Berger stefanb at linux.vnet.ibm.com
Tue Jun 14 18:50:44 UTC 2011


On 06/14/2011 10:46 AM, Daniel P. Berrange wrote:
> The LXC driver networking uses veth device pairs. These can
> be easily hooked into the network filtering code.
>
> * src/lxc/lxc_driver.c: Add calls to setup/teardown nwfilter
>
> New in v2:
>
>   - Add missing hooks for automatic rebuild of filters for
>     online guests
>
> ---
>   src/lxc/lxc_driver.c |   40 ++++++++++++++++++++++++++++++++++++++--
>   1 files changed, 38 insertions(+), 2 deletions(-)
>
> diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
> index 9ef75f5..e8ad3f0 100644
> --- a/src/lxc/lxc_driver.c
> +++ b/src/lxc/lxc_driver.c
> @@ -52,7 +52,7 @@
>   #include "hooks.h"
>   #include "files.h"
>   #include "fdstream.h"
> -
> +#include "domain_nwfilter.h"
>
>   #define VIR_FROM_THIS VIR_FROM_LXC
>
> @@ -1027,6 +1027,8 @@ static void lxcVmCleanup(lxc_driver_t *driver,
>           vethDelete(vm->def->nets[i]->ifname);
>       }
>
> +    virDomainConfVMNWFilterTeardown(vm);
> +
>       if (driver->cgroup&&
>           virCgroupForDomain(driver->cgroup, vm->def->name,&cgroup, 0) == 0) {
>           virCgroupRemove(cgroup);
> @@ -1146,6 +1148,10 @@ static int lxcSetupInterfaces(virConnectPtr conn,
>
>           if (vethInterfaceUpOrDown(parentVeth, 1)<  0)
>               goto error_exit;
> +
> +        if (def->nets[i]->filter&&
> +            virDomainConfNWFilterInstantiate(conn, def->nets[i])<  0)
> +            goto error_exit;
>       }
>
>       rc = 0;
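Review bot: In lxcSetupInterfaces the host-side veth is brought up with `vethInterfaceUpOrDown(parentVeth, 1)` before `virDomainConfNWFilterInstantiate()` installs the rules, so for a short window the interface is up without its filter. Moving the `if (def->nets[i]->filter && virDomainConfNWFilterInstantiate(conn, def->nets[i]) < 0) goto error_exit;` check above the `vethInterfaceUpOrDown` call would make the setup fail closed. How much traffic can pass in that window depends on when the container end is handed to the guest, which happens outside this hunk, as does the rest of the function body. On `error_exit`, filters already instantiated for earlier interfaces appear to rely on the `virDomainConfVMNWFilterTeardown(vm)` added in the `cleanup:` hunk at -1642; a one-line comment such as `/* filters are torn down by the caller's cleanup path */` would make that dependency explicit.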
> @@ -1642,8 +1648,10 @@ cleanup:
>               vethDelete(veths[i]);
>           VIR_FREE(veths[i]);
>       }
> -    if (rc != 0)
> +    if (rc != 0) {
>           VIR_FORCE_CLOSE(priv->monitor);
> +        virDomainConfVMNWFilterTeardown(vm);
> +    }
>       VIR_FORCE_CLOSE(parentTty);
>       VIR_FORCE_CLOSE(handshakefds[0]);
>       VIR_FORCE_CLOSE(handshakefds[1]);
> @@ -2842,6 +2850,33 @@ cleanup:
>       return ret;
>   }
>
> +static int
> +lxcVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
> +                   virHashIterator iter, void *data)
> +{
> +    virHashForEach(lxc_driver->domains.objs, iter, data);
> +
> +    return 0;
> +}
> +
> +static void
> +lxcVMDriverLock(void)
> +{
> +    lxcDriverLock(lxc_driver);
> +}
> +
> +static void
> +lxcVMDriverUnlock(void)
> +{
> +    lxcDriverUnlock(lxc_driver);
> +}
> +
> +static virNWFilterCallbackDriver lxcCallbackDriver = {
> +    .name = "LXC",
> +    .vmFilterRebuild = lxcVMFilterRebuild,
> +    .vmDriverLock = lxcVMDriverLock,
> +    .vmDriverUnlock = lxcVMDriverUnlock,
> +};
>
>   /* Function Tables */
>   static virDriver lxcDriver = {
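Review bot: `lxcVMFilterRebuild`, `lxcVMDriverLock` and `lxcVMDriverUnlock` dereference the global `lxc_driver` without checking it, while the `lxcRegister` hunk at -2911 registers `lxcCallbackDriver` unconditionally. If `lxc_driver` can still be NULL when the nwfilter code invokes these callbacks (for example when LXC state startup did not complete; the initialisation is not visible in this patch), a filter update would crash the daemon. Either guard each callback with `if (!lxc_driver) return;` (`return 0;` in the rebuild), or register the callback driver only once `lxc_driver` is set up and unregister it at shutdown. `lxcVMFilterRebuild` also discards the result of `virHashForEach` and always returns 0; a comment stating that this is intended would help the next reader.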
> @@ -2911,5 +2946,6 @@ int lxcRegister(void)
>   {
>       virRegisterDriver(&lxcDriver);
>       virRegisterStateDriver(&lxcStateDriver);
> +    virNWFilterRegisterCallbackDriver(&lxcCallbackDriver);
>       return 0;
>   }
ACK.

Looks good. Unfortunately I cannot test it since I don't have LXC on any 
of my machines...

    Stefan



