With hunks borrowed from one of David Steven's previous patches, we now
add the capability of having a 'mac' chain which is useful to filter
for multiple valid MAC addresses.
Signed-off-by: David L Stevens dlstev...@us.ibm.com
Signed-off-by: Stefan Berger stef...@linux.vnet.ibm.com
---
docs/schemas/nwfilter.rng |3 +++
src/conf/nwfilter_conf.c |2 ++
src/conf/nwfilter_conf.h |2 ++
src/nwfilter/nwfilter_ebiptables_driver.c | 16 ++--
4 files changed, 21 insertions(+), 2 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -177,6 +177,7 @@ enum l3_proto_idx {
L3_PROTO_IPV6_IDX,
L3_PROTO_ARP_IDX,
L3_PROTO_RARP_IDX,
+L2_PROTO_MAC_IDX,
L2_PROTO_VLAN_IDX,
L3_PROTO_LAST_IDX
};
@@ -189,6 +190,7 @@ static const struct ushort_map l3_protoc
USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP , arp),
USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, rarp),
USHORTMAP_ENTRY_IDX(L2_PROTO_VLAN_IDX, ETHERTYPE_VLAN , vlan),
+USHORTMAP_ENTRY_IDX(L2_PROTO_MAC_IDX, 0 , mac),
USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0 , NULL),
};
@@ -2905,11 +2907,21 @@ ebtablesCreateTmpSubChain(ebiptablesRule
char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
char chainPrefix = (incoming) ? CHAINPREFIX_HOST_IN_TEMP
: CHAINPREFIX_HOST_OUT_TEMP;
+char protostr[16] = { 0, };
PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
PRINT_CHAIN(chain, chainPrefix, ifname,
(filtername) ? filtername : l3_protocols[protoidx].val);
+switch (protoidx) {
+case L2_PROTO_MAC_IDX:
+break;
+default:
+snprintf(protostr, sizeof(protostr), -p 0x%04x ,
+ l3_protocols[protoidx].attr);
+break;
+}
+
virBufferAsprintf(buf,
CMD_DEF(%s -t %s -F %s) CMD_SEPARATOR
CMD_EXEC
@@ -2918,7 +2930,7 @@ ebtablesCreateTmpSubChain(ebiptablesRule
CMD_DEF(%s -t %s -N %s) CMD_SEPARATOR
CMD_EXEC
%s
- CMD_DEF(%s -t %s -%%c %s %%s -p 0x%x -j %s)
+ CMD_DEF(%s -t %s -%%c %s %%s %s -j %s)
CMD_SEPARATOR
CMD_EXEC
%s,
@@ -2930,7 +2942,7 @@ ebtablesCreateTmpSubChain(ebiptablesRule
CMD_STOPONERR(stopOnError),
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
- rootchain, l3_protocols[protoidx].attr, chain,
+ rootchain, protostr, chain,
CMD_STOPONERR(stopOnError));
Index: libvirt-acl/src/conf/nwfilter_conf.c
===
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -82,6 +82,7 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable,
VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
root,
+ mac,
vlan,
arp,
rarp,
@@ -128,6 +129,7 @@ struct int_map {
static const struct int_map chain_priorities[] = {
INTMAP_ENTRY(NWFILTER_ROOT_FILTER_PRI, root),
+INTMAP_ENTRY(NWFILTER_MAC_FILTER_PRI, mac),
INTMAP_ENTRY(NWFILTER_VLAN_FILTER_PRI, vlan),
INTMAP_ENTRY(NWFILTER_IPV4_FILTER_PRI, ipv4),
INTMAP_ENTRY(NWFILTER_IPV6_FILTER_PRI, ipv6),
Index: libvirt-acl/src/conf/nwfilter_conf.h
===
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -378,6 +378,7 @@ enum virNWFilterEbtablesTableType {
# define NWFILTER_MAX_FILTER_PRIORITY MAX_RULE_PRIORITY
# define NWFILTER_ROOT_FILTER_PRI 0
+# define NWFILTER_MAC_FILTER_PRI -800
# define NWFILTER_VLAN_FILTER_PRI -750
# define NWFILTER_IPV4_FILTER_PRI -700
# define NWFILTER_IPV6_FILTER_PRI -600
@@ -456,6 +457,7 @@ struct _virNWFilterEntry {
enum virNWFilterChainSuffixType {
VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
+VIR_NWFILTER_CHAINSUFFIX_MAC,
VIR_NWFILTER_CHAINSUFFIX_VLAN,
VIR_NWFILTER_CHAINSUFFIX_ARP,
VIR_NWFILTER_CHAINSUFFIX_RARP,
Index: libvirt-acl/docs/schemas/nwfilter.rng
===
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -297,6 +297,9 @@
choice
valueroot/value
data type=string
+param name=patternmac[a-zA-Z0-9_\.:-]*/param
+ /data
+ data type=string
param