This patch implements support for learning a VM's IP address. It uses
the pcap library to listen on the VM's backend network interface (tap)
or the physical ethernet device (macvtap) and tries to capture packets
with source or destination MAC address of the VM and learn from DHCP
Offers, ARP traffic, or first-sent IPv4 packet what the IP address of
the VM's interface is. This then allows to instantiate the network
traffic filtering rules without the user having to provide the IP
parameter somewhere in the filter description or in the interface
description as a parameter. This only supports to detect the parameter
IP, which is for the assumed single IPv4 address of a VM. There is not
support for interfaces that may have multiple IP addresses (IP
aliasing) or IPv6 that may then require more than one valid IP address
to be detected. A VM can have multiple independent interfaces that each
uses a different IP address and in that case it will be attempted to
detect each one of the address independently.
So, when for example an interface description in the domain XML has
looked like this up to now:
<interface type='bridge'>
<source bridge='mybridge'/>
<model type='virtio'/>
<filterref filter='clean-traffic'>
<parameter name='IP' value='10.2.3.4'/>
</filterref>
</interface>
you may omit the IP parameter:
<interface type='bridge'>
<source bridge='mybridge'/>
<model type='virtio'/>
<filterref filter='clean-traffic'/>
</interface>
Internally I am walking the 'tree' of a VM's referenced network filters
and determine with the given variables which variables are missing. Now,
the above IP parameter may be missing and this causes a libvirt-internal
thread to be started that uses the pcap library's API to listen to the
backend interface (in case of macvtap to the physical interface) in an
attempt to determine the missing IP parameter. If the backend interface
disappears the thread terminates assuming the VM was brought down. In
case of a macvtap device a timeout is being used to wait for packets
from the given VM (filtering by VM's interface MAC address). If the VM's
macvtap device disappeared the thread also terminates. In all other
cases it tries to determine the IP address of the VM and will then apply
the rules late on the given interface, which would have happened
immediately if the IP parameter had been explicitly given. In case an
error happens while the firewall rules are applied, the VM's backend
interface is 'down'ed preventing it to communicate. Reasons for failure
for applying the network firewall rules may that an ebtables/iptables
command failes or OOM errors. Essentially the same failure reasons may
occur as when the firewall rules are applied immediately on VM start,
except that due to the late application of the filtering rules the VM
now is already running and cannot be hindered anymore from starting.
Bringing down the whole VM would probably be considered too drastic.
While a VM's IP address is attempted to be determined only limited
updates to network filters are allowed. In particular it is prevented
that filters are modified in such a way that they would introduce new
variables.
A caveat: The algorithm does not know which one is the appropriate IP
address of a VM. If the VM spoofs an IP address in its first ARP traffic
or IPv4 packets its filtering rules will be instantiated for this IP
address, thus 'locking' it to the found IP address. So, it's still
'safer' to explicitly provide the IP address of a VM's interface in the
filter description if it is known beforehand.
* configure.ac: detect libpcap
* libvirt.spec.in: require libpcap[-devel] if qemu is built
* src/internal.h: add the new ATTRIBUTE_PACKED define
* src/Makefile.am src/libvirt_private.syms: add the new modules and symbols
* src/nwfilter/nwfilter_learnipaddr.[ch]: new module being added
* src/nwfilter/nwfilter_driver.c src/conf/nwfilter_conf.[ch]
src/nwfilter/nwfilter_ebiptables_driver.[ch]
src/nwfilter/nwfilter_gentech_driver.[ch]: plu the new functionality in
* tests/nwfilterxml2xmltest: extend testing
virParseVersionString uses virStrToLong_ui instead of sscanf.
This also fixes a bug in the UML driver, that always returned 0
as version number.
Introduce STRSKIP to check if a string has a certain prefix and
to skip this prefix.
Use the new virDomainUpdateDeviceFlags API to allow the VNC password
to be changed on the fly
* src/internal.h: Define STREQ_NULLABLE() which is like STREQ()
but does not crash if either argument is NULL, and treats two
NULLs as equal.
* src/libvirt_private.syms: Export virDomainGraphicsTypeToString
* src/qemu/qemu_driver.c: Support VNC password change on a live
machine
* src/qemu/qemu_monitor.c: Disable crazy debugging info. Treat a
NULL password as "" (empty string), allowing passwords to be
disabled in the monitor
It is a bad idea to call gettext on an already-translated
string. In cases where a string must be translated separately
from where it is exposed to xgettext, the gettext manual
recommends the idiom of N_() wrapping gettext_noop for
marking the string.
* src/internal.h (N_): Fix definition to match gettext manual.
* tools/virsh.c: (cmdHelp, cmdList, cmdDomstate, cmdDominfo)
(cmdVcpuinfo, vshUsage): Replace incorrect use of N_ with _.
(vshCmddefHelp): Likewise. Mark C format strings appropriately.
* src/internal.h (ATTRIBUTE_SENTINEL): New, it's a ggc feature and
protected as such
* src/util/buf.c (virBufferStrcat): Use it.
* src/util/ebtables.c (ebtablesAddRemoveRule): Use it.
* src/util/iptables.c (iptableAddRemoveRule: Use it.
* src/util/qparams.h (new_qparam_set, append_qparams): Use it.
* docs/apibuild.py: avoid breaking the API generator with that new
internal keyword macro
Move the VIR_DRV_FEATURE* constants into libvirt_internal.h
since these flags are indicating whether APIs in the
libvirt_internal.h file are supported by a driver
* src/driver.h: Remove VIR_DRV_FEATURE* constants
* src/libvirt_internal.h: Add VIR_DRV_FEATURE* constants, using
an enum instead of #define
* src/internal.h: pull in libvirt_internal.h
GCC >= 4.4 assumes the 'printf' attribute refers to the native
runtime libraries format specifiers. Thanks to gnulib, libvirt
has GNU format specifiers everywhere. This means we need to
use 'gnu_printf' with GCC >= 4.4 to get correct compiler
checking of printf format specifiers.
* HACKING: Document new rules for ATTRIBUTE_FMT_PRINTF
* autobuild.sh, mingw32-libvirt.spec.in: Disable OpenNebula
driver on mingw32 builds
* qemud/dispatch.h, qemud/qemu.h, src/buf.h src/internal.h,
src/logging.h, src/security.h, src/sexpr.h, src/util.h,
src/virterror_internal.h, src/xend_internal.c: Change
over to ATTRIBUTE_FMT_PRINTF.
* src/virsh.c: Disable 'cd' and 'pwd' commands on Win32
since they don't compile
* src/threads-win32.c: Add missing return value check
* include/libvirt/libvirt.h include/libvirt/libvirt.h.in
src/libvirt.c src/libvirt_sym.version: new libvirt event entry
points, big patch provided by Ben Guthro
* Makefile.am configure.in src/driver.h src/event.c src/event.h
src/internal.h src/libvirt.c src/libvirt_sym.version src/lxc_driver.c
src/openvz_driver.c src/qemu_conf.h src/qemu_driver.c
src/remote_internal.c src/storage_backend_fs.c src/test.c
qemud/event.c qemud/event.h qemud/mdns.c qemud/qemud.c
qemud/qemud.h qemud/remote.c qemud/remote_dispatch_localvars.h
qemud/remote_dispatch_proc_switch.h qemud/remote_dispatch_prototypes.h
qemud/remote_protocol.c qemud/remote_protocol.h
qemud/remote_protocol.x proxy/Makefile.am python/generator.py:
Not much is left untouched by the patch adding the events support
* docs/libvirt-api.xml docs/libvirt-refs.xml
docs/html/libvirt-libvirt.html: regenerated the docs
* examples/domain-events/events-c/Makefile.am
examples/domain-events/events-c/event-test.c: a test example
* AUTHORS: added Ben Guthro
daniel
* include/libvirt/libvirt.h.in: Add VIR_DEPRECATED macro.
* src/internal.h: Internal code is allowed to use deprecated
features, so override VIR_DEPRECATED here.
* include/libvirt/virterror.h: Deprecate the conn, dom and net
fields in the _virError structure.
Mon May 12 23:32:21 PST 2008 David L. Leskovec <dlesko@linux.vnet.ibm.com>
* qemud/qemud.c: get siginfo with signals, distribute to drivers that
register a handler
* src/driver.h: add sighandler function to state driver table
* src/internal.h: define virStateSigDispatcher functions
* src/libvirt.c: add __virStateSigDispatcher function
* src/libvirt_sym.version: add __virStateSigDispatcher
* src/lxc_driver.c: add sig handler function, cleanup vm when sigchld
received from container process
* src/qemu_driver.c: NULL for sig handler (no handler) in state driver
* src/remote_internal.c: NULL for sig handler (no handler) in state driver
* src/storage_driver.c: NULL for sig handler (no handler) in state driver
* configure.in: Fix pkg-config detection of libxml2,
add -lgcrypt to gnutls lib.
* src/Makefile.am: If compiling --without-libvirtd then
don't compile any part of the storage driver.
* configure.in, src/hash.c, src/internal.h: Detect availability
of pthread library and compile out mutex code if not available.
* src/storage_driver.c, src/util.c: Ignore some missing
headers on MinGW.
Done using this command (also includes .c.in and .h.in files):
for i in $(g ls-files|grep -E '\.[ch](\.in)?$'|grep -v gnulib); do
expand -i $i > j && mv j $i;done
* src/hash.c src/internal.h src/virterror.c: remove dandling
domain/net/conn pointers from error data when released.
* src/lxc_driver.c: fix a NULL/0 return error mismatch
Daniel
* src/util.c, src/util.h, src/libvirt_sym.version: Added
virMacAddrCompare utility function for comparing MAC
addresses.
* src/virsh.c, src/xm_internal.c: Use virMacAddrCompare
to compare addresses. (Shigeki Sakamoto and Richard Jones).
* src/internal.h: move xstrol() variants from here ...
* src/util.[ch]: ... to here and rename to virStrToLong()
* src/libvirt_sym.version: export __virStrToLong_i() for
virsh and qemud.
* src/nodeinfo.c, src/stats_linux.c, src/virsh.c,
src/xend_internal.c, qemud/qemud.c: replace xstrtol()
calls with virStrToLong()
* src/nodeinfo.h: don't include internal.h, which was only
needed for xstrtol(), but instead include libvirt.h which
is suffificient for the declarations in the header.
* python/libvir.c, python/libvirt_wrap.h, qemud/qemud.c,
qemud/remote.c, src/internal.h, src/openvz_conf.c,
src/openvz_driver.c, src/proxy_internal.h, src/qemu_conf.c,
src/qemu_driver.c, src/remote_internal.h, src/test.h, src/util.c,
src/xen_unified.c, src/xen_unified.h, tests/nodeinfotest.c,
tests/qemuxml2argvtest.c, tests/qemuxml2xmltest.c, tests/reconnect.c,
tests/sexpr2xmltest.c, tests/virshtest.c, tests/xencapstest.c,
tests/xmconfigtest.c, tests/xml2sexprtest.c:
Change #include <> to #include "" for local includes.
Removed many includes from src/internal.h and put them in
the C files which actually use them.
Removed <ansidecl.h> - unused.
Added a comment around __func__.
Removed a clashing redefinition of VERSION symbol.
All limits (PATH_MAX etc) now done in src/internal.h, so we
don't need to include those headers in other files.
* configure.in, src/internal.h, src/xml.c: <sys/syslimits.h>
is needed on Cygwin to get PATH_MAX. HOST_NAME_MAX and
IF_NAMESIZE defined if not in header files.
* qemud/qemud.c: Replace uses of strtol with uses of xstrtol_i.
Avoid overflow for very large --timeout=N values.
* src/nodeinfo.c: In linuxNodeInfoMemPopulate and
linuxNodeInfoCPUPopulate, use xstrtol_i rather than strtol.
Unlike in qemud.c, here we allow trailing "isspace", and in
the case of "cpuinfo cpu MHz", also allow a "." terminator,
since we ignore the decimal and any following digits.
* src/internal.h: Define xstrtol_ui, too.
Author: Jim Meyering <meyering@redhat.com>