authorStefan Berger <stefanb@linux.vnet.ibm.com>2012-05-21 06:26:34 -0400
committerStefan Berger <stefanb@us.ibm.com>2012-05-21 06:26:34 -0400
commita3f3ab4c9cd54b07b271233928663d55dc52602f (patch)
tree1c144a9ade52fba160943265660206ea81174777 /src/conf/nwfilter_conf.h
parentbuild: fix virnetlink on glibc 2.11 (diff)
nwfilter: Add support for ipset
This patch adds support for the recent ipset iptables extension to libvirt's nwfilter subsystem. Ipset allows one to maintain 'sets' of IP addresses, ports and other packet parameters and allows for faster lookup (in the order of O(1) vs. O(n)) and rule evaluation to achieve higher throughput than what can be achieved with individual iptables rules. On the command line iptables supports ipset using iptables ... -m set --match-set <ipset name> <flags> -j ... where 'ipset name' is the name of a previously created ipset and flags is a comma-separated list of up to 6 flags. Flags use 'src' and 'dst' for selecting IP addresses, ports etc. from the source or destination part of a packet. So a concrete example may look like this: iptables -A INPUT -m set --match-set test src,src -j ACCEPT. Since ipset management is quite complex, the idea was to leave ipset management outside of libvirt but still allow users to reference an ipset. The user would have to make sure the ipset is available by the time the VM is started so that the iptables rule(s) referencing the ipset can be created. Using XML to describe an ipset in an nwfilter rule would then look as follows: <rule action='accept' direction='in'> <all ipset='test' ipsetflags='src,src'/> </rule> The two parameters on the command line are also the two distinct XML attributes 'ipset' and 'ipsetflags'. FYI: Here is the man page for ipset: https://ipset.netfilter.org/ipset.man.html Regards, Stefan
Diffstat (limited to 'src/conf/nwfilter_conf.h')
-rw-r--r--src/conf/nwfilter_conf.h14
1 files changed, 13 insertions, 1 deletions
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index a9a55c7e6..a52826d2c 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -79,6 +79,7 @@ enum virNWFilterEntryItemFlags {
# define MAX_COMMENT_LENGTH 256
+# define MAX_IPSET_NAME_LENGTH 32 /* incl. terminating '\0' */
# define HAS_ENTRY_ITEM(data) \
(((data)->flags) & NWFILTER_ENTRY_ITEM_FLAG_EXISTS)
@@ -103,8 +104,10 @@ enum attrDatatype {
DATATYPE_BOOLEAN = (1 << 12),
DATATYPE_UINT32 = (1 << 13),
DATATYPE_UINT32_HEX = (1 << 14),
+ DATATYPE_IPSETNAME = (1 << 15),
+ DATATYPE_IPSETFLAGS = (1 << 16),
- DATATYPE_LAST = (1 << 15),
+ DATATYPE_LAST = (1 << 17),
};
# define NWFILTER_MAC_BGA "01:80:c2:00:00:00"
@@ -136,9 +139,16 @@ struct _nwItemDesc {
uint8_t mask;
uint8_t flags;
} tcpFlags;
+ struct {
+ char setname[MAX_IPSET_NAME_LENGTH];
+ uint8_t numFlags;
+ uint8_t flags;
+ } ipset;
} u;
};
+# define VALID_IPSETNAME \
+ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.:-+ "
typedef struct _ethHdrDataDef ethHdrDataDef;
typedef ethHdrDataDef *ethHdrDataDefPtr;
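Review bot: The character class added as `VALID_IPSETNAME` ends with a literal space, so a set name containing whitespace passes validation; if the `--match-set <name> <flags>` text is later emitted into a shell command string rather than passed as a separate argv element (the emitter is not in this hunk), a name like `test src` would split into two arguments and silently change the generated iptables rule. Unless whitespace in set names is intentional and the emitter quotes the name, drop the trailing blank: `"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.:-+"`. Since `setname` is a fixed 32-byte array, the parser that fills it (outside this header) must reject names of 32 or more characters so the terminator always fits, and a short comment on `numFlags`/`flags` stating how the up-to-six src/dst selections are encoded (presumably one bit per flag) would help readers of this union member. The enclosing `struct _nwItemDesc` begins before this hunk.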
@@ -232,6 +242,8 @@ struct _ipHdrDataDef {
nwItemDesc dataState;
nwItemDesc dataConnlimitAbove;
nwItemDesc dataComment;
+ nwItemDesc dataIPSet;
+ nwItemDesc dataIPSetFlags;
};