Moti Asayag has uploaded a new change for review. Change subject: core: Add Network Filtering rules to VMs (#809814) ......................................................................
core: Add Network Filtering rules to VMs (#809814) https://bugzilla.redhat.com/809814 The patch introduces the Network Filtering feature. The feature is enabled for 3.2 compatible cluster level. If the feature is enabled, the engine dictates libvirt via VDSM to add a network filter rule to prevent VM mac spoofing. Feature page: http://wiki.ovirt.org/wiki/Features/Design/Network/NetworkFiltering Change-Id: I5776ea730ef1733fe4f9efe852c07053573dc5ba Signed-off-by: Moti Asayag <masa...@redhat.com> --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmInterfaceCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/HotPlugUnplugVmNicCommand.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/vdscommands/HotPlugUnplgNicVDSParameters.java M backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/HotPlugNicVDSCommand.java A backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/NetworkFilters.java M backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/VdsProperties.java M backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/VmInfoBuilder.java 7 files changed, 65 insertions(+), 10 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/56/7356/1 diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmInterfaceCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmInterfaceCommand.java index 5cc2eea..762b397 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmInterfaceCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmInterfaceCommand.java 
@@ -92,7 +92,7 @@ } else { return runVdsCommand(VDSCommandType.HotPlugNic, new HotPlugUnplgNicVDSParameters(vmDynamic.getrun_on_vds().getValue(), - vmDynamic.getId(), + getVm(), getParameters().getInterface(), vmDevice)).getSucceeded(); } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/HotPlugUnplugVmNicCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/HotPlugUnplugVmNicCommand.java index a7dc221..f0d8132 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/HotPlugUnplugVmNicCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/HotPlugUnplugVmNicCommand.java @@ -58,7 +58,7 @@ if (VmHandler.isHotPlugNicAllowedForVmStatus(getVm().getstatus())) { runVdsCommand(getParameters().getAction().getCommandType(), new HotPlugUnplgNicVDSParameters(getVm().getrun_on_vds().getValue(), - getVm().getId(), + getVm(), DbFacade.getInstance().getVmNetworkInterfaceDAO().get(getParameters().getNicId()), vmDevice)); } diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/vdscommands/HotPlugUnplgNicVDSParameters.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/vdscommands/HotPlugUnplgNicVDSParameters.java index 1f01599..6beec74 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/vdscommands/HotPlugUnplgNicVDSParameters.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/vdscommands/HotPlugUnplgNicVDSParameters.java 
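Review bot: In the AddVmInterfaceCommand hunk the host is still taken from `vmDynamic.getrun_on_vds()` while the VM is now passed as `getVm()`, so the parameters object is assembled from two different snapshots of the same VM; the HotPlugUnplugVmNicCommand hunk in this change reads both values from `getVm()`. If `getVm()` is the command's cached VM entity, `getVm().getrun_on_vds().getValue()` would make the two call sites consistent. Both call sites now hand a full VM to a constructor that dereferences it, so a null `getVm()` fails inside `new HotPlugUnplgNicVDSParameters(...)` rather than at the VDS call; the enclosing methods start and end outside the hunks.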
@@ -1,20 +1,24 @@ package org.ovirt.engine.core.common.vdscommands; +import org.ovirt.engine.core.common.businessentities.VM; import org.ovirt.engine.core.common.businessentities.VmDevice; import org.ovirt.engine.core.common.businessentities.VmNetworkInterface; import org.ovirt.engine.core.compat.Guid; +import org.ovirt.engine.core.compat.Version; public class HotPlugUnplgNicVDSParameters extends VdsIdVDSCommandParametersBase { private final Guid vmId; private final VmNetworkInterface nic; private final VmDevice vmDevice; + private final Version clusterVersion; - public HotPlugUnplgNicVDSParameters(Guid vdsId, Guid vmId, VmNetworkInterface nic, VmDevice vmDevice) { + public HotPlugUnplgNicVDSParameters(Guid vdsId, VM vm, VmNetworkInterface nic, VmDevice vmDevice) { super(vdsId); - this.vmId = vmId; + this.vmId = vm.getId(); this.nic = nic; this.vmDevice = vmDevice; + this.clusterVersion = vm.getvds_group_compatibility_version(); } public Guid getVmId() { @@ -29,4 +33,8 @@ return vmDevice; } + public Version getClusterVersion(){ + return clusterVersion; + } + } diff --git a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/HotPlugNicVDSCommand.java b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/HotPlugNicVDSCommand.java index 270fb21..6e9c0cb 100644 --- a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/HotPlugNicVDSCommand.java +++ b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/HotPlugNicVDSCommand.java @@ -42,6 +42,8 @@ if (vmDevice.getBootOrder() > 0) { map.add("bootOrder", String.valueOf(vmDevice.getBootOrder())); } + VmInfoBuilder.addNetworkFiltersToNic(map, getParameters().getClusterVersion()); + return map; } 
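Review bot: The new constructor dereferences `vm` twice (`vm.getId()`, `vm.getvds_group_compatibility_version()`) without any argument check, so a null VM from either caller now surfaces as a NullPointerException from inside the constructor instead of a clear message at the boundary; a guard such as `if (vm == null) { throw new IllegalArgumentException("vm must not be null"); }` before `super(vdsId)` cannot be placed there in Java, so put it right after the `super` call. The stored `clusterVersion` is whatever the VM reports and may itself be null if the cluster version is unset, so readers of `getClusterVersion()` should not assume it is present. Style: the getter added in this file's second hunk is written `getClusterVersion(){`; add the space before the brace to match the surrounding methods, and a short Javadoc such as `/** Compatibility version of the VM's cluster; drives version-dependent NIC properties such as network filters. */` explains why a NIC-operation parameters object carries a cluster version at all.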
diff --git a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/NetworkFilters.java b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/NetworkFilters.java
new file mode 100644
index 0000000..2ff4a9e
--- /dev/null
+++ b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/NetworkFilters.java
@@ -0,0 +1,18 @@
+package org.ovirt.engine.core.vdsbroker.vdsbroker;
+
+/**
+ * The network filters defined by VDSM to be applied for the VM network interfaces.
+ */
+public enum NetworkFilters {
+ VDSM_NO_MAC_SPOOFING("vdsm-no-mac-spoofing");
+
+ private String filterName;
+
+ private NetworkFilters(String filterName) {
+ this.filterName = filterName;
+ }
+
+ public String getFilterName() {
+ return filterName;
+ }
+}
diff --git a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/VdsProperties.java b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/VdsProperties.java
index 17d8f88..b6cd092 100644
--- a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/VdsProperties.java
+++ b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/VdsProperties.java
@@ -142,6 +142,7 @@
 public static final String nic_type = "nicModel";
 public static final String portMirroring = "portMirroring";
 public static final String bridge = "bridge";
+ public static final String FILTERS = "filters";
 public static final String num_of_monitors = "spiceMonitors";
 public static final String num_of_cpus = "smp";
 public static final String cores_per_socket = "smpCoresPerSocket";
diff --git a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/VmInfoBuilder.java b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/VmInfoBuilder.java
index fb10e46..a6e56e1 100644
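Review bot: `filterName` in the new enum is mutable (`private String filterName`) although it is assigned exactly once in the constructor; declare it `private final String filterName;` so the constant's value cannot change after construction. The `private` on the enum constructor is redundant because enum constructors are implicitly private and can be dropped. The getter would also benefit from a Javadoc saying what the string is, e.g. `/** Name of the VDSM network filter, sent as-is to VDSM in the NIC device's "filters" list. */`, since callers pass it straight through to the host.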
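Review bot: `FILTERS` is the only upper-case name in this run of VDSM key constants; its neighbours (`portMirroring`, `bridge`, `num_of_monitors`) follow the file's lower-case convention. Either `public static final String filters = "filters";` or a deliberate, separate rename of the whole class keeps the key table consistent; a mixed style in a lookup table of wire keys makes it easy to add a duplicate key under the other spelling later.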
--- a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/VmInfoBuilder.java +++ b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/VmInfoBuilder.java @@ -30,6 +30,7 @@ import org.ovirt.engine.core.common.utils.VmDeviceCommonUtils; import org.ovirt.engine.core.common.utils.VmDeviceType; import org.ovirt.engine.core.compat.Guid; +import org.ovirt.engine.core.compat.Version; import org.ovirt.engine.core.dal.dbbroker.DbFacade; import org.ovirt.engine.core.vdsbroker.xmlrpc.XmlRpcStringUtils; import org.ovirt.engine.core.vdsbroker.xmlrpc.XmlRpcStruct; 
@@ -317,22 +318,38 @@ if (ifaceType == VmInterfaceType.rtl8139_pv) { if (!useRtl8139_pv) { if (vm.getHasAgent()) { - addNetworkInterfaceProperties(struct, vmInterface, vmDevice, VmInterfaceType.pv.name()); + addNetworkInterfaceProperties(struct, + vmInterface, + vmDevice, + VmInterfaceType.pv.name(), + vm.getvds_group_compatibility_version()); } else { - addNetworkInterfaceProperties(struct, vmInterface, vmDevice, VmInterfaceType.rtl8139.name()); + addNetworkInterfaceProperties(struct, + vmInterface, + vmDevice, + VmInterfaceType.rtl8139.name(), + vm.getvds_group_compatibility_version()); } } else { - addNetworkInterfaceProperties(struct, vmInterface, vmDevice, VmInterfaceType.pv.name()); + addNetworkInterfaceProperties(struct, + vmInterface, + vmDevice, + VmInterfaceType.pv.name(), + vm.getvds_group_compatibility_version()); // Doual Mode: in this case we have to insert 2 interfaces with the same entries except nicModel XmlRpcStruct rtl8139Struct = new XmlRpcStruct(); addNetworkInterfaceProperties(rtl8139Struct, vmInterface, vmDevice, - VmInterfaceType.rtl8139.name()); + VmInterfaceType.rtl8139.name(), vm.getvds_group_compatibility_version()); devices.add(rtl8139Struct); } } else { - addNetworkInterfaceProperties(struct, vmInterface, vmDevice, ifaceType.toString()); + addNetworkInterfaceProperties(struct, + vmInterface, + vmDevice, + ifaceType.toString(), + vm.getvds_group_compatibility_version()); } devices.add(struct); addToManagedDevices(vmDevice); @@ -461,7 +478,7 @@ private static void addNetworkInterfaceProperties(XmlRpcStruct struct, VmNetworkInterface vmInterface, VmDevice vmDevice, - String nicModel) { + String nicModel, Version clusterVersion) { struct.add(VdsProperties.Type, vmDevice.getType()); struct.add(VdsProperties.Device, vmDevice.getDevice()); struct.add(VdsProperties.network, vmInterface.getNetworkName()); 
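Review bot: `vm.getvds_group_compatibility_version()` is now evaluated at five call sites inside one method, which lengthens every branch and makes it easy for the branches to drift apart if the source of the version ever changes. Hoist it once before the `ifaceType` checks, `Version clusterVersion = vm.getvds_group_compatibility_version();`, and pass `clusterVersion` to each `addNetworkInterfaceProperties(...)` call, or pass `vm` itself and let the callee read the version. The enclosing method starts and ends outside the hunk.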
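Review bot: The new `clusterVersion` parameter on `addNetworkInterfaceProperties` is undocumented, and the method body continues outside the hunk. A one-line Javadoc entry, e.g. `@param clusterVersion compatibility version of the VM's cluster; selects version-gated NIC properties such as network filters`, tells the next caller why a NIC-property builder needs a cluster version. The parameter list formatting is also now inconsistent: the preceding parameters are one per line, while `nicModel` and `clusterVersion` share a line.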
@@ -476,6 +493,15 @@ networks.add(vmInterface.getNetworkName()); struct.add(VdsProperties.portMirroring, networks); } + + addNetworkFiltersToNic(struct, clusterVersion); + } + + public static void addNetworkFiltersToNic(XmlRpcStruct struct, Version clusterVersion) { + if (Config.<Boolean> GetValue(ConfigValues.EnableMACAntiSpoofingFilterRules, clusterVersion.getValue())) { + List<String> filters = Collections.singletonList(NetworkFilters.VDSM_NO_MAC_SPOOFING.getFilterName()); + struct.add(VdsProperties.FILTERS, filters); + } } private static void addFloppyDetails(VmDevice vmDevice, XmlRpcStruct struct) { -- To view, visit http://gerrit.ovirt.org/7356 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I5776ea730ef1733fe4f9efe852c07053573dc5ba Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Moti Asayag <masa...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
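Review bot: `addNetworkFiltersToNic` calls `clusterVersion.getValue()` unconditionally, so a VM whose cluster compatibility version is unset (possible, since `HotPlugUnplgNicVDSParameters` stores whatever `getvds_group_compatibility_version()` returns) fails the whole VDS command with a NullPointerException. Decide the behaviour explicitly: failing loud with `if (clusterVersion == null) { throw new IllegalArgumentException("clusterVersion is required"); }` is preferable to an early `return`, because a silent return would omit the anti-spoofing filter without any trace and the VM would start without it. The method is now `public` and reached from `HotPlugNicVDSCommand`, so give it a Javadoc stating that it appends the `vdsm-no-mac-spoofing` filter under the `filters` key only when `EnableMACAntiSpoofingFilterRules` is enabled for the given cluster version, and that `struct` is mutated in place. Also confirm `List` and `Collections` are already imported in VmInfoBuilder; the import hunk earlier in this change adds only `Version`.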