Libvirt provides a portable, long term stable C API for managing the virtualization technologies provided by many operating systems. It includes support for QEMU, KVM, Xen, LXC, bhyve, Virtuozzo, VMware vCenter and ESX, VMware Desktop, Hyper-V, VirtualBox and the POWER Hypervisor.
Go to file
Stefan Berger 3bf24abc8c nwfilter: Support for learning a VM's IP address
This patch implements support for learning a VM's IP address. It uses
the pcap library to listen on the VM's backend network interface (tap)
or the physical ethernet device (macvtap) and tries to capture packets
with source or destination MAC address of the VM and learn from DHCP
Offers, ARP traffic, or first-sent IPv4 packet what the IP address of
the VM's interface is. This then allows to instantiate the network
traffic filtering rules without the user having to provide the IP
parameter somewhere in the filter description or in the interface
description as a parameter. This only supports to detect the parameter
IP, which is for the assumed single IPv4 address of a VM. There is not
support for interfaces that may have multiple  IP addresses (IP
aliasing) or IPv6 that may then require more than one valid IP address
to be detected. A VM can have multiple independent interfaces that each
uses a different IP address and in that case it will be attempted to
detect each one of the address independently.

So, when for example an interface description in the domain XML has
looked like this up to now:

    <interface type='bridge'>
      <source bridge='mybridge'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.2.3.4'/>
      </filterref>
    </interface>

you may omit the IP parameter:

    <interface type='bridge'>
      <source bridge='mybridge'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'/>
    </interface>

Internally I am walking the 'tree' of a VM's referenced network filters
and determine with the given variables which variables are missing. Now,
the above IP parameter may be missing and this causes a libvirt-internal
thread to be started that uses the pcap library's API to listen to the
backend interface  (in case of macvtap to the physical interface) in an
attempt to determine the missing IP parameter. If the backend interface
disappears the thread terminates assuming the VM was brought down. In
case of a macvtap device a timeout is being used to wait for packets
from the given VM (filtering by VM's interface MAC address). If the VM's
macvtap device disappeared the thread also terminates. In all other
cases it tries to determine the IP address of the VM and will then apply
the rules late on the given interface, which would have happened
immediately if the IP parameter had been explicitly given. In case an
error happens while the firewall rules are applied, the VM's backend
interface is 'down'ed preventing it to communicate. Reasons for failure
for applying the network firewall rules may that an ebtables/iptables
command failes or OOM errors. Essentially the same failure reasons may
occur as when the firewall rules are applied immediately on VM start,
except that due to the late application of the filtering rules the VM
now is already running and cannot be hindered anymore from starting.
Bringing down the whole VM would probably be considered too drastic.
While a VM's IP address is attempted to be determined only limited
updates to network filters are allowed. In particular it is prevented
that filters are modified in such a way that they would introduce new
variables.

A caveat: The algorithm does not know which one is the appropriate IP
address of a VM. If the VM spoofs an IP address in its first ARP traffic
or IPv4 packets its filtering rules will be instantiated for this IP
address, thus 'locking' it to the found IP address. So, it's still
'safer' to explicitly provide the IP address of a VM's interface in the
filter description if it is known beforehand.

* configure.ac: detect libpcap
* libvirt.spec.in: require libpcap[-devel] if qemu is built
* src/internal.h: add the new ATTRIBUTE_PACKED define
* src/Makefile.am src/libvirt_private.syms: add the new modules and symbols
* src/nwfilter/nwfilter_learnipaddr.[ch]: new module being added
* src/nwfilter/nwfilter_driver.c src/conf/nwfilter_conf.[ch]
  src/nwfilter/nwfilter_ebiptables_driver.[ch]
  src/nwfilter/nwfilter_gentech_driver.[ch]: plu the new functionality in
* tests/nwfilterxml2xmltest: extend testing
2010-04-07 23:12:21 +02:00
.gnulib@097c9ce08a build: import latest gnulib 2010-04-02 10:18:55 -06:00
build-aux build: update gnulib 2010-03-26 19:16:37 +01:00
daemon Remove unnecessary trailing \n in log messages 2010-04-06 01:41:58 +02:00
docs Fix for nwfilter: Add filter schema for nwfilter XML, extend domain XML schema 2010-04-06 16:40:49 -04:00
examples Improve the apparmor example 2010-04-06 23:01:24 +02:00
include Snapshot API framework. 2010-04-05 10:24:34 -04:00
m4 build: don't use "test cond1 -o cond2": it's not portable 2010-03-25 09:28:24 +01:00
po esx: Mark error messages for translation 2010-04-06 19:24:24 +02:00
proxy Fix linker errors in proxy 2010-03-31 23:21:34 +02:00
python Snapshot API framework. 2010-04-05 10:24:34 -04:00
src nwfilter: Support for learning a VM's IP address 2010-04-07 23:12:21 +02:00
tests nwfilter: Support for learning a VM's IP address 2010-04-07 23:12:21 +02:00
tools Document all options of virsh dumpxml 2010-04-07 21:32:46 +02:00
.gitignore maint: sort .gitignore 2010-02-23 21:32:04 +01:00
.gitmodules make .gnulib a submodule 2009-07-08 16:17:51 +02:00
.hgignore Add qemuhelptest to .*ignore files 2009-06-16 14:06:48 +00:00
.x-sc_avoid_ctype_macros exempt gnulib from ctype-macros prohibition 2008-10-28 17:36:31 +00:00
.x-sc_avoid_if_before_free avoid a "make syntax-check" failure 2009-07-09 20:00:37 +02:00
.x-sc_avoid_write Fully asynchronous monitor I/O processing 2009-11-10 13:27:18 +00:00
.x-sc_m4_quote_check syntax-check: enable more checks 2009-02-03 13:08:36 +00:00
.x-sc_prohibit_asprintf add .x-sc_prohibit_asprintf 2008-12-23 13:40:42 +00:00
.x-sc_prohibit_gethostby Various syntax-check fixes. 2009-10-26 10:34:05 +01:00
.x-sc_prohibit_gethostname Add a new syntax-check rule for gethostname. 2009-10-26 10:34:27 +01:00
.x-sc_prohibit_have_config_h maint: sync from coreutils 2009-01-29 18:06:19 +00:00
.x-sc_prohibit_HAVE_MBRTOWC maint: sync from coreutils 2009-01-29 18:06:19 +00:00
.x-sc_prohibit_nonreentrant Tighten up nonreentrant syntax-check. 2009-10-26 10:33:42 +01:00
.x-sc_prohibit_readlink Add a rule to check for uses of readlink. 2010-01-22 09:42:35 -05:00
.x-sc_prohibit_strcmp exempt gnulib/ from "make syntax-check" strcmp prohibition 2008-05-14 21:18:27 +00:00
.x-sc_prohibit_strcmp_and_strncmp Ignore docs/ directory for strcmp() syntax check 2009-11-23 11:58:13 +00:00
.x-sc_prohibit_strncpy Various syntax-check fixes. 2009-10-26 10:34:05 +01:00
.x-sc_prohibit_VIR_ERR_NO_MEMORY Various syntax-check fixes. 2009-10-26 10:34:05 +01:00
.x-sc_require_config_h Various syntax-check fixes. 2009-10-26 10:34:05 +01:00
.x-sc_require_config_h_first Misc syntax-check fixes 2009-09-21 14:41:47 +01:00
.x-sc_trailing_blank build: exempt *.ico files from the trailing blank check 2008-10-16 13:28:07 +00:00
.x-sc_unmarked_diagnostics build: import latest gnulib 2010-04-02 10:18:55 -06:00
acinclude.m4 maint: show which compiler warning triggered 2010-03-30 11:29:09 -06:00
AUTHORS maint: update AUTHORS 2010-03-31 08:50:42 -06:00
autobuild.sh Enable ESX driver build on Mingw32 2009-07-31 16:15:51 +01:00
autogen.sh build: improve check for out-of-date .gnulib submodule 2010-04-02 15:49:32 -06:00
bootstrap maint: relax git minimum version 2010-02-24 14:29:27 -05:00
bootstrap.conf bootstrap: Enable copy-mode for MinGW builds 2010-03-23 02:12:07 +01:00
cfg.mk build: avoid autogen on 'make clean' 2010-04-06 14:43:47 -06:00
ChangeLog-old generate ChangeLog from git logs into distribution tarball 2009-07-08 16:17:51 +02:00
configure.ac nwfilter: Support for learning a VM's IP address 2010-04-07 23:12:21 +02:00
COPYING.LIB remove all trailing blank lines 2009-07-16 15:06:42 +02:00
HACKING doc: fix typos in hacking.html.in; mark HACKING as read-only 2010-03-09 18:18:20 +01:00
libvirt.pc.in * libvirt.pc.in: applied patch from Daniel Berrange to fix --cflags 2006-03-24 13:18:12 +00:00
libvirt.spec.in nwfilter: Support for learning a VM's IP address 2010-04-07 23:12:21 +02:00
Makefile.am Add some examples filters 2010-03-26 18:01:17 +00:00
Makefile.nonreentrant syntax-check: enable prohibit_nonreentrant 2009-02-05 16:28:41 +00:00
mingw32-libvirt.spec.in Make pki_check.sh into an installed & supported tool 2009-09-21 14:41:46 +01:00
README Correct typos in the documentation (Atsushi SAKAI) 2008-01-24 10:15:13 +00:00
README-hacking maint: relax git minimum version 2010-02-24 14:29:27 -05:00
TODO Remove all trailing blanks; turn on the rule to detect them. 2008-02-05 19:27:37 +00:00

         LibVirt : simple API for virtualization

  Libvirt is a C toolkit to interact with the virtualization capabilities
of recent versions of Linux (and other OSes). It is free software
available under the GNU Lesser General Public License. Virtualization of
the Linux Operating System means the ability to run multiple instances of
Operating Systems concurrently on a single hardware system where the basic
resources are driven by a Linux instance. The library aim at providing
long term stable C API initially for the Xen paravirtualization but
should be able to integrate other virtualization mechanisms if needed.

Daniel Veillard <veillard@redhat.com>