nwfilter: Add ARP src/dst IP mask for ebtables ARP

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=862887

Add a netmask for the source and destination IP address for the
ebtables --arp-ip-src and --arp-ip-dst options. Extend the XML
parser with support for XML attributes for these netmasks similar
to already supported netmasks. Extend the documentation.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Stefan Berger 2014-03-13 18:30:09 -04:00 committed by Stefan Berger
parent 5a2b17beb8
commit a81756f1ff
4 changed files with 48 additions and 4 deletions


@ -989,11 +989,21 @@
<td>IP_ADDR</td> <td>IP_ADDR</td>
<td>Source IP address in ARP/RARP packet</td> <td>Source IP address in ARP/RARP packet</td>
</tr> </tr>
<tr>
<td>arpsrcipmask <span class="since">(Since 1.2.3)</span></td>
<td>IP_MASK</td>
<td>Source IP mask</td>
</tr>
<tr> <tr>
<td>arpdstipaddr</td> <td>arpdstipaddr</td>
<td>IP_ADDR</td> <td>IP_ADDR</td>
<td>Destination IP address in ARP/RARP packet</td> <td>Destination IP address in ARP/RARP packet</td>
</tr> </tr>
<tr>
<td>arpdstipmask <span class="since">(Since 1.2.3)</span></td>
<td>IP_MASK</td>
<td>Destination IP mask</td>
</tr>
<tr> <tr>
<td>comment <span class="since">(Since 0.8.5)</span></td> <td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td> <td>STRING</td>


@ -173,7 +173,9 @@ static const char dstmacmask_str[] = "dstmacmask";
static const char arpsrcmacaddr_str[] = "arpsrcmacaddr"; static const char arpsrcmacaddr_str[] = "arpsrcmacaddr";
static const char arpdstmacaddr_str[] = "arpdstmacaddr"; static const char arpdstmacaddr_str[] = "arpdstmacaddr";
static const char arpsrcipaddr_str[] = "arpsrcipaddr"; static const char arpsrcipaddr_str[] = "arpsrcipaddr";
static const char arpsrcipmask_str[] = "arpsrcipmask";
static const char arpdstipaddr_str[] = "arpdstipaddr"; static const char arpdstipaddr_str[] = "arpdstipaddr";
static const char arpdstipmask_str[] = "arpdstipmask";
static const char srcipaddr_str[] = "srcipaddr"; static const char srcipaddr_str[] = "srcipaddr";
static const char srcipmask_str[] = "srcipmask"; static const char srcipmask_str[] = "srcipmask";
static const char dstipaddr_str[] = "dstipaddr"; static const char dstipaddr_str[] = "dstipaddr";
@ -198,7 +200,9 @@ static const char ipsetflags_str[] = "ipsetflags";
#define ARPSRCMACADDR arpsrcmacaddr_str #define ARPSRCMACADDR arpsrcmacaddr_str
#define ARPDSTMACADDR arpdstmacaddr_str #define ARPDSTMACADDR arpdstmacaddr_str
#define ARPSRCIPADDR arpsrcipaddr_str #define ARPSRCIPADDR arpsrcipaddr_str
#define ARPSRCIPMASK arpsrcipmask_str
#define ARPDSTIPADDR arpdstipaddr_str #define ARPDSTIPADDR arpdstipaddr_str
#define ARPDSTIPMASK arpdstipmask_str
#define SRCIPADDR srcipaddr_str #define SRCIPADDR srcipaddr_str
#define SRCIPMASK srcipmask_str #define SRCIPMASK srcipmask_str
#define DSTIPADDR dstipaddr_str #define DSTIPADDR dstipaddr_str
@ -1301,10 +1305,18 @@ static const virXMLAttr2Struct arpAttributes[] = {
.name = ARPSRCIPADDR, .name = ARPSRCIPADDR,
.datatype = DATATYPE_IPADDR, .datatype = DATATYPE_IPADDR,
.dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPAddr), .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPAddr),
}, {
.name = ARPSRCIPMASK,
.datatype = DATATYPE_IPMASK,
.dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPSrcIPMask),
}, { }, {
.name = ARPDSTIPADDR, .name = ARPDSTIPADDR,
.datatype = DATATYPE_IPADDR, .datatype = DATATYPE_IPADDR,
.dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPAddr), .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPAddr),
}, {
.name = ARPDSTIPMASK,
.datatype = DATATYPE_IPMASK,
.dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPMask),
}, { }, {
.name = "gratuitous", .name = "gratuitous",
.datatype = DATATYPE_BOOLEAN, .datatype = DATATYPE_BOOLEAN,
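Review bot: The two new table entries accept arpsrcipmask and arpdstipmask on their own, while the driver hunks on this page read the mask only after the matching address has been printed, so a mask given without an address appears to be parsed and then silently ignored. For a packet-filtering rule, that is worth either rejecting at parse time or stating next to the entries, e.g. `/* only used together with arpsrcipaddr; ignored otherwise */`. The arpAttributes array starts and ends outside the hunk, so check whether an existing validation hook already covers this.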


@ -209,8 +209,10 @@ struct _arpHdrFilterDef {
nwItemDesc dataOpcode; nwItemDesc dataOpcode;
nwItemDesc dataARPSrcMACAddr; nwItemDesc dataARPSrcMACAddr;
nwItemDesc dataARPSrcIPAddr; nwItemDesc dataARPSrcIPAddr;
nwItemDesc dataARPSrcIPMask;
nwItemDesc dataARPDstMACAddr; nwItemDesc dataARPDstMACAddr;
nwItemDesc dataARPDstIPAddr; nwItemDesc dataARPDstIPAddr;
nwItemDesc dataARPDstIPMask;
nwItemDesc dataGratuitousARP; nwItemDesc dataGratuitousARP;
nwItemDesc dataComment; nwItemDesc dataComment;
}; };


@ -2052,6 +2052,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
{ {
char macaddr[VIR_MAC_STRING_BUFLEN], char macaddr[VIR_MAC_STRING_BUFLEN],
ipaddr[INET_ADDRSTRLEN], ipaddr[INET_ADDRSTRLEN],
ipmask[INET_ADDRSTRLEN],
ipv6addr[INET6_ADDRSTRLEN], ipv6addr[INET6_ADDRSTRLEN],
number[MAX(INT_BUFSIZE_BOUND(uint32_t), number[MAX(INT_BUFSIZE_BOUND(uint32_t),
INT_BUFSIZE_BOUND(int))], INT_BUFSIZE_BOUND(int))],
@ -2059,6 +2060,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
char chain[MAX_CHAINNAME_LENGTH]; char chain[MAX_CHAINNAME_LENGTH];
virBuffer buf = VIR_BUFFER_INITIALIZER; virBuffer buf = VIR_BUFFER_INITIALIZER;
const char *target; const char *target;
bool hasMask = false;
if (!ebtables_cmd_path) { if (!ebtables_cmd_path) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@ -2262,11 +2264,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
&rule->p.arpHdrFilter.dataARPSrcIPAddr) < 0) &rule->p.arpHdrFilter.dataARPSrcIPAddr) < 0)
goto err_exit; goto err_exit;
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPMask)) {
if (printDataType(vars,
ipmask, sizeof(ipmask),
&rule->p.arpHdrFilter.dataARPSrcIPMask) < 0)
goto err_exit;
hasMask = true;
}
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
" %s %s %s", " %s %s %s/%s",
reverse ? "--arp-ip-dst" : "--arp-ip-src", reverse ? "--arp-ip-dst" : "--arp-ip-src",
ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr), ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr),
ipaddr); ipaddr,
hasMask ? ipmask : "32");
} }
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) { if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) {
@ -2275,11 +2286,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
&rule->p.arpHdrFilter.dataARPDstIPAddr) < 0) &rule->p.arpHdrFilter.dataARPDstIPAddr) < 0)
goto err_exit; goto err_exit;
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPMask)) {
if (printDataType(vars,
ipmask, sizeof(ipmask),
&rule->p.arpHdrFilter.dataARPDstIPMask) < 0)
goto err_exit;
hasMask = true;
}
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
" %s %s %s", " %s %s %s/%s",
reverse ? "--arp-ip-src" : "--arp-ip-dst", reverse ? "--arp-ip-src" : "--arp-ip-dst",
ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr), ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr),
ipaddr); ipaddr,
hasMask ? ipmask : "32");
} }
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) { if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) {
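Review bot: `hasMask` is declared once at function scope and set to true in the source-IP branch, but nothing in the visible lines resets it before the destination-IP branch. For a rule that carries arpsrcipmask but no arpdstipmask, the destination option would then be emitted with the source mask still held in `ipmask` instead of the `32` default, so the generated ebtables rule can match a wider destination range than the filter XML specifies. Resetting the flag at the top of each address branch with `hasMask = false;`, or declaring it inside each branch, keeps the two masks independent. The body of ebtablesCreateRuleInstance starts and ends outside these hunks, so confirm that no other path reuses `ipmask` or `hasMask`.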