[pve-devel] [PATCH 3/3] pve-bridge-fw script and pass fwenable to tap_plug

Alexandre Derumier aderumier at odiso.com
Tue May 6 11:46:57 CEST 2014


-we now use a new pve-bridge-fw script if the firewall is enabled.

-we also need to pass the fwenable value to tap_plug.
(if the user changes the vlan, bridge or firewall setting of the interface online)

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 Makefile          |    1 +
 PVE/API2/Qemu.pm  |    8 +++++++-
 PVE/QemuServer.pm |   11 ++++++++++-
 pve-bridge        |    2 +-
 pve-bridge-fw     |   35 +++++++++++++++++++++++++++++++++++
 5 files changed, 54 insertions(+), 3 deletions(-)
 create mode 100755 pve-bridge-fw

diff --git a/Makefile b/Makefile
index 57ab8ee..fdd49b1 100644
--- a/Makefile
+++ b/Makefile
@@ -81,6 +81,7 @@ install: ${PKGSOURCES}
 	install -D -m 0755 qmupdate ${DESTDIR}${VARLIBDIR}/qmupdate
 	install -D -m 0755 qemu.init.d ${DESTDIR}/etc/init.d/${PACKAGE}
 	install -m 0755 pve-bridge ${DESTDIR}${VARLIBDIR}/pve-bridge
+	install -m 0755 pve-bridge-fw ${DESTDIR}${VARLIBDIR}/pve-bridge-fw
 	install -m 0755 pve-bridgedown ${DESTDIR}${VARLIBDIR}/pve-bridgedown
 	install -s -m 0755 vmtar ${DESTDIR}${LIBDIR}
 	install -s -m 0755 sparsecp ${DESTDIR}${LIBDIR}
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 829f07f..cd34704 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -18,6 +18,7 @@ use PVE::RPCEnvironment;
 use PVE::AccessControl;
 use PVE::INotify;
 use PVE::Network;
+use PVE::Firewall;
 
 use Data::Dumper; # fixme: remove
 
@@ -833,7 +834,12 @@ my $vmconfig_update_net = sub {
 
 		if(($newnet->{bridge} ne $oldnet->{bridge}) || ($newnet->{tag} ne $oldnet->{tag}) || ($newnet->{firewall} ne $oldnet->{firewall})){
 		    eval{PVE::Network::tap_unplug($iface, $oldnet->{bridge}, $oldnet->{tag}, $oldnet->{firewall});};
-		    PVE::Network::tap_plug($iface, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall});
+
+		    my $vmfw_conf = PVE::Firewall::load_vmfw_conf($vmid);
+		    my $fwenable = $vmfw_conf->{options}->{enable};
+		    $fwenable = $newnet->{firewall} if $fwenable;
+
+		    PVE::Network::tap_plug($iface, $newnet->{bridge}, $newnet->{tag}, $fwenable);
 		}
 
 	    }else{
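Review bot: The three new lines that derive `$fwenable` (load_vmfw_conf, then `options->{enable}`, then the per-interface `firewall` flag) are repeated verbatim in print_netdev_full in PVE/QemuServer.pm in this same patch; put that rule in one small helper (for example in PVE::Firewall, taking `$vmid` and the parsed net hash) and call it from both places so the two decisions cannot drift apart. The replug is also asymmetric: tap_unplug on the line above is still given the raw `$oldnet->{firewall}`, while tap_plug now gets the combined VM-level-and-interface value, so an interface whose flag is set while the VM firewall option is off is unplugged with firewall=1 but plugged with firewall=0; if that is intentional, a comment such as `# unplug only needs to know whether firewall bridge state exists for the old interface` should say so, otherwise compute the old value the same way. The enclosing `$vmconfig_update_net` sub starts and ends outside this hunk.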
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 4f93f34..9c29ce0 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -30,6 +30,7 @@ use PVE::ProcFSTools;
 use PVE::QMPClient;
 use PVE::RPCEnvironment;
 use Time::HiRes qw(gettimeofday);
+use PVE::Firewall;
 
 my $cpuinfo = PVE::ProcFSTools::read_cpuinfo();
 
@@ -1202,7 +1203,15 @@ sub print_netdev_full {
     my $vmname = $conf->{name} || "vm$vmid";
 
     if ($net->{bridge}) {
-        return "type=tap,id=$netid,ifname=${ifname},script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown$vhostparam";
+
+	my $vmfw_conf = PVE::Firewall::load_vmfw_conf($vmid);
+	my $fwenable = $vmfw_conf->{options}->{enable};
+	$fwenable = $net->{firewall} if $fwenable;
+
+	my $bridgescript = "pve-bridge";
+	$bridgescript .= "-fw" if $fwenable;
+
+        return "type=tap,id=$netid,ifname=${ifname},script=/var/lib/qemu-server/$bridgescript,downscript=/var/lib/qemu-server/pve-bridgedown$vhostparam";
     } else {
         return "type=user,id=$netid,hostname=$vmname";
     }
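Review bot: The added lines are tab-indented while the surrounding body of print_netdev_full, including the rewritten `return` line, uses eight spaces, so the block reads as two indentation styles inside one `if`; reindent the new lines to match. A short comment would also help the next reader, since the firewall decision is now made here at command-line generation time and the tap script only enforces it: `# pick the firewall-aware tap script only when the VM firewall option and the interface's firewall flag are both set`. The derivation of `$fwenable` is the same three lines as in PVE/API2/Qemu.pm in this patch; see the note there about sharing it.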
diff --git a/pve-bridge b/pve-bridge
index d6c5eb8..81ad5f4 100755
--- a/pve-bridge
+++ b/pve-bridge
@@ -30,6 +30,6 @@ PVE::Network::tap_create($iface, $net->{bridge});
 
 PVE::Network::tap_rate_limit($iface, $net->{rate}) if $net->{rate};
 
-PVE::Network::tap_plug($iface, $net->{bridge}, $net->{tag}, $net->{firewall});
+PVE::Network::tap_plug($iface, $net->{bridge}, $net->{tag});
 
 exit 0;
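Review bot: After this change pve-bridge ignores `$net->{firewall}` entirely even though it still parses the interface config, and nothing in the script says why; a reader will otherwise take the dropped argument for an accidental regression. Add a comment above the call, e.g. `# firewall is never enabled here: print_netdev_full selects pve-bridge-fw for firewalled interfaces`.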
diff --git a/pve-bridge-fw b/pve-bridge-fw
new file mode 100755
index 0000000..f5a6228
--- /dev/null
+++ b/pve-bridge-fw
@@ -0,0 +1,35 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use PVE::QemuServer;
+use PVE::Tools qw(run_command);
+use PVE::Network;
+
+my $iface = shift;
+
+die "no interface specified\n" if !$iface;
+
+die "got strange interface name '$iface'\n" 
+    if $iface !~ m/^tap(\d+)i(\d+)$/;
+
+my $vmid = $1;
+my $netid = "net$2";
+
+my $migratedfrom = $ENV{PVE_MIGRATED_FROM};
+
+my $conf = PVE::QemuServer::load_config($vmid, $migratedfrom);
+
+die "unable to get network config '$netid'\n"
+    if !$conf->{$netid};
+
+my $net = PVE::QemuServer::parse_net($conf->{$netid});
+die "unable to parse network config '$netid'\n" if !$net;
+
+PVE::Network::tap_create($iface, $net->{bridge});
+
+PVE::Network::tap_rate_limit($iface, $net->{rate}) if $net->{rate};
+
+PVE::Network::tap_plug($iface, $net->{bridge}, $net->{tag}, 1);
+
+exit 0;
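Review bot: pve-bridge-fw is a near-verbatim copy of pve-bridge that differs only in the last tap_plug argument, so every future fix to one script (config loading, tap_create, rate limiting) has to be applied to both; consider a single script that takes the firewall decision itself, either from the name it was invoked under or from the same VM-firewall/interface rule used in print_netdev_full, and keep pve-bridge-fw as a thin alias. The interface-name check `m/^tap(\d+)i(\d+)$/` anchors with `$`, which also matches before a trailing newline, and `$1`/`$2` then become the VMID used to load the config and the `netN` key; since this is new code, anchor with `\A` and `\z` here (pve-bridge has the same pattern outside this patch). Note also that the hard-coded `1` means the firewall state is fixed when the qemu command line was generated, not re-read from the config when the tap is actually plugged, which appears intentional but deserves a one-line comment.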
-- 
1.7.10.4



