[libvirt] [PATCH] nwfilter: Add ARP src/dst IP mask for ebtables ARP

Laine Stump laine at laine.org
Thu Mar 13 17:50:04 UTC 2014


On 03/12/2014 05:10 AM, Stefan Berger wrote:
> From: Stefan Berger <stefanb at linux.vnet.ibm.com>
>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=862887
>
> Add a netmask for the source and destination IP address for the
> ebtables --arp-ip-src and --arp-ip-dst options. Extend the XML
> parser with support for XML attributes for these netmasks similar
> to already supported netmasks. Extend the documentation.
>
> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
> ---
>  docs/formatnwfilter.html.in               | 10 ++++++++++
>  src/conf/nwfilter_conf.c                  | 12 ++++++++++++
>  src/conf/nwfilter_conf.h                  |  2 ++
>  src/nwfilter/nwfilter_ebiptables_driver.c | 28 ++++++++++++++++++++++++----
>  4 files changed, 48 insertions(+), 4 deletions(-)
>
> diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
> index 5c06bf2..fb3a326 100644
> --- a/docs/formatnwfilter.html.in
> +++ b/docs/formatnwfilter.html.in
> @@ -990,11 +990,21 @@
>           <td>Source IP address in ARP/RARP packet</td>
>         </tr>
>         <tr>
> +         <td>arpsrcipmask <span class="since">(Since 1.2.3)</span></td>
> +         <td>IP_MASK</td>
> +         <td>Source IP mask</td>
> +       </tr>
> +       <tr>
>           <td>arpdstipaddr</td>
>           <td>IP_ADDR</td>
>           <td>Destination IP address in ARP/RARP packet</td>
>         </tr>
>         <tr>
> +         <td>arpdstipmask <span class="since">(Since 1.2.3)</span></td>
> +         <td>IP_MASK</td>
> +         <td>Destination IP mask</td>
> +       </tr>
> +       <tr>
>           <td>comment <span class="since">(Since 0.8.5)</span></td>
>           <td>STRING</td>
>           <td>text with max. 256 characters</td>
> diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
> index d25e0cc..73e668f 100644
> --- a/src/conf/nwfilter_conf.c
> +++ b/src/conf/nwfilter_conf.c
> @@ -173,7 +173,9 @@ static const char dstmacmask_str[]    = "dstmacmask";
>  static const char arpsrcmacaddr_str[] = "arpsrcmacaddr";
>  static const char arpdstmacaddr_str[] = "arpdstmacaddr";
>  static const char arpsrcipaddr_str[]  = "arpsrcipaddr";
> +static const char arpsrcipmask_str[]  = "arpsrcipmask";
>  static const char arpdstipaddr_str[]  = "arpdstipaddr";
> +static const char arpdstipmask_str[]  = "arpdstipmask";
>  static const char srcipaddr_str[]     = "srcipaddr";
>  static const char srcipmask_str[]     = "srcipmask";
>  static const char dstipaddr_str[]     = "dstipaddr";
> @@ -198,7 +200,9 @@ static const char ipsetflags_str[]    = "ipsetflags";
>  #define ARPSRCMACADDR arpsrcmacaddr_str
>  #define ARPDSTMACADDR arpdstmacaddr_str
>  #define ARPSRCIPADDR  arpsrcipaddr_str
> +#define ARPSRCIPMASK  arpsrcipmask_str
>  #define ARPDSTIPADDR  arpdstipaddr_str
> +#define ARPDSTIPMASK  arpdstipmask_str
>  #define SRCIPADDR     srcipaddr_str
>  #define SRCIPMASK     srcipmask_str
>  #define DSTIPADDR     dstipaddr_str
> @@ -1302,10 +1306,18 @@ static const virXMLAttr2Struct arpAttributes[] = {
>          .datatype = DATATYPE_IPADDR,
>          .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPAddr),
>      }, {
> +        .name = ARPSRCIPMASK,
> +        .datatype = DATATYPE_IPMASK,
> +        .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPMask),
> +    }, {
>          .name = ARPDSTIPADDR,
>          .datatype = DATATYPE_IPADDR,
>          .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPAddr),
>      }, {
> +        .name = ARPDSTIPMASK,
> +        .datatype = DATATYPE_IPMASK,
> +        .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPMask),
> +    }, {
>          .name = "gratuitous",
>          .datatype = DATATYPE_BOOLEAN,
>          .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataGratuitousARP),
> diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
> index 8c59330..071343e 100644
> --- a/src/conf/nwfilter_conf.h
> +++ b/src/conf/nwfilter_conf.h
> @@ -209,8 +209,10 @@ struct _arpHdrFilterDef {
>      nwItemDesc dataOpcode;
>      nwItemDesc dataARPSrcMACAddr;
>      nwItemDesc dataARPSrcIPAddr;
> +    nwItemDesc dataARPSrcIPMask;
>      nwItemDesc dataARPDstMACAddr;
>      nwItemDesc dataARPDstIPAddr;
> +    nwItemDesc dataARPDstIPMask;
>      nwItemDesc dataGratuitousARP;
>      nwItemDesc dataComment;
>  };
> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
> index bea9535..a4b38e7 100644
> --- a/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -2059,6 +2059,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
>  {
>      char macaddr[VIR_MAC_STRING_BUFLEN],
>           ipaddr[INET_ADDRSTRLEN],
> +         ipmask[INET_ADDRSTRLEN],
>           ipv6addr[INET6_ADDRSTRLEN],
>           number[MAX(INT_BUFSIZE_BOUND(uint32_t),
>                      INT_BUFSIZE_BOUND(int))],
> @@ -2066,6 +2067,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
>      char chain[MAX_CHAINNAME_LENGTH];
>      virBuffer buf = VIR_BUFFER_INITIALIZER;
>      const char *target;
> +    bool hasMask;
>  
>      if (!ebtables_cmd_path) {
>          virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
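Review bot: `bool hasMask;` is declared without an initializer and is only ever assigned `true`, so a rule that sets `arpsrcipaddr` or `arpdstipaddr` without a mask makes the `hasMask ? ipmask : "32"` expressions in the hunks at -2269 and -2282 read an indeterminate value. Depending on what is on the stack, the ebtables argument may then be built from the never-written `ipmask` buffer instead of the intended `/32`, so the ARP filter may fail to install or may match a different range than the one configured. Declaring it as `bool hasMask = false;` removes the indeterminate read. The body of ebtablesCreateRuleInstance starts and ends outside this hunk.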
> @@ -2269,11 +2271,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
>                                &rule->p.arpHdrFilter.dataARPSrcIPAddr) < 0)
>                  goto err_exit;
>  
> +            if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPMask)) {
> +                if (printDataType(vars,
> +                                  ipmask, sizeof(ipmask),
> +                                  &rule->p.arpHdrFilter.dataARPSrcIPMask) < 0)
> +                    goto err_exit;
> +                hasMask = true;
> +            }
> +
>              virBufferAsprintf(&buf,
> -                          " %s %s %s",
> +                          " %s %s %s/%s",
>                            reverse ? "--arp-ip-dst" : "--arp-ip-src",
>                            ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr),
> -                          ipaddr);
> +                          ipaddr,
> +                          hasMask ? ipmask : "32");
>          }
>  
>          if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) {
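Review bot: The `arpsrcipmask` lookup appears to sit inside the block guarded by the `dataARPSrcIPAddr` check, so a rule that supplies a mask without `arpsrcipaddr` would be accepted and then emit no `--arp-ip-src` match at all; the same nesting applies to the destination in the hunk at -2282. For a filter meant to constrain guest ARP traffic, an attribute that is silently dropped deserves a comment. Unless the parser rejects that combination elsewhere (not visible here), a comment such as `/* the mask is only used together with the address; a mask on its own is ignored */` above the mask check, and a matching sentence in formatnwfilter.html.in, would make the behaviour explicit. The enclosing block starts outside this hunk.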
> @@ -2282,11 +2293,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
>                                &rule->p.arpHdrFilter.dataARPDstIPAddr) < 0)
>                  goto err_exit;
>  
> +            if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPMask)) {
> +                if (printDataType(vars,
> +                                  ipmask, sizeof(ipmask),
> +                                  &rule->p.arpHdrFilter.dataARPDstIPMask) < 0)
> +                    goto err_exit;
> +                hasMask = true;
> +            }
> +
>              virBufferAsprintf(&buf,
> -                          " %s %s %s",
> +                          " %s %s %s/%s",
>                            reverse ? "--arp-ip-src" : "--arp-ip-dst",
>                            ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr),
> -                          ipaddr);
> +                          ipaddr,
> +                          hasMask ? ipmask : "32");
>          }
>  
>          if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) {
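Review bot: `hasMask` is never cleared between the source block and this destination block, so a rule with `arpsrcipmask` but no `arpdstipmask` would take the `hasMask ? ipmask : "32"` branch here with the source mask still in `ipmask`. That could widen the destination match beyond the single host the rule asks for. Writing `hasMask = false;` immediately before each mask check (`dataARPDstIPMask` in this hunk, `dataARPSrcIPMask` in the hunk at -2269) scopes the flag to one address. Whether code outside the hunks also touches the flag cannot be seen from here.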

ACK.



