[libvirt] [PATCH] nwfilter: Add ARP src/dst IP mask for ebtables ARP

Stefan Berger stefanb at us.ibm.com
Wed Mar 12 11:10:30 UTC 2014


From: Stefan Berger <stefanb at linux.vnet.ibm.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=862887

Add a netmask for the source and destination IP address for the
ebtables --arp-ip-src and --arp-ip-dst options. Extend the XML
parser with support for XML attributes for these netmasks similar
to already supported netmasks. Extend the documentation.

Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
---
 docs/formatnwfilter.html.in               | 10 ++++++++++
 src/conf/nwfilter_conf.c                  | 12 ++++++++++++
 src/conf/nwfilter_conf.h                  |  2 ++
 src/nwfilter/nwfilter_ebiptables_driver.c | 28 ++++++++++++++++++++++++----
 4 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 5c06bf2..fb3a326 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -990,11 +990,21 @@
          <td>Source IP address in ARP/RARP packet</td>
        </tr>
        <tr>
+         <td>arpsrcipmask <span class="since">(Since 1.2.3)</span></td>
+         <td>IP_MASK</td>
+         <td>Source IP mask</td>
+       </tr>
+       <tr>
          <td>arpdstipaddr</td>
          <td>IP_ADDR</td>
          <td>Destination IP address in ARP/RARP packet</td>
        </tr>
        <tr>
+         <td>arpdstipmask <span class="since">(Since 1.2.3)</span></td>
+         <td>IP_MASK</td>
+         <td>Destination IP mask</td>
+       </tr>
+       <tr>
          <td>comment <span class="since">(Since 0.8.5)</span></td>
          <td>STRING</td>
          <td>text with max. 256 characters</td>
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index d25e0cc..73e668f 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -173,7 +173,9 @@ static const char dstmacmask_str[]    = "dstmacmask";
 static const char arpsrcmacaddr_str[] = "arpsrcmacaddr";
 static const char arpdstmacaddr_str[] = "arpdstmacaddr";
 static const char arpsrcipaddr_str[]  = "arpsrcipaddr";
+static const char arpsrcipmask_str[]  = "arpsrcipmask";
 static const char arpdstipaddr_str[]  = "arpdstipaddr";
+static const char arpdstipmask_str[]  = "arpdstipmask";
 static const char srcipaddr_str[]     = "srcipaddr";
 static const char srcipmask_str[]     = "srcipmask";
 static const char dstipaddr_str[]     = "dstipaddr";
@@ -198,7 +200,9 @@ static const char ipsetflags_str[]    = "ipsetflags";
 #define ARPSRCMACADDR arpsrcmacaddr_str
 #define ARPDSTMACADDR arpdstmacaddr_str
 #define ARPSRCIPADDR  arpsrcipaddr_str
+#define ARPSRCIPMASK  arpsrcipmask_str
 #define ARPDSTIPADDR  arpdstipaddr_str
+#define ARPDSTIPMASK  arpdstipmask_str
 #define SRCIPADDR     srcipaddr_str
 #define SRCIPMASK     srcipmask_str
 #define DSTIPADDR     dstipaddr_str
@@ -1302,10 +1306,18 @@ static const virXMLAttr2Struct arpAttributes[] = {
         .datatype = DATATYPE_IPADDR,
         .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPAddr),
     }, {
+        .name = ARPSRCIPMASK,
+        .datatype = DATATYPE_IPMASK,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPMask),
+    }, {
         .name = ARPDSTIPADDR,
         .datatype = DATATYPE_IPADDR,
         .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPAddr),
     }, {
+        .name = ARPDSTIPMASK,
+        .datatype = DATATYPE_IPMASK,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPMask),
+    }, {
         .name = "gratuitous",
         .datatype = DATATYPE_BOOLEAN,
         .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataGratuitousARP),
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 8c59330..071343e 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -209,8 +209,10 @@ struct _arpHdrFilterDef {
     nwItemDesc dataOpcode;
     nwItemDesc dataARPSrcMACAddr;
     nwItemDesc dataARPSrcIPAddr;
+    nwItemDesc dataARPSrcIPMask;
     nwItemDesc dataARPDstMACAddr;
     nwItemDesc dataARPDstIPAddr;
+    nwItemDesc dataARPDstIPMask;
     nwItemDesc dataGratuitousARP;
     nwItemDesc dataComment;
 };
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index bea9535..a4b38e7 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2059,6 +2059,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
 {
     char macaddr[VIR_MAC_STRING_BUFLEN],
          ipaddr[INET_ADDRSTRLEN],
+         ipmask[INET_ADDRSTRLEN],
          ipv6addr[INET6_ADDRSTRLEN],
          number[MAX(INT_BUFSIZE_BOUND(uint32_t),
                     INT_BUFSIZE_BOUND(int))],
@@ -2066,6 +2067,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
     char chain[MAX_CHAINNAME_LENGTH];
     virBuffer buf = VIR_BUFFER_INITIALIZER;
     const char *target;
+    bool hasMask;
 
     if (!ebtables_cmd_path) {
         virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
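Review bot: `hasMask` is declared here without an initializer but is read unconditionally in the `hasMask ? ipmask : "32"` argument of both later hunks in this file (the `--arp-ip-src` and `--arp-ip-dst` formatting), so a rule that sets an ARP IP address but no mask reads an uninitialized automatic variable, which is undefined behaviour and in practice can splice the uninitialized `ipmask` buffer into the ebtables command line. Change the declaration to `bool hasMask = false;`. The variable is also never cleared between the source and destination blocks, so with only `arpsrcipmask` set the source mask is reused for the destination rule; add `hasMask = false;` immediately before the `HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPMask)` check in the last hunk. ebtablesCreateRuleInstance starts before this hunk and continues past it.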
@@ -2269,11 +2271,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
                               &rule->p.arpHdrFilter.dataARPSrcIPAddr) < 0)
                 goto err_exit;
 
+            if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPMask)) {
+                if (printDataType(vars,
+                                  ipmask, sizeof(ipmask),
+                                  &rule->p.arpHdrFilter.dataARPSrcIPMask) < 0)
+                    goto err_exit;
+                hasMask = true;
+            }
+
             virBufferAsprintf(&buf,
-                          " %s %s %s",
+                          " %s %s %s/%s",
                           reverse ? "--arp-ip-dst" : "--arp-ip-src",
                           ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr),
-                          ipaddr);
+                          ipaddr,
+                          hasMask ? ipmask : "32");
         }
 
         if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) {
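Review bot: The format string now appends `/%s` unconditionally, so a rule that configures only `arpsrcipaddr` emits `--arp-ip-src ADDR/32` where it previously emitted `--arp-ip-src ADDR`, changing the generated command line for every existing filter that uses this attribute and presumably any test fixtures that compare ebtables output. If byte-identical output for unchanged filters is wanted, emit the suffix only when a mask is present: format `" %s %s %s%s%s"` with `hasMask ? "/" : ""` and `hasMask ? ipmask : ""` as the trailing arguments. What printDataType writes for DATATYPE_IPMASK is not visible in this patch; the `"32"` default assumes a CIDR prefix length rather than a dotted-quad mask, which is worth confirming so both forms are consistent. The enclosing function starts before this hunk and continues past it.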
@@ -2282,11 +2293,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
                               &rule->p.arpHdrFilter.dataARPDstIPAddr) < 0)
                 goto err_exit;
 
+            if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPMask)) {
+                if (printDataType(vars,
+                                  ipmask, sizeof(ipmask),
+                                  &rule->p.arpHdrFilter.dataARPDstIPMask) < 0)
+                    goto err_exit;
+                hasMask = true;
+            }
+
             virBufferAsprintf(&buf,
-                          " %s %s %s",
+                          " %s %s %s/%s",
                           reverse ? "--arp-ip-src" : "--arp-ip-dst",
                           ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr),
-                          ipaddr);
+                          ipaddr,
+                          hasMask ? ipmask : "32");
         }
 
         if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) {
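Review bot: A mask supplied without its address is silently ignored: the `dataARPDstIPMask` check sits inside the `HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)` branch opened on the last line of the preceding hunk, and the source-side check is nested the same way, so a filter carrying only `arpdstipmask` yields a rule with no ARP IP match and no diagnostic. Since the parser accepts the attribute on its own (the new arpAttributes entries in nwfilter_conf.c), either reject a mask whose corresponding address attribute is absent when the rule is validated, or state in the docs/formatnwfilter.html.in rows added by this patch that `arpsrcipmask`/`arpdstipmask` only take effect together with `arpsrcipaddr`/`arpdstipaddr`. ebtablesCreateRuleInstance continues past the end of this hunk.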
-- 
1.8.1.4



