From ab2444643bb5f1549a5d089d7988758837dfc96e Mon Sep 17 00:00:00 2001
Message-Id: <ab2444643bb5f1549a5d089d7988758837dfc96e@dist-git>
From: Laine Stump <laine@laine.org>
Date: Mon, 3 Nov 2014 10:00:15 -0500
Subject: [PATCH] conf: add trustGuestRxFilters attribute to network and domain
interface
https://bugzilla.redhat.com/show_bug.cgi?id=848199
This new attribute will control whether or not libvirt will pay
attention to guest notifications about changes to network device mac
addresses and receive filters. The default for this is 'no' (for
security reasons). If it is set to 'yes' *and* the specified device
model and connection support it (currently only macvtap+virtio) then
libvirt will watch for NIC_RX_FILTER_CHANGED events, and when it
receives one, it will issue a query-rx-filter command, retrieve the
result, and modify the host-side macvtap interface's mac address and
unicast/multicast filters accordingly.
The functionality behind this attribute will be in a later patch. This
patch merely adds the attribute to the top-level of a domain's
<interface> as well as to <network> and <portgroup>, and adds
documentation and schema/xml2xml tests. Rather than adding even more
test files, I've just added the net attribute in various applicable
places of existing test files.
(cherry picked from commit 07450cd42951d5007ab28d8e522f65d948181674)
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
docs/formatdomain.html.in | 40 +++++++++++++++++----
docs/formatnetwork.html.in | 29 +++++++++++++--
docs/schemas/domaincommon.rng | 5 +++
docs/schemas/network.rng | 10 ++++++
src/conf/domain_conf.c | 42 ++++++++++++++++++++++
src/conf/domain_conf.h | 3 ++
src/conf/network_conf.c | 36 +++++++++++++++++++
src/conf/network_conf.h | 2 ++
src/libvirt_private.syms | 1 +
tests/networkxml2xmlin/vepa-net.xml | 4 +--
tests/networkxml2xmlout/vepa-net.xml | 4 +--
.../qemuxml2argv-net-virtio-network-portgroup.xml | 4 +--
12 files changed, 164 insertions(+), 16 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
|
|
|
9119d9 |
index e00fe47..80af7fa 100644
|
|
|
9119d9 |
--- a/docs/formatdomain.html.in
|
|
|
9119d9 |
+++ b/docs/formatdomain.html.in
|
|
|
9119d9 |
@@ -3343,10 +3343,9 @@
|
|
|
9119d9 |
|
|
|
9119d9 |
...
|
|
|
9119d9 |
<devices>
|
|
|
9119d9 |
- <interface type='bridge'>
|
|
|
9119d9 |
- <source bridge='xenbr0'/>
|
|
|
9119d9 |
- <mac address='00:16:3e:5d:c7:9e'/>
|
|
|
9119d9 |
- <script path='vif-bridge'/>
|
|
|
9119d9 |
+ <interface type='direct' trustGuestRxFilters='yes'>
|
|
|
9119d9 |
+ <source dev='eth0'/>
|
|
|
9119d9 |
+ <mac address='52:54:00:5d:c7:9e'/>
|
|
|
9119d9 |
<boot order='1'/>
|
|
|
9119d9 |
<rom bar='off'/>
|
|
|
9119d9 |
</interface>
|
|
|
9119d9 |
@@ -3356,8 +3355,23 @@
|
|
|
9119d9 |
|
|
|
9119d9 |
There are several possibilities for specifying a network
|
|
|
9119d9 |
interface visible to the guest. Each subsection below provides
|
|
|
9119d9 |
- more details about common setup options. Additionally,
|
|
|
9119d9 |
- each <interface> element has an
|
|
|
9119d9 |
+ more details about common setup options.
|
|
|
9119d9 |
+
|
|
|
9119d9 |
+
|
|
|
9119d9 |
+ Since 1.2.10),
|
|
|
9119d9 |
+ the interface element
|
|
|
9119d9 |
+ property trustGuestRxFilters provides the
|
|
|
9119d9 |
+ capability for the host to detect and trust reports from the
|
|
|
9119d9 |
+ guest regarding changes to the interface mac address and receive
|
|
|
9119d9 |
+ filters by setting the attribute to yes . The default
|
|
|
9119d9 |
+ setting for the attribute is no for security
|
|
|
9119d9 |
+ reasons and support depends on the guest network device model as
|
|
|
9119d9 |
+ well as the type of connection on the host - currently it is
|
|
|
9119d9 |
+ only supported for the virtio ddevice model and for macvtap
|
|
|
9119d9 |
+ connections on the host.
|
|
|
9119d9 |
+
|
|
|
9119d9 |
+
|
|
|
9119d9 |
+ Each <interface> element has an
|
|
|
9119d9 |
optional <address> sub-element that can tie
|
|
|
9119d9 |
the interface to a particular pci slot, with
|
|
|
9119d9 |
attribute type='pci'
|
|
|
9119d9 |
@@ -3589,6 +3603,18 @@
|
|
|
9119d9 |
being the default mode. The individual modes cause the delivery of
|
|
|
9119d9 |
packets to behave as follows:
|
|
|
9119d9 |
|
|
|
9119d9 |
+
|
|
|
9119d9 |
+ If the model type is set to virtio and
|
|
|
9119d9 |
+ interface's trustGuestRxFilters attribute is set
|
|
|
9119d9 |
+ to yes , changes made to the interface mac address,
|
|
|
9119d9 |
+ unicast/multicast receive filters, and vlan settings in the
|
|
|
9119d9 |
+ guest will be monitored and propagated to the associated macvtap
|
|
|
9119d9 |
+ device on the host (Since
|
|
|
9119d9 |
+ 1.2.10). If trustGuestRxFilters is not set,
|
|
|
9119d9 |
+ or is not supported for the device model in use, an attempted
|
|
|
9119d9 |
+ change to the mac address originating from the guest side will
|
|
|
9119d9 |
+ result in a non-working network connection.
|
|
|
9119d9 |
+
|
|
|
9119d9 |
|
|
|
9119d9 |
|
|
|
9119d9 |
vepa
|
|
|
9119d9 |
@@ -3621,7 +3647,7 @@
|
|
|
9119d9 |
...
|
|
|
9119d9 |
<devices>
|
|
|
9119d9 |
...
|
|
|
9119d9 |
- <interface type='direct'>
|
|
|
9119d9 |
+ <interface type='direct' trustGuestRxFilters='no'>
|
|
|
9119d9 |
<source dev='eth0' mode='vepa'/>
|
|
|
9119d9 |
</interface>
|
|
|
9119d9 |
</devices>
|
|
|
9119d9 |
diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
|
|
|
9119d9 |
index 1a8ad8e..dc438ae 100644
|
|
|
9119d9 |
--- a/docs/formatnetwork.html.in
|
|
|
9119d9 |
+++ b/docs/formatnetwork.html.in
|
|
|
9119d9 |
@@ -35,7 +35,7 @@
|
|
|
9119d9 |
|
|
|
9119d9 |
|
|
|
9119d9 |
|
|
|
9119d9 |
- <network ipv6='yes'>
|
|
|
9119d9 |
+ <network ipv6='yes' trustGuestRxFilters='no'>
|
|
|
9119d9 |
<name>default</name>
|
|
|
9119d9 |
<uuid>3e3fce45-4f53-4fa7-bb32-11f34168b82b</uuid>
|
|
|
9119d9 |
...
|
|
|
9119d9 |
@@ -60,6 +60,16 @@
|
|
|
9119d9 |
to have guest-to-guest communications. For further information,
|
|
|
9119d9 |
see the example below for the example with no gateway addresses.
|
|
|
9119d9 |
Since 1.0.1
|
|
|
9119d9 |
+ trustGuestRxFilters='yes'
|
|
|
9119d9 |
+ The optional parameter trustGuestRxFilters can
|
|
|
9119d9 |
+ be used to set that attribute of the same name for each domain
|
|
|
9119d9 |
+ interface connected to this network (since
|
|
|
9119d9 |
+ 1.2.10). See
|
|
|
9119d9 |
+ the Network
|
|
|
9119d9 |
+ interfaces section of the domain XML documentation for
|
|
|
9119d9 |
+ more details. Note that an explicit setting of this attribute
|
|
|
9119d9 |
+ in a portgroup or the individual domain interface will
|
|
|
9119d9 |
+ override the setting in the network.
|
|
|
9119d9 |
|
|
|
9119d9 |
|
|
|
9119d9 |
|
|
|
9119d9 |
@@ -606,7 +616,7 @@
|
|
|
9119d9 |
<outbound average='1000' peak='5000' burst='5120'/>
|
|
|
9119d9 |
</bandwidth>
|
|
|
9119d9 |
</portgroup>
|
|
|
9119d9 |
- <portgroup name='sales'>
|
|
|
9119d9 |
+ <portgroup name='sales' trustGuestRxFilters='no'>
|
|
|
9119d9 |
<virtualport type='802.1Qbh'>
|
|
|
9119d9 |
<parameters profileid='salestest'/>
|
|
|
9119d9 |
</virtualport>
|
|
|
9119d9 |
@@ -626,7 +636,7 @@
|
|
|
9119d9 |
network can have multiple portgroup elements (and one of those
|
|
|
9119d9 |
can optionally be designated as the 'default' portgroup for the
|
|
|
9119d9 |
network), and each portgroup has a name, as well as various
|
|
|
9119d9 |
- subelements associated with it. The currently supported
|
|
|
9119d9 |
+ attributes and subelements associated with it. The currently supported
|
|
|
9119d9 |
subelements are <bandwidth>
|
|
|
9119d9 |
(described here)
|
|
|
9119d9 |
and <virtualport>
|
|
|
9119d9 |
@@ -650,6 +660,19 @@
|
|
|
9119d9 |
considered an error, and will prevent the interface from
|
|
|
9119d9 |
starting.
|
|
|
9119d9 |
|
|
|
9119d9 |
+
|
|
|
9119d9 |
+ portgroups also support the optional
|
|
|
9119d9 |
+ parameter trustGuestRxFilters which can be used to
|
|
|
9119d9 |
+ set that attribute of the same name for each domain interface
|
|
|
9119d9 |
+ using this portgroup (since
|
|
|
9119d9 |
+ 1.2.10). See
|
|
|
9119d9 |
+ the Network
|
|
|
9119d9 |
+ interfaces section of the domain XML documentation for more
|
|
|
9119d9 |
+ details. Note that an explicit setting of this attribute in the
|
|
|
9119d9 |
+ portgroup overrides the network-wide setting, and an explicit
|
|
|
9119d9 |
+ setting in the individual domain interface will override the
|
|
|
9119d9 |
+ setting in the portgroup.
|
|
|
9119d9 |
+
|
|
|
9119d9 |
|
|
|
9119d9 |
|
|
|
9119d9 |
|
|
|
9119d9 |
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
|
|
|
9119d9 |
index 8d96daa..c010c45 100644
|
|
|
9119d9 |
--- a/docs/schemas/domaincommon.rng
|
|
|
9119d9 |
+++ b/docs/schemas/domaincommon.rng
|
|
|
9119d9 |
@@ -2240,6 +2240,11 @@
|
|
|
9119d9 |
</interleave>
|
|
|
9119d9 |
</group>
|
|
|
9119d9 |
</choice>
|
|
|
9119d9 |
+ <optional>
|
|
|
9119d9 |
+ <attribute name="trustGuestRxFilters">
|
|
|
9119d9 |
+ <ref name="virYesNo"/>
|
|
|
9119d9 |
+ </attribute>
|
|
|
9119d9 |
+ </optional>
|
|
|
9119d9 |
</element>
|
|
|
9119d9 |
</define>
|
|
|
9119d9 |
|
|
|
9119d9 |
diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
|
|
|
9119d9 |
index d84ccc0..2783f86 100644
|
|
|
9119d9 |
--- a/docs/schemas/network.rng
|
|
|
9119d9 |
+++ b/docs/schemas/network.rng
|
|
|
9119d9 |
@@ -24,6 +24,11 @@
|
|
|
9119d9 |
<ref name="virYesNo"/>
|
|
|
9119d9 |
</attribute>
|
|
|
9119d9 |
</optional>
|
|
|
9119d9 |
+ <optional>
|
|
|
9119d9 |
+ <attribute name="trustGuestRxFilters">
|
|
|
9119d9 |
+ <ref name="virYesNo"/>
|
|
|
9119d9 |
+ </attribute>
|
|
|
9119d9 |
+ </optional>
|
|
|
9119d9 |
<interleave>
|
|
|
9119d9 |
|
|
|
9119d9 |
|
|
|
9119d9 |
@@ -197,6 +202,11 @@
|
|
|
9119d9 |
<ref name="virYesNo"/>
|
|
|
9119d9 |
</attribute>
|
|
|
9119d9 |
</optional>
|
|
|
9119d9 |
+ <optional>
|
|
|
9119d9 |
+ <attribute name="trustGuestRxFilters">
|
|
|
9119d9 |
+ <ref name="virYesNo"/>
|
|
|
9119d9 |
+ </attribute>
|
|
|
9119d9 |
+ </optional>
|
|
|
9119d9 |
<interleave>
|
|
|
9119d9 |
<optional>
|
|
|
9119d9 |
<ref name="virtualPortProfile"/>
|
|
|
9119d9 |
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
|
|
|
9119d9 |
index 58d5b80..8f16d10 100644
|
|
|
9119d9 |
--- a/src/conf/domain_conf.c
|
|
|
9119d9 |
+++ b/src/conf/domain_conf.c
|
|
|
9119d9 |
@@ -6776,6 +6776,7 @@ virDomainActualNetDefParseXML(xmlNodePtr node,
|
|
|
9119d9 |
char *type = NULL;
|
|
|
9119d9 |
char *mode = NULL;
|
|
|
9119d9 |
char *addrtype = NULL;
|
|
|
9119d9 |
+ char *trustGuestRxFilters = NULL;
|
|
|
9119d9 |
|
|
|
9119d9 |
if (VIR_ALLOC(actual) < 0)
|
|
|
9119d9 |
return -1;
|
|
|
9119d9 |
@@ -6803,6 +6804,16 @@ virDomainActualNetDefParseXML(xmlNodePtr node,
|
|
|
9119d9 |
goto error;
|
|
|
9119d9 |
}
|
|
|
9119d9 |
|
|
|
9119d9 |
+ trustGuestRxFilters = virXMLPropString(node, "trustGuestRxFilters");
|
|
|
9119d9 |
+ if (trustGuestRxFilters &&
|
|
|
9119d9 |
+ ((actual->trustGuestRxFilters
|
|
|
9119d9 |
+ = virTristateBoolTypeFromString(trustGuestRxFilters)) <= 0)) {
|
|
|
9119d9 |
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
|
|
|
9119d9 |
+ _("unknown trustGuestRxFilters value '%s'"),
|
|
|
9119d9 |
+ trustGuestRxFilters);
|
|
|
9119d9 |
+ goto error;
|
|
|
9119d9 |
+ }
|
|
|
9119d9 |
+
|
|
|
9119d9 |
virtPortNode = virXPathNode("./virtualport", ctxt);
|
|
|
9119d9 |
if (virtPortNode) {
|
|
|
9119d9 |
if (actual->type == VIR_DOMAIN_NET_TYPE_BRIDGE ||
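Review bot: The bad-value path added to virDomainActualNetDefParseXML reports `VIR_ERR_CONFIG_UNSUPPORTED`, while the network and portgroup parsers in src/conf/network_conf.c report `VIR_ERR_XML_ERROR` for the same malformed attribute; the identical block added to virDomainNetDefParseXML has the same mismatch. An unparsable yes/no string is an XML error rather than an unsupported configuration, so `virReportError(VIR_ERR_XML_ERROR,` here would keep all four parsers consistent for callers and log filters that key on the error code. The `<= 0` comparison also rejects the enum's index-0 name (presumably "default"), which matches the virYesNo schema; a one-line comment such as `/* only an explicit 'yes' or 'no' is accepted */` would make that intent visible. The function body starts and ends outside this hunk.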
|
|
|
9119d9 |
@@ -6898,6 +6909,7 @@ virDomainActualNetDefParseXML(xmlNodePtr node,
|
|
|
9119d9 |
VIR_FREE(type);
|
|
|
9119d9 |
VIR_FREE(mode);
|
|
|
9119d9 |
VIR_FREE(addrtype);
|
|
|
9119d9 |
+ VIR_FREE(trustGuestRxFilters);
|
|
|
9119d9 |
virDomainActualNetDefFree(actual);
|
|
|
9119d9 |
|
|
|
9119d9 |
ctxt->node = save_ctxt;
|
|
|
9119d9 |
@@ -6949,6 +6961,7 @@ virDomainNetDefParseXML(virDomainXMLOptionPtr xmlopt,
|
|
|
9119d9 |
char *vhostuser_mode = NULL;
|
|
|
9119d9 |
char *vhostuser_path = NULL;
|
|
|
9119d9 |
char *vhostuser_type = NULL;
|
|
|
9119d9 |
+ char *trustGuestRxFilters = NULL;
|
|
|
9119d9 |
virNWFilterHashTablePtr filterparams = NULL;
|
|
|
9119d9 |
virDomainActualNetDefPtr actual = NULL;
|
|
|
9119d9 |
xmlNodePtr oldnode = ctxt->node;
|
|
|
9119d9 |
@@ -6970,6 +6983,16 @@ virDomainNetDefParseXML(virDomainXMLOptionPtr xmlopt,
|
|
|
9119d9 |
def->type = VIR_DOMAIN_NET_TYPE_USER;
|
|
|
9119d9 |
}
|
|
|
9119d9 |
|
|
|
9119d9 |
+ trustGuestRxFilters = virXMLPropString(node, "trustGuestRxFilters");
|
|
|
9119d9 |
+ if (trustGuestRxFilters &&
|
|
|
9119d9 |
+ ((def->trustGuestRxFilters
|
|
|
9119d9 |
+ = virTristateBoolTypeFromString(trustGuestRxFilters)) <= 0)) {
|
|
|
9119d9 |
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
|
|
|
9119d9 |
+ _("unknown trustGuestRxFilters value '%s'"),
|
|
|
9119d9 |
+ trustGuestRxFilters);
|
|
|
9119d9 |
+ goto error;
|
|
|
9119d9 |
+ }
|
|
|
9119d9 |
+
|
|
|
9119d9 |
cur = node->children;
|
|
|
9119d9 |
while (cur != NULL) {
|
|
|
9119d9 |
if (cur->type == XML_ELEMENT_NODE) {
|
|
|
9119d9 |
@@ -7602,6 +7625,7 @@ virDomainNetDefParseXML(virDomainXMLOptionPtr xmlopt,
|
|
|
9119d9 |
VIR_FREE(mode);
|
|
|
9119d9 |
VIR_FREE(linkstate);
|
|
|
9119d9 |
VIR_FREE(addrtype);
|
|
|
9119d9 |
+ VIR_FREE(trustGuestRxFilters);
|
|
|
9119d9 |
virNWFilterHashTableFree(filterparams);
|
|
|
9119d9 |
|
|
|
9119d9 |
return def;
|
|
|
9119d9 |
@@ -16689,6 +16713,9 @@ virDomainActualNetDefFormat(virBufferPtr buf,
|
|
|
9119d9 |
if (hostdef && hostdef->managed)
|
|
|
9119d9 |
virBufferAddLit(buf, " managed='yes'");
|
|
|
9119d9 |
}
|
|
|
9119d9 |
+ if (def->trustGuestRxFilters)
|
|
|
9119d9 |
+ virBufferAsprintf(buf, " trustGuestRxFilters='%s'",
|
|
|
9119d9 |
+ virTristateBoolTypeToString(def->trustGuestRxFilters));
|
|
|
9119d9 |
virBufferAddLit(buf, ">\n");
|
|
|
9119d9 |
|
|
|
9119d9 |
virBufferAdjustIndent(buf, 2);
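Review bot: The attribute written into the `<actual>` element is taken from `def->trustGuestRxFilters`, whereas virDomainActualNetDefParseXML stores what it reads in `actual->trustGuestRxFilters` and the new getter reads `iface->data.network.actual->trustGuestRxFilters`. The signature is outside the hunk, but the `hostdef` context suggests `def` is the interface definition rather than the actual def; if so, the status XML records the interface-level value instead of the one resolved from the network or portgroup, and a daemon restart could re-read a different trust decision than the one in force. If that reading is right, format the resolved value instead, e.g. guard on `virDomainNetGetActualTrustGuestRxFilters(def)` and emit `virBufferAddLit(buf, " trustGuestRxFilters='yes'");`. If `def` is the actual def, a short comment saying so would settle it.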
|
|
|
9119d9 |
@@ -16846,6 +16873,9 @@ virDomainNetDefFormat(virBufferPtr buf,
|
|
|
9119d9 |
virBufferAsprintf(buf, "
|
|
|
9119d9 |
if (hostdef && hostdef->managed)
|
|
|
9119d9 |
virBufferAddLit(buf, " managed='yes'");
|
|
|
9119d9 |
+ if (def->trustGuestRxFilters)
|
|
|
9119d9 |
+ virBufferAsprintf(buf, " trustGuestRxFilters='%s'",
|
|
|
9119d9 |
+ virTristateBoolTypeToString(def->trustGuestRxFilters));
|
|
|
9119d9 |
virBufferAddLit(buf, ">\n");
|
|
|
9119d9 |
|
|
|
9119d9 |
virBufferAdjustIndent(buf, 2);
|
|
|
9119d9 |
@@ -20321,6 +20351,18 @@ virDomainNetGetActualVlan(virDomainNetDefPtr iface)
|
|
|
9119d9 |
return NULL;
|
|
|
9119d9 |
}
|
|
|
9119d9 |
|
|
|
9119d9 |
+
|
|
|
9119d9 |
+bool
|
|
|
9119d9 |
+virDomainNetGetActualTrustGuestRxFilters(virDomainNetDefPtr iface)
|
|
|
9119d9 |
+{
|
|
|
9119d9 |
+ if (iface->type == VIR_DOMAIN_NET_TYPE_NETWORK &&
|
|
|
9119d9 |
+ iface->data.network.actual)
|
|
|
9119d9 |
+ return (iface->data.network.actual->trustGuestRxFilters
|
|
|
9119d9 |
+ == VIR_TRISTATE_BOOL_YES);
|
|
|
9119d9 |
+ return iface->trustGuestRxFilters == VIR_TRISTATE_BOOL_YES;
|
|
|
9119d9 |
+}
|
|
|
9119d9 |
+
|
|
|
9119d9 |
+
|
|
|
9119d9 |
/* Return listens[i] from the appropriate union for the graphics
|
|
|
9119d9 |
* type, or NULL if this is an unsuitable type, or the index is out of
|
|
|
9119d9 |
* bounds. If force0 is TRUE, i == 0, and there is no listen array,
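Review bot: virDomainNetGetActualTrustGuestRxFilters has no header comment, and its precedence rule is security-relevant: once `iface->data.network.actual` exists, the interface's own `trustGuestRxFilters` is never consulted, so an absent value in the actual def returns false even when the interface XML says yes. That fails closed, which is the right default. It also means the code that fills in the actual def (not part of this patch) must merge the interface, portgroup and network settings in the order the documentation promises. I would add a comment along the lines of `/* Returns true only for an explicit 'yes'; absent and 'no' both mean the guest is not trusted. For type='network' with an actual def, only the actual def is consulted. */`. The trailing comment in this hunk belongs to the next function, which continues outside it.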
|
|
|
9119d9 |
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
|
|
|
9119d9 |
index 9da6d2d..21d19cf 100644
|
|
|
9119d9 |
--- a/src/conf/domain_conf.h
|
|
|
9119d9 |
+++ b/src/conf/domain_conf.h
|
|
|
9119d9 |
@@ -886,6 +886,7 @@ struct _virDomainActualNetDef {
|
|
|
9119d9 |
virNetDevVPortProfilePtr virtPortProfile;
|
|
|
9119d9 |
virNetDevBandwidthPtr bandwidth;
|
|
|
9119d9 |
virNetDevVlan vlan;
|
|
|
9119d9 |
+ int trustGuestRxFilters; /* enum virTristateBool */
|
|
|
9119d9 |
unsigned int class_id; /* class ID for bandwidth 'floor' */
|
|
|
9119d9 |
};
|
|
|
9119d9 |
|
|
|
9119d9 |
@@ -975,6 +976,7 @@ struct _virDomainNetDef {
|
|
|
9119d9 |
virNWFilterHashTablePtr filterparams;
|
|
|
9119d9 |
virNetDevBandwidthPtr bandwidth;
|
|
|
9119d9 |
virNetDevVlan vlan;
|
|
|
9119d9 |
+ int trustGuestRxFilters; /* enum virTristateBool */
|
|
|
9119d9 |
int linkstate;
|
|
|
9119d9 |
};
|
|
|
9119d9 |
|
|
|
9119d9 |
@@ -2487,6 +2489,7 @@ virDomainNetGetActualVirtPortProfile(virDomainNetDefPtr iface);
|
|
|
9119d9 |
virNetDevBandwidthPtr
|
|
|
9119d9 |
virDomainNetGetActualBandwidth(virDomainNetDefPtr iface);
|
|
|
9119d9 |
virNetDevVlanPtr virDomainNetGetActualVlan(virDomainNetDefPtr iface);
|
|
|
9119d9 |
+bool virDomainNetGetActualTrustGuestRxFilters(virDomainNetDefPtr iface);
|
|
|
9119d9 |
|
|
|
9119d9 |
int virDomainControllerInsert(virDomainDefPtr def,
|
|
|
9119d9 |
virDomainControllerDefPtr controller)
|
|
|
9119d9 |
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
|
|
|
9119d9 |
index 9571ee1..863d0e2 100644
|
|
|
9119d9 |
--- a/src/conf/network_conf.c
|
|
|
9119d9 |
+++ b/src/conf/network_conf.c
|
|
|
9119d9 |
@@ -1615,6 +1615,7 @@ virNetworkPortGroupParseXML(virPortGroupDefPtr def,
|
|
|
9119d9 |
xmlNodePtr vlanNode;
|
|
|
9119d9 |
xmlNodePtr bandwidth_node;
|
|
|
9119d9 |
char *isDefault = NULL;
|
|
|
9119d9 |
+ char *trustGuestRxFilters = NULL;
|
|
|
9119d9 |
|
|
|
9119d9 |
int result = -1;
|
|
|
9119d9 |
|
|
|
9119d9 |
@@ -1632,6 +1633,18 @@ virNetworkPortGroupParseXML(virPortGroupDefPtr def,
|
|
|
9119d9 |
isDefault = virXPathString("string(./@default)", ctxt);
|
|
|
9119d9 |
def->isDefault = isDefault && STRCASEEQ(isDefault, "yes");
|
|
|
9119d9 |
|
|
|
9119d9 |
+ trustGuestRxFilters
|
|
|
9119d9 |
+ = virXPathString("string(./@trustGuestRxFilters)", ctxt);
|
|
|
9119d9 |
+ if (trustGuestRxFilters) {
|
|
|
9119d9 |
+ if ((def->trustGuestRxFilters
|
|
|
9119d9 |
+ = virTristateBoolTypeFromString(trustGuestRxFilters)) <= 0) {
|
|
|
9119d9 |
+ virReportError(VIR_ERR_XML_ERROR,
|
|
|
9119d9 |
+ _("Invalid trustGuestRxFilters setting '%s' "
|
|
|
9119d9 |
+ "in portgroup"), trustGuestRxFilters);
|
|
|
9119d9 |
+ goto cleanup;
|
|
|
9119d9 |
+ }
|
|
|
9119d9 |
+ }
|
|
|
9119d9 |
+
|
|
|
9119d9 |
virtPortNode = virXPathNode("./virtualport", ctxt);
|
|
|
9119d9 |
if (virtPortNode &&
|
|
|
9119d9 |
(!(def->virtPortProfile = virNetDevVPortProfileParse(virtPortNode, 0)))) {
|
|
|
9119d9 |
@@ -1654,6 +1667,7 @@ virNetworkPortGroupParseXML(virPortGroupDefPtr def,
|
|
|
9119d9 |
virPortGroupDefClear(def);
|
|
|
9119d9 |
}
|
|
|
9119d9 |
VIR_FREE(isDefault);
|
|
|
9119d9 |
+ VIR_FREE(trustGuestRxFilters);
|
|
|
9119d9 |
|
|
|
9119d9 |
ctxt->node = save;
|
|
|
9119d9 |
return result;
|
|
|
9119d9 |
@@ -2013,6 +2027,7 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt)
|
|
|
9119d9 |
xmlNodePtr virtPortNode = NULL;
|
|
|
9119d9 |
xmlNodePtr forwardNode = NULL;
|
|
|
9119d9 |
char *ipv6nogwStr = NULL;
|
|
|
9119d9 |
+ char *trustGuestRxFilters = NULL;
|
|
|
9119d9 |
xmlNodePtr save = ctxt->node;
|
|
|
9119d9 |
xmlNodePtr bandwidthNode = NULL;
|
|
|
9119d9 |
xmlNodePtr vlanNode;
|
|
|
9119d9 |
@@ -2062,6 +2077,20 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt)
|
|
|
9119d9 |
VIR_FREE(ipv6nogwStr);
|
|
|
9119d9 |
}
|
|
|
9119d9 |
|
|
|
9119d9 |
+ trustGuestRxFilters
|
|
|
9119d9 |
+ = virXPathString("string(./@trustGuestRxFilters)", ctxt);
|
|
|
9119d9 |
+ if (trustGuestRxFilters) {
|
|
|
9119d9 |
+ if ((def->trustGuestRxFilters
|
|
|
9119d9 |
+ = virTristateBoolTypeFromString(trustGuestRxFilters)) <= 0) {
|
|
|
9119d9 |
+ virReportError(VIR_ERR_XML_ERROR,
|
|
|
9119d9 |
+ _("Invalid trustGuestRxFilters setting '%s' "
|
|
|
9119d9 |
+ "in network '%s'"),
|
|
|
9119d9 |
+ trustGuestRxFilters, def->name);
|
|
|
9119d9 |
+ goto error;
|
|
|
9119d9 |
+ }
|
|
|
9119d9 |
+ VIR_FREE(trustGuestRxFilters);
|
|
|
9119d9 |
+ }
|
|
|
9119d9 |
+
|
|
|
9119d9 |
/* Parse network domain information */
|
|
|
9119d9 |
def->domain = virXPathString("string(./domain[1]/@name)", ctxt);
|
|
|
9119d9 |
|
|
|
9119d9 |
@@ -2295,6 +2324,7 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt)
|
|
|
9119d9 |
VIR_FREE(ipNodes);
|
|
|
9119d9 |
VIR_FREE(portGroupNodes);
|
|
|
9119d9 |
VIR_FREE(ipv6nogwStr);
|
|
|
9119d9 |
+ VIR_FREE(trustGuestRxFilters);
|
|
|
9119d9 |
ctxt->node = save;
|
|
|
9119d9 |
return NULL;
|
|
|
9119d9 |
}
|
|
|
9119d9 |
@@ -2589,6 +2619,9 @@ virPortGroupDefFormat(virBufferPtr buf,
|
|
|
9119d9 |
if (def->isDefault) {
|
|
|
9119d9 |
virBufferAddLit(buf, " default='yes'");
|
|
|
9119d9 |
}
|
|
|
9119d9 |
+ if (def->trustGuestRxFilters)
|
|
|
9119d9 |
+ virBufferAsprintf(buf, " trustGuestRxFilters='%s'",
|
|
|
9119d9 |
+ virTristateBoolTypeToString(def->trustGuestRxFilters));
|
|
|
9119d9 |
virBufferAddLit(buf, ">\n");
|
|
|
9119d9 |
virBufferAdjustIndent(buf, 2);
|
|
|
9119d9 |
if (virNetDevVlanFormat(&def->vlan, buf) < 0)
|
|
|
9119d9 |
@@ -2667,6 +2700,9 @@ virNetworkDefFormatBuf(virBufferPtr buf,
|
|
|
9119d9 |
}
|
|
|
9119d9 |
if (def->ipv6nogw)
|
|
|
9119d9 |
virBufferAddLit(buf, " ipv6='yes'");
|
|
|
9119d9 |
+ if (def->trustGuestRxFilters)
|
|
|
9119d9 |
+ virBufferAsprintf(buf, " trustGuestRxFilters='%s'",
|
|
|
9119d9 |
+ virTristateBoolTypeToString(def->trustGuestRxFilters));
|
|
|
9119d9 |
virBufferAddLit(buf, ">\n");
|
|
|
9119d9 |
virBufferAdjustIndent(buf, 2);
|
|
|
9119d9 |
virBufferEscapeString(buf, "<name>%s</name>\n", def->name);
|
|
|
9119d9 |
diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
|
|
|
9119d9 |
index 7ed58cd..660cd2d 100644
|
|
|
9119d9 |
--- a/src/conf/network_conf.h
|
|
|
9119d9 |
+++ b/src/conf/network_conf.h
|
|
|
9119d9 |
@@ -219,6 +219,7 @@ struct _virPortGroupDef {
|
|
|
9119d9 |
virNetDevVPortProfilePtr virtPortProfile;
|
|
|
9119d9 |
virNetDevBandwidthPtr bandwidth;
|
|
|
9119d9 |
virNetDevVlan vlan;
|
|
|
9119d9 |
+ int trustGuestRxFilters; /* enum virTristateBool */
|
|
|
9119d9 |
};
|
|
|
9119d9 |
|
|
|
9119d9 |
typedef struct _virNetworkDef virNetworkDef;
|
|
|
9119d9 |
@@ -256,6 +257,7 @@ struct _virNetworkDef {
|
|
|
9119d9 |
virPortGroupDefPtr portGroups;
|
|
|
9119d9 |
virNetDevBandwidthPtr bandwidth;
|
|
|
9119d9 |
virNetDevVlan vlan;
|
|
|
9119d9 |
+ int trustGuestRxFilters; /* enum virTristateBool */
|
|
|
9119d9 |
};
|
|
|
9119d9 |
|
|
|
9119d9 |
typedef struct _virNetworkObj virNetworkObj;
|
|
|
9119d9 |
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
|
|
|
9119d9 |
index 401bbb5..9ec9716 100644
|
|
|
9119d9 |
--- a/src/libvirt_private.syms
|
|
|
9119d9 |
+++ b/src/libvirt_private.syms
|
|
|
9119d9 |
@@ -330,6 +330,7 @@ virDomainNetGetActualBridgeName;
|
|
|
9119d9 |
virDomainNetGetActualDirectDev;
|
|
|
9119d9 |
virDomainNetGetActualDirectMode;
|
|
|
9119d9 |
virDomainNetGetActualHostdev;
|
|
|
9119d9 |
+virDomainNetGetActualTrustGuestRxFilters;
|
|
|
9119d9 |
virDomainNetGetActualType;
|
|
|
9119d9 |
virDomainNetGetActualVirtPortProfile;
|
|
|
9119d9 |
virDomainNetGetActualVlan;
|
|
|
9119d9 |
diff --git a/tests/networkxml2xmlin/vepa-net.xml b/tests/networkxml2xmlin/vepa-net.xml
|
|
|
9119d9 |
index 030c1d1..07c59c5 100644
|
|
|
9119d9 |
--- a/tests/networkxml2xmlin/vepa-net.xml
|
|
|
9119d9 |
+++ b/tests/networkxml2xmlin/vepa-net.xml
|
|
|
9119d9 |
@@ -1,4 +1,4 @@
|
|
|
9119d9 |
-<network>
|
|
|
9119d9 |
+<network trustGuestRxFilters="no">
|
|
|
9119d9 |
<name>vepa-net</name>
|
|
|
9119d9 |
<uuid>81ff0d90-c91e-6742-64da-4a736edb9a8b</uuid>
|
|
|
9119d9 |
<forward mode="vepa">
|
|
|
9119d9 |
@@ -14,7 +14,7 @@
|
|
|
9119d9 |
<parameters typeid="2193047" typeidversion="3"/>
|
|
|
9119d9 |
</virtualport>
|
|
|
9119d9 |
</portgroup>
|
|
|
9119d9 |
- <portgroup name="alice">
|
|
|
9119d9 |
+ <portgroup name="alice" trustGuestRxFilters="yes">
|
|
|
9119d9 |
<virtualport type="802.1Qbg">
|
|
|
9119d9 |
<parameters managerid="13"/>
|
|
|
9119d9 |
</virtualport>
|
|
|
9119d9 |
diff --git a/tests/networkxml2xmlout/vepa-net.xml b/tests/networkxml2xmlout/vepa-net.xml
|
|
|
9119d9 |
index 4d35a8a..b266620 100644
|
|
|
9119d9 |
--- a/tests/networkxml2xmlout/vepa-net.xml
|
|
|
9119d9 |
+++ b/tests/networkxml2xmlout/vepa-net.xml
|
|
|
9119d9 |
@@ -1,4 +1,4 @@
|
|
|
9119d9 |
-<network>
|
|
|
9119d9 |
+<network trustGuestRxFilters='no'>
|
|
|
9119d9 |
<name>vepa-net</name>
|
|
|
9119d9 |
<uuid>81ff0d90-c91e-6742-64da-4a736edb9a8b</uuid>
|
|
|
9119d9 |
<forward dev='eth1' mode='vepa'>
|
|
|
9119d9 |
@@ -14,7 +14,7 @@
|
|
|
9119d9 |
<parameters typeid='2193047' typeidversion='3'/>
|
|
|
9119d9 |
</virtualport>
|
|
|
9119d9 |
</portgroup>
|
|
|
9119d9 |
- <portgroup name='alice'>
|
|
|
9119d9 |
+ <portgroup name='alice' trustGuestRxFilters='yes'>
|
|
|
9119d9 |
<virtualport type='802.1Qbg'>
|
|
|
9119d9 |
<parameters managerid='13'/>
|
|
|
9119d9 |
</virtualport>
|
|
|
9119d9 |
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-net-virtio-network-portgroup.xml b/tests/qemuxml2argvdata/qemuxml2argv-net-virtio-network-portgroup.xml
|
|
|
9119d9 |
index 950a9db..6cba439 100644
|
|
|
9119d9 |
--- a/tests/qemuxml2argvdata/qemuxml2argv-net-virtio-network-portgroup.xml
|
|
|
9119d9 |
+++ b/tests/qemuxml2argvdata/qemuxml2argv-net-virtio-network-portgroup.xml
|
|
|
9119d9 |
@@ -22,7 +22,7 @@
|
|
|
9119d9 |
<controller type='usb' index='0'/>
|
|
|
9119d9 |
<controller type='ide' index='0'/>
|
|
|
9119d9 |
<controller type='pci' index='0' model='pci-root'/>
|
|
|
9119d9 |
- <interface type='network'>
|
|
|
9119d9 |
+ <interface type='network' trustGuestRxFilters='yes'>
|
|
|
9119d9 |
<mac address='00:11:22:33:44:55'/>
|
|
|
9119d9 |
<source network='rednet' portgroup='bob'/>
|
|
|
9119d9 |
<vlan>
|
|
|
9119d9 |
@@ -33,7 +33,7 @@
|
|
|
9119d9 |
</virtualport>
|
|
|
9119d9 |
<model type='virtio'/>
|
|
|
9119d9 |
</interface>
|
|
|
9119d9 |
- <interface type='network'>
|
|
|
9119d9 |
+ <interface type='network' trustGuestRxFilters='no'>
|
|
|
9119d9 |
<mac address='10:11:22:33:44:55'/>
|
|
|
9119d9 |
<source network='blue' portgroup='sam'/>
|
|
|
9119d9 |
<virtualport>
--
2.1.3