External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-27 05:42:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added patches for routed networking from Mads Chr. Olesen

Browse Source
This commit is contained in:
Daniel P. Berrange 2008-03-28 20:38:21 +00:00
parent 924de9c3d1
commit 038b434f14
8 changed files with 223 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
AUTHORS
View File

@ -40,6 +40,7 @@ Patches have also been contributed by:
Chris Lalancette <clalance@redhat.com> Chris Lalancette <clalance@redhat.com>
Guido Guenther <agx@sigxcpu.org> Guido Guenther <agx@sigxcpu.org>
Daniel Hokka Zakrisson <daniel@hozac.com> Daniel Hokka Zakrisson <daniel@hozac.com>
Mads Chr. Olesen <shiyee@shiyee.dk>
[....send patches to get your name here....] [....send patches to get your name here....]

12
ChangeLog
View File

@ -1,4 +1,14 @@
Fri Mar 27 13:55:56 EDT 2008 Daniel P. Berrange <berrange@redhat.com> Fri Mar 28 16:34:56 EDT 2008 Daniel P. Berrange <berrange@redhat.com>
* src/network.rng: Add new routed networking schema
* src/iptables.c, src/iptables.h: Add iptablesAddForwardAllowRelatedIn
and iptablesRemoveForwardAllowRelatedIn
* src/qemu_conf.h: Add attribute for routed networking
* src/qemu_conf.c: Parse / format new networking attributes
* src/qemu_driver.c: Support routed networking config
(patches from Mads Chr. Olesen)
Fri Mar 28 13:55:56 EDT 2008 Daniel P. Berrange <berrange@redhat.com>
* src/storage_conf.c: Fix XML output tag for FS storage pools * src/storage_conf.c: Fix XML output tag for FS storage pools
directory path directory path

8
docs/network.rng
View File

@ -56,6 +56,14 @@
rest of the network --> rest of the network -->
<element name="forward"> <element name="forward">
<optional><attribute name="dev"><text/></attribute></optional> <optional><attribute name="dev"><text/></attribute></optional>
<optional>
<attribute name="mode">
<choice>
<value>nat</value>
<value>routed</value>
</choice>
</attribute>
</optional>
</element> </element>
</optional> </optional>
</element> </element>

73
src/iptables.c
View File

@ -793,7 +793,7 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx,
* and associated with an existing connection * and associated with an existing connection
*/ */
static int static int
iptablesForwardAllowIn(iptablesContext *ctx, iptablesForwardAllowRelatedIn(iptablesContext *ctx,
const char *network, const char *network,
const char *iface, const char *iface,
const char *physdev, const char *physdev,
@ -821,6 +821,77 @@ iptablesForwardAllowIn(iptablesContext *ctx,
} }
} }
/**
* iptablesAddForwardAllowRelatedIn:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
* @physdev: the physical input device or NULL
*
* Add rules to the IP table context to allow the traffic for the
* network @network on @physdev device to be forwarded to
* interface @iface, if it is part of an existing connection.
*
* Returns 0 in case of success or an error code otherwise
*/
int
iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
const char *network,
const char *iface,
const char *physdev)
{
return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, ADD);
}
/**
* iptablesRemoveForwardAllowRelatedIn:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
* @physdev: the physical input device or NULL
*
* Remove rules from the IP table context hence forbidding the traffic for
* network @network on @physdev device to be forwarded to
* interface @iface, if it is part of an existing connection.
*
* Returns 0 in case of success or an error code otherwise
*/
int
iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
const char *network,
const char *iface,
const char *physdev)
{
return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
iptablesForwardAllowIn(iptablesContext *ctx,
const char *network,
const char *iface,
const char *physdev,
int action)
{
if (physdev && physdev[0]) {
return iptablesAddRemoveRule(ctx->forward_filter,
action,
"--destination", network,
"--in-interface", physdev,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
} else {
return iptablesAddRemoveRule(ctx->forward_filter,
action,
"--destination", network,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
}
}
/** /**
* iptablesAddForwardAllowIn: * iptablesAddForwardAllowIn:
* @ctx: pointer to the IP table context * @ctx: pointer to the IP table context

9
src/iptables.h
View File

@ -55,6 +55,15 @@ int iptablesRemoveForwardAllowOut (iptablesContext *ctx,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
const char *network,
const char *iface,
const char *physdev);
int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
const char *network,
const char *iface,
const char *physdev);
int iptablesAddForwardAllowIn (iptablesContext *ctx, int iptablesAddForwardAllowIn (iptablesContext *ctx,
const char *network, const char *network,
const char *iface, const char *iface,

17
src/qemu_conf.c
View File

@ -2521,6 +2521,17 @@ static struct qemud_network_def *qemudParseNetworkXML(virConnectPtr conn,
} }
def->forward = 1; def->forward = 1;
tmp = xmlXPathEval(BAD_CAST "string(/network/forward[1]/@mode)", ctxt);
if ((tmp != NULL) && (tmp->type == XPATH_STRING) &&
(tmp->stringval != NULL) && (xmlStrEqual(tmp->stringval, BAD_CAST "route"))) {
def->forwardMode = QEMUD_NET_FORWARD_ROUTE;
} else {
def->forwardMode = QEMUD_NET_FORWARD_NAT;
}
xmlXPathFreeObject(tmp);
tmp = NULL;
tmp = xmlXPathEval(BAD_CAST "string(/network/forward[1]/@dev)", ctxt); tmp = xmlXPathEval(BAD_CAST "string(/network/forward[1]/@dev)", ctxt);
if ((tmp != NULL) && (tmp->type == XPATH_STRING) && if ((tmp != NULL) && (tmp->type == XPATH_STRING) &&
(tmp->stringval != NULL) && (tmp->stringval[0] != 0)) { (tmp->stringval != NULL) && (tmp->stringval[0] != 0)) {
@ -3160,10 +3171,10 @@ char *qemudGenerateNetworkXML(virConnectPtr conn,
if (def->forward) { if (def->forward) {
if (def->forwardDev[0]) { if (def->forwardDev[0]) {
virBufferVSprintf(buf, " <forward dev='%s'/>\n", virBufferVSprintf(buf, " <forward dev='%s' mode='%s'/>\n",
def->forwardDev); def->forwardDev, (def->forwardMode == QEMUD_NET_FORWARD_ROUTE ? "route" : "nat"));
} else { } else {
virBufferAddLit(buf, " <forward/>\n"); virBufferVSprintf(buf, " <forward mode='%s'/>\n", (def->forwardMode == QEMUD_NET_FORWARD_ROUTE ? "route" : "nat"));
} }
} }

7
src/qemu_conf.h
View File

@ -83,6 +83,12 @@ enum qemud_vm_net_type {
QEMUD_NET_BRIDGE, QEMUD_NET_BRIDGE,
}; };
/* 2 possible types of forwarding */
enum qemud_vm_net_forward_type {
QEMUD_NET_FORWARD_NAT,
QEMUD_NET_FORWARD_ROUTE,
};
#define QEMUD_MAX_NAME_LEN 50 #define QEMUD_MAX_NAME_LEN 50
#define QEMUD_MAX_XML_LEN 4096 #define QEMUD_MAX_XML_LEN 4096
#define QEMUD_MAX_ERROR_LEN 1024 #define QEMUD_MAX_ERROR_LEN 1024
@ -266,6 +272,7 @@ struct qemud_network_def {
int forwardDelay; int forwardDelay;
int forward; int forward;
int forwardMode; /* From qemud_vm_net_forward_type */
char forwardDev[BR_IFNAME_MAXLEN]; char forwardDev[BR_IFNAME_MAXLEN];
char ipAddress[BR_INET_ADDR_MAXLEN]; char ipAddress[BR_INET_ADDR_MAXLEN];

146
src/qemu_driver.c
View File

@ -948,6 +948,98 @@ dhcpStartDhcpDaemon(virConnectPtr conn,
return ret; return ret;
} }
static int
qemudAddMasqueradingIptablesRules(virConnectPtr conn,
struct qemud_driver *driver,
struct qemud_network *network) {
int err;
/* allow forwarding packets from the bridge interface */
if ((err = iptablesAddForwardAllowOut(driver->iptables,
network->def->network,
network->bridge,
network->def->forwardDev))) {
qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
_("failed to add iptables rule to allow forwarding from '%s' : %s\n"),
network->bridge, strerror(err));
goto masqerr1;
}
/* allow forwarding packets to the bridge interface if they are part of an existing connection */
if ((err = iptablesAddForwardAllowRelatedIn(driver->iptables,
network->def->network,
network->bridge,
network->def->forwardDev))) {
qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
_("failed to add iptables rule to allow forwarding to '%s' : %s\n"),
network->bridge, strerror(err));
goto masqerr2;
}
/* enable masquerading */
if ((err = iptablesAddForwardMasquerade(driver->iptables,
network->def->network,
network->def->forwardDev))) {
qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
_("failed to add iptables rule to enable masquerading : %s\n"),
strerror(err));
goto masqerr3;
}
return 1;
masqerr3:
iptablesRemoveForwardAllowRelatedIn(driver->iptables,
network->def->network,
network->bridge,
network->def->forwardDev);
masqerr2:
iptablesRemoveForwardAllowOut(driver->iptables,
network->def->network,
network->bridge,
network->def->forwardDev);
masqerr1:
return 0;
}
static int
qemudAddRoutingIptablesRules(virConnectPtr conn,
struct qemud_driver *driver,
struct qemud_network *network) {
int err;
/* allow routing packets from the bridge interface */
if ((err = iptablesAddForwardAllowOut(driver->iptables,
network->def->network,
network->bridge,
network->def->forwardDev))) {
qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
_("failed to add iptables rule to allow routing from '%s' : %s\n"),
network->bridge, strerror(err));
goto routeerr1;
}
/* allow routing packets to the bridge interface */
if ((err = iptablesAddForwardAllowIn(driver->iptables,
network->def->network,
network->bridge,
network->def->forwardDev))) {
qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
_("failed to add iptables rule to allow routing to '%s' : %s\n"),
network->bridge, strerror(err));
goto routeerr2;
}
return 1;
routeerr2:
iptablesRemoveForwardAllowOut(driver->iptables,
network->def->network,
network->bridge,
network->def->forwardDev);
routeerr1:
return 0;
}
static int static int
qemudAddIptablesRules(virConnectPtr conn, qemudAddIptablesRules(virConnectPtr conn,
struct qemud_driver *driver, struct qemud_driver *driver,
@ -1023,53 +1115,17 @@ qemudAddIptablesRules(virConnectPtr conn,
return 1; return 1;
} }
/* allow forwarding packets from the bridge interface */ /* If masquerading is enabled, set up the rules*/
if ((err = iptablesAddForwardAllowOut(driver->iptables, if (network->def->forwardMode == QEMUD_NET_FORWARD_NAT) {
network->def->network, if (qemudAddMasqueradingIptablesRules(conn, driver, network))
network->bridge,
network->def->forwardDev))) {
qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
_("failed to add iptables rule to allow forwarding from '%s' : %s"),
network->bridge, strerror(err));
goto err8;
}
/* allow forwarding packets to the bridge interface if they are part of an existing connection */
if ((err = iptablesAddForwardAllowIn(driver->iptables,
network->def->network,
network->bridge,
network->def->forwardDev))) {
qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
_("failed to add iptables rule to allow forwarding to '%s' : %s"),
network->bridge, strerror(err));
goto err9;
}
/* enable masquerading */
if ((err = iptablesAddForwardMasquerade(driver->iptables,
network->def->network,
network->def->forwardDev))) {
qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
_("failed to add iptables rule to enable masquerading : %s"),
strerror(err));
goto err10;
}
iptablesSaveRules(driver->iptables);
return 1; return 1;
}
/* else if routing is enabled, set up the rules*/
else if (network->def->forwardMode == QEMUD_NET_FORWARD_ROUTE) {
if (qemudAddRoutingIptablesRules(conn, driver, network))
return 1;
}
err10:
iptablesRemoveForwardAllowIn(driver->iptables,
network->def->network,
network->bridge,
network->def->forwardDev);
err9:
iptablesRemoveForwardAllowOut(driver->iptables,
network->def->network,
network->bridge,
network->def->forwardDev);
err8:
iptablesRemoveForwardAllowCross(driver->iptables, iptablesRemoveForwardAllowCross(driver->iptables,
network->bridge); network->bridge);
err7: err7: