-we now use a new pve-bridge-fw script if the firewall is enabled. -we also need to pass the fwenable value to tap_plug (if the user changes the vlan, bridge or firewall setting of the interface while the VM is running)
-we also need to pass vmfw_conf to device hotplug
Signed-off-by: Alexandre Derumier <[email protected]>
---
Makefile | 1 +
PVE/API2/Qemu.pm | 13 +++++++++----
PVE/QemuServer.pm | 30 ++++++++++++++++++++----------
pve-bridge | 2 +-
pve-bridge-fw | 35 +++++++++++++++++++++++++++++++++++
5 files changed, 66 insertions(+), 15 deletions(-)
create mode 100755 pve-bridge-fw
diff --git a/Makefile b/Makefile
index 99dc897..535ad92 100644
--- a/Makefile
+++ b/Makefile
@@ -81,6 +81,7 @@ install: ${PKGSOURCES}
 install -D -m 0755 qmupdate ${DESTDIR}${VARLIBDIR}/qmupdate
 install -D -m 0755 qemu.init.d ${DESTDIR}/etc/init.d/${PACKAGE}
 install -m 0755 pve-bridge ${DESTDIR}${VARLIBDIR}/pve-bridge
+ install -m 0755 pve-bridge-fw ${DESTDIR}${VARLIBDIR}/pve-bridge-fw
 install -m 0755 pve-bridgedown ${DESTDIR}${VARLIBDIR}/pve-bridgedown
 install -s -m 0755 vmtar ${DESTDIR}${LIBDIR}
 install -s -m 0755 sparsecp ${DESTDIR}${LIBDIR}
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index e7d49d9..460931c 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -820,7 +820,7 @@ my $vmconfig_update_disk = sub {
 };
 my $vmconfig_update_net = sub {
- my ($rpcenv, $authuser, $conf, $storecfg, $vmid, $opt, $value) = @_;
+ my ($rpcenv, $authuser, $conf, $storecfg, $vmid, $opt, $value, $vmfw_conf) = @_;
 if ($conf->{$opt} && PVE::QemuServer::check_running($vmid)) {
 my $oldnet = PVE::QemuServer::parse_net($conf->{$opt});
@@ -840,7 +840,11 @@ my $vmconfig_update_net = sub {
 if(($newnet->{bridge} ne $oldnet->{bridge}) || ($newnet->{tag} ne $oldnet->{tag}) || ($newnet->{firewall} ne $oldnet->{firewall})){
 eval{PVE::Network::tap_unplug($iface, $oldnet->{bridge}, $oldnet->{tag}, $oldnet->{firewall});};
- PVE::Network::tap_plug($iface, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall});
+
+ my $fwenable = $vmfw_conf->{options}->{enable};
+ $fwenable = $newnet->{firewall} if $fwenable;
+
+ PVE::Network::tap_plug($iface, $newnet->{bridge}, $newnet->{tag}, $fwenable);
 }
 }else{
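Review bot: The unplug and the replug in the `@@ -840` hunk disagree on what "firewall" means: tap_unplug is still handed the raw `$oldnet->{firewall}` flag, while tap_plug now gets that flag masked by the VM-level `options.enable`, so with the VM firewall off and the NIC flag set the old tap is unplugged as if it had been firewalled although it was plugged without one. Whether tap_unplug tolerates that depends on PVE::Network, which is outside this patch, but deriving both values from one rule avoids the question: hoist `my $fwenable = $vmfw_conf->{options}->{enable};` above the eval, then call `tap_unplug($iface, $oldnet->{bridge}, $oldnet->{tag}, $fwenable ? $oldnet->{firewall} : 0)` and `tap_plug($iface, $newnet->{bridge}, $newnet->{tag}, $fwenable ? $newnet->{firewall} : 0)`. Note also that the surrounding condition compares NIC fields only, so toggling just the VM-level enable flag never reaches this branch and a running VM keeps its previous plug state until the NIC itself is edited or the VM restarts; if that is intended it deserves a comment here. `$vmconfig_update_net` continues outside the hunk.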
@@ -856,7 +860,7 @@ my $vmconfig_update_net = sub {
 my $net = PVE::QemuServer::parse_net($conf->{$opt});
- die "error hotplug $opt" if !PVE::QemuServer::vm_deviceplug($storecfg, $conf, $vmid, $opt, $net);
+ die "error hotplug $opt" if !PVE::QemuServer::vm_deviceplug($storecfg, $conf, $vmid, $opt, $net, $vmfw_conf);
 };
 # POST/PUT {vmid}/config implementation
@@ -945,6 +949,7 @@ my $update_vm_api = sub {
 my $updatefn = sub {
 my $conf = PVE::QemuServer::load_config($vmid);
+ my $vmfw_conf = PVE::Firewall::load_vmfw_conf($vmid);
 die "checksum missmatch (file change by other user?)\n" if $digest && $digest ne $conf->{digest};
@@ -986,7 +991,7 @@ my $update_vm_api = sub {
 } elsif ($opt =~ m/^net(\d+)$/) { #nics
 &$vmconfig_update_net($rpcenv, $authuser, $conf, $storecfg, $vmid,
- $opt, $param->{$opt});
+ $opt, $param->{$opt}, $vmfw_conf);
 } else {
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 4f93f34..765c8be 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -30,6 +30,7 @@ use PVE::ProcFSTools;
 use PVE::QMPClient;
 use PVE::RPCEnvironment;
 use Time::HiRes qw(gettimeofday);
+use PVE::Firewall;
 my $cpuinfo = PVE::ProcFSTools::read_cpuinfo();
@@ -1181,7 +1182,7 @@ sub print_netdevice_full {
 }
 sub print_netdev_full {
- my ($vmid, $conf, $net, $netid) = @_;
+ my ($vmid, $conf, $net, $netid, $vmfw_conf) = @_;
 my $i = '';
 if ($netid =~ m/^net(\d+)$/) {
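Review bot: The `$update_vm_api` hunk calls `PVE::Firewall::load_vmfw_conf` from PVE/API2/Qemu.pm, but this patch adds `use PVE::Firewall;` only to PVE/QemuServer.pm, so unless API2/Qemu.pm already imports it outside the visible hunks the call resolves only because QemuServer.pm happens to load the module first. Add `use PVE::Firewall;` to API2/Qemu.pm's own import block so the dependency is explicit and does not break when QemuServer's imports are reshuffled. load_vmfw_conf is now on the path of every config update, so if it can die on a missing or malformed firewall file (PVE::Firewall is not in this patch, so this needs confirming) an unrelated edit such as changing memory would start failing with a firewall error; it would be safer to load it only in the `net\d+` branch that actually needs it, or to verify it returns an empty config in that case. `$update_vm_api` and `$vmconfig_update_net` both start and end outside these hunks.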
@@ -1202,7 +1203,14 @@ sub print_netdev_full {
 my $vmname = $conf->{name} || "vm$vmid";
 if ($net->{bridge}) {
- return "type=tap,id=$netid,ifname=${ifname},script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown$vhostparam";
+
+ my $fwenable = $vmfw_conf->{options}->{enable};
+ $fwenable = $net->{firewall} if $fwenable;
+
+ my $bridgescript = "pve-bridge";
+ $bridgescript .= "-fw" if $fwenable;
+
+ return "type=tap,id=$netid,ifname=${ifname},script=/var/lib/qemu-server/$bridgescript,downscript=/var/lib/qemu-server/pve-bridgedown$vhostparam";
 } else {
 return "type=user,id=$netid,hostname=$vmname";
 }
@@ -2282,7 +2290,7 @@ sub vga_conf_has_spice {
 }
 sub config_to_command {
- my ($storecfg, $vmid, $conf, $defaults, $forcemachine) = @_;
+ my ($storecfg, $vmid, $conf, $defaults, $forcemachine, $vmfw_conf) = @_;
 my $cmd = [];
 my $globalFlags = [];
@@ -2631,7 +2639,7 @@ sub config_to_command {
 $bootindex_hash->{n} += 1;
 }
- my $netdevfull = print_netdev_full($vmid,$conf,$d,"net$i");
+ my $netdevfull = print_netdev_full($vmid,$conf,$d,"net$i", $vmfw_conf);
 push @$devices, '-netdev', $netdevfull;
 my $netdevicefull = print_netdevice_full($vmid,$conf,$d,"net$i",$bridges);
@@ -2720,7 +2728,7 @@ sub vm_devices_list {
 }
 sub vm_deviceplug {
- my ($storecfg, $conf, $vmid, $deviceid, $device, $vmfw_conf) = @_;
+ my ($storecfg, $conf, $vmid, $deviceid, $device, $vmfw_conf) = @_;
 return 1 if !check_running($vmid);
@@ -2767,7 +2775,7 @@ sub vm_deviceplug {
 }
 if ($deviceid =~ m/^(net)(\d+)$/) {
- return undef if !qemu_netdevadd($vmid, $conf, $device, $deviceid);
+ return undef if !qemu_netdevadd($vmid, $conf, $device, $deviceid, $vmfw_conf);
 my $netdevicefull = print_netdevice_full($vmid, $conf, $device, $deviceid);
 qemu_deviceadd($vmid, $netdevicefull);
 if(!qemu_deviceaddverify($vmid, $deviceid)) {
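Review bot: The script selection in the print_netdev_full hunk fails open: when `$vmfw_conf` is undef, which is what every caller that forgets the new trailing argument or passes it in the wrong position produces, `$fwenable` is false and the NIC is silently attached through plain pve-bridge with no firewall and no diagnostic, indistinguishable from a deliberately disabled firewall. Because the firewall is a security control the unexpected case should be loud: `die "missing VM firewall config for $vmid\n" if !defined $vmfw_conf;` at the top of the sub, or at least a `warn`, so a wiring mistake cannot quietly expose a guest (if load_vmfw_conf can legitimately return undef for a VM without a firewall file, have it return an empty hashref instead so the two cases stay distinguishable). The two-line `$fwenable` computation also deserves a comment, e.g. `# the per-NIC firewall flag only takes effect when the VM-level firewall is enabled`. Finally, the script name is baked into the QEMU command line at start time, so a VM-level enable made later reaches a running VM only after the NIC is hot-changed or the VM restarts; if that is intended it belongs in the commit message. print_netdev_full starts before this hunk.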
@@ -2933,9 +2941,9 @@ sub qemu_bridgeadd {
 }
 sub qemu_netdevadd {
- my ($vmid, $conf, $device, $deviceid) = @_;
+ my ($vmid, $conf, $device, $deviceid, $vmfw_conf) = @_;
- my $netdev = print_netdev_full($vmid, $conf, $device, $deviceid);
+ my $netdev = print_netdev_full($vmid, $conf, $device, $deviceid, $vmfw_conf);
 my %options = split(/[=,]/, $netdev);
 vm_mon_cmd($vmid, "netdev_add", %options);
@@ -3168,6 +3176,7 @@ sub vm_start {
 lock_config($vmid, sub {
 my $conf = load_config($vmid, $migratedfrom);
+ my $vmfw_conf = PVE::Firewall::load_vmfw_conf($vmid);
 die "you can't start a vm if it's a template\n" if is_template($conf);
@@ -3180,7 +3189,7 @@ sub vm_start {
 # set environment variable useful inside network script
 $ENV{PVE_MIGRATED_FROM} = $migratedfrom if $migratedfrom;
- my ($cmd, $vollist, $spice_port) = config_to_command($storecfg, $vmid, $conf, $defaults, $forcemachine);
+ my ($cmd, $vollist, $spice_port) = config_to_command($storecfg, $vmid, $conf, $defaults, $forcemachine, $vmfw_conf);
 my $migrate_port = 0;
 my $migrate_uri;
@@ -3322,10 +3331,11 @@ sub vm_commandline {
 my ($storecfg, $vmid) = @_;
 my $conf = load_config($vmid);
+ my $vmfw_conf = PVE::Firewall::load_vmfw_conf($vmid);
 my $defaults = load_defaults();
- my $cmd = config_to_command($storecfg, $vmid, $conf, $defaults);
+ my $cmd = config_to_command($storecfg, $vmid, $conf, $defaults, $vmfw_conf);
 return join(' ', @$cmd);
 }
diff --git a/pve-bridge b/pve-bridge
index d6c5eb8..81ad5f4 100755
--- a/pve-bridge
+++ b/pve-bridge
@@ -30,6 +30,6 @@ PVE::Network::tap_create($iface, $net->{bridge});
 PVE::Network::tap_rate_limit($iface, $net->{rate}) if $net->{rate};
-PVE::Network::tap_plug($iface, $net->{bridge}, $net->{tag}, $net->{firewall});
+PVE::Network::tap_plug($iface, $net->{bridge}, $net->{tag});
 exit 0;
diff --git a/pve-bridge-fw b/pve-bridge-fw
new file mode 100755
index 0000000..f5a6228
--- /dev/null
+++ b/pve-bridge-fw
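Review bot: In the vm_start hunk the VM config is loaded with `load_config($vmid, $migratedfrom)` but the firewall config with `load_vmfw_conf($vmid)` alone, with no node argument. If firewall configs are stored per node the way VM configs are (PVE::Firewall is not part of this patch, so this is an assumption to confirm), an incoming migration would read the target node's not-yet-existing file and the guest would come up through plain pve-bridge, i.e. unfirewalled, without any error. If they are cluster-wide the lookup is correct, and a one-line comment would stop the next reader from asking the same question: `# VM firewall config is cluster-wide, so no $migratedfrom lookup is needed`. vm_start continues outside the hunk.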
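Review bot: In the vm_commandline hunk `$vmfw_conf` is passed as the fifth argument of config_to_command, but the signature introduced by this same patch is `($storecfg, $vmid, $conf, $defaults, $forcemachine, $vmfw_conf)`, so the firewall config lands in `$forcemachine` and `$vmfw_conf` is undef inside config_to_command: `qm showcmd` would print the non-firewalled pve-bridge script for every NIC and, assuming `$forcemachine` feeds a `-machine` option as its name suggests, a stringified hash reference. The call should be `my $cmd = config_to_command($storecfg, $vmid, $conf, $defaults, undef, $vmfw_conf);`. Since the positional list keeps growing, a trailing hash of named options would prevent this class of mistake, but that is a larger change than this patch. The pve-bridge hunk on the same line now makes plain pve-bridge unconditionally unfirewalled, so every start and hotplug path must go through the corrected selection, which is another reason the showcmd path has to be right.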
@@ -0,0 +1,35 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use PVE::QemuServer;
+use PVE::Tools qw(run_command);
+use PVE::Network;
+
+my $iface = shift;
+
+die "no interface specified\n" if !$iface;
+
+die "got strange interface name '$iface'\n"
+ if $iface !~ m/^tap(\d+)i(\d+)$/;
+
+my $vmid = $1;
+my $netid = "net$2";
+
+my $migratedfrom = $ENV{PVE_MIGRATED_FROM};
+
+my $conf = PVE::QemuServer::load_config($vmid, $migratedfrom);
+
+die "unable to get network config '$netid'\n"
+ if !$conf->{$netid};
+
+my $net = PVE::QemuServer::parse_net($conf->{$netid});
+die "unable to parse network config '$netid'\n" if !$net;
+
+PVE::Network::tap_create($iface, $net->{bridge});
+
+PVE::Network::tap_rate_limit($iface, $net->{rate}) if $net->{rate};
+
+PVE::Network::tap_plug($iface, $net->{bridge}, $net->{tag}, 1);
+
+exit 0;
-- 
1.7.10.4
_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
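Review bot: pve-bridge-fw is a copy of pve-bridge that differs only in the trailing `1` passed to tap_plug, so every future fix to the interface-name validation, the config loading or the rate limiting has to be made twice and the two scripts will drift; keeping one script that decides the firewall flag itself (for example by calling `PVE::Firewall::load_vmfw_conf($vmid)` here, which the patch already does in vm_start) would remove the duplication and the fail-open script selection in print_netdev_full. `use PVE::Tools qw(run_command);` is imported but never used in the new file and can be dropped. Because the script hard-codes firewall=1 and ignores `$net->{firewall}` at run time, the reader needs to know the selection happens elsewhere; add `# firewall is unconditionally enabled here: this script is only chosen when both the VM-level and the NIC firewall flags are set` above the tap_plug call. The `$1`/`$2` captures are used right after the guarded match, which is fine, but `# tapXiY: X is the VMID, Y the NIC index` would make the two assignments self-explanatory.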
