From a81756f1ff174c2603f1a392658741f4678bf3ed Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Thu, 13 Mar 2014 18:30:09 -0400
Subject: [PATCH] nwfilter: Add ARP src/dst IP mask for ebtables ARP
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=862887
Add a netmask for the source and destination IP address for the ebtables --arp-ip-src and --arp-ip-dst options. Extend the XML parser with support for XML attributes for these netmasks similar to already supported netmasks. Extend the documentation.
Signed-off-by: Stefan Berger
---
 docs/formatnwfilter.html.in | 10 ++++++++
 src/conf/nwfilter_conf.c | 12 ++++++++++
 src/conf/nwfilter_conf.h | 2 ++
 src/nwfilter/nwfilter_ebiptables_driver.c | 28 +++++++++++++++++++----
 4 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 4b95fce643..45b97f7699 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -989,11 +989,21 @@ IP_ADDR Source IP address in ARP/RARP packet + + arpsrcipmask (Since 1.2.3) + IP_MASK + Source IP mask + arpdstipaddr IP_ADDR Destination IP address in ARP/RARP packet + + arpdstipmask (Since 1.2.3) + IP_MASK + Destination IP mask + comment (Since 0.8.5) STRING
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index d25e0cc16c..73e668fe0f 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -173,7 +173,9 @@ static const char dstmacmask_str[] = "dstmacmask";
 static const char arpsrcmacaddr_str[] = "arpsrcmacaddr";
 static const char arpdstmacaddr_str[] = "arpdstmacaddr";
 static const char arpsrcipaddr_str[] = "arpsrcipaddr";
+static const char arpsrcipmask_str[] = "arpsrcipmask";
 static const char arpdstipaddr_str[] = "arpdstipaddr";
+static const char arpdstipmask_str[] = "arpdstipmask";
 static const char srcipaddr_str[] = "srcipaddr";
 static const char srcipmask_str[] = "srcipmask";
 static const char dstipaddr_str[] = "dstipaddr";
@@ -198,7 +200,9 @@ static const char ipsetflags_str[] = "ipsetflags";
 #define ARPSRCMACADDR arpsrcmacaddr_str
 #define ARPDSTMACADDR arpdstmacaddr_str
 #define ARPSRCIPADDR arpsrcipaddr_str
+#define ARPSRCIPMASK arpsrcipmask_str
 #define ARPDSTIPADDR arpdstipaddr_str
+#define ARPDSTIPMASK arpdstipmask_str
 #define SRCIPADDR srcipaddr_str
 #define SRCIPMASK srcipmask_str
 #define DSTIPADDR dstipaddr_str
@@ -1301,10 +1305,18 @@ static const virXMLAttr2Struct arpAttributes[] = {
 .name = ARPSRCIPADDR,
 .datatype = DATATYPE_IPADDR,
 .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPAddr),
+ }, {
+ .name = ARPSRCIPMASK,
+ .datatype = DATATYPE_IPMASK,
+ .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPMask),
 }, {
 .name = ARPDSTIPADDR,
 .datatype = DATATYPE_IPADDR,
 .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPAddr),
+ }, {
+ .name = ARPDSTIPMASK,
+ .datatype = DATATYPE_IPMASK,
+ .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPMask),
 }, {
 .name = "gratuitous",
 .datatype = DATATYPE_BOOLEAN,
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 8c59330f82..071343ed14 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -209,8 +209,10 @@ struct _arpHdrFilterDef {
 nwItemDesc dataOpcode;
 nwItemDesc dataARPSrcMACAddr;
 nwItemDesc dataARPSrcIPAddr;
+ nwItemDesc dataARPSrcIPMask;
 nwItemDesc dataARPDstMACAddr;
 nwItemDesc dataARPDstIPAddr;
+ nwItemDesc dataARPDstIPMask;
 nwItemDesc dataGratuitousARP;
 nwItemDesc dataComment;
 };
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 352c08f0e0..34107a2cc3 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2052,6 +2052,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
 {
 char macaddr[VIR_MAC_STRING_BUFLEN],
 ipaddr[INET_ADDRSTRLEN],
+ ipmask[INET_ADDRSTRLEN],
 ipv6addr[INET6_ADDRSTRLEN],
 number[MAX(INT_BUFSIZE_BOUND(uint32_t), INT_BUFSIZE_BOUND(int))],
@@ -2059,6 +2060,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
 char chain[MAX_CHAINNAME_LENGTH];
 virBuffer buf = VIR_BUFFER_INITIALIZER;
 const char *target;
+ bool hasMask = false;
 if (!ebtables_cmd_path) {
 virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@@ -2262,11 +2264,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
 &rule->p.arpHdrFilter.dataARPSrcIPAddr) < 0)
 goto err_exit;
+ if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPMask)) {
+ if (printDataType(vars,
+ ipmask, sizeof(ipmask),
+ &rule->p.arpHdrFilter.dataARPSrcIPMask) < 0)
+ goto err_exit;
+ hasMask = true;
+ }
+
 virBufferAsprintf(&buf,
- " %s %s %s",
+ " %s %s %s/%s",
 reverse ? "--arp-ip-dst" : "--arp-ip-src",
 ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr),
- ipaddr);
+ ipaddr,
+ hasMask ? ipmask : "32");
 }
 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) {
@@ -2275,11 +2286,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
 &rule->p.arpHdrFilter.dataARPDstIPAddr) < 0)
 goto err_exit;
+ if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPMask)) {
+ if (printDataType(vars,
+ ipmask, sizeof(ipmask),
+ &rule->p.arpHdrFilter.dataARPDstIPMask) < 0)
+ goto err_exit;
+ hasMask = true;
+ }
+
 virBufferAsprintf(&buf,
- " %s %s %s",
+ " %s %s %s/%s",
 reverse ? "--arp-ip-src" : "--arp-ip-dst",
 ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr),
- ipaddr);
+ ipaddr,
+ hasMask ? ipmask : "32");
 }
 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) {
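Review bot: `hasMask` is never reset between the two address blocks in the @@ -2264 and @@ -2286 hunks, so a rule that gives arpsrcipmask but no arpdstipmask still has `hasMask` true and the stale source mask in `ipmask` when the destination line is formatted, and the `--arp-ip-dst` option (or `--arp-ip-src` when `reverse` is set) is emitted with the source's mask instead of the intended `/32`. The generated ebtables rule then matches a different address range than the XML specifies, which is a filtering correctness problem rather than a cosmetic one. Reset the flag at the start of the destination block, `hasMask = false;` immediately before `if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPMask)) {`, or give each block its own flag. Both mask checks are also nested inside the corresponding address checks, so a mask attribute supplied without its address attribute is silently dropped by this driver unless the parser rejects that combination elsewhere, which is not visible here. ebtablesCreateRuleInstance begins before the first hunk and continues past the last one.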