To: devel@lists.libvirt.org
Subject: [PATCH 1/2] docs: Clarify hypervisor support for nwfilter profiles
Date: Wed, 11 Sep 2024 15:02:41 -0600
Message-Id: <20240911210242.5231-2-jfehlig@suse.com>
In-Reply-To: <20240911210242.5231-1-jfehlig@suse.com>
CC: demi@invisiblethingslab.com
From: Jim Fehlig via Devel

Enhance the 'since' annotation of documentation to note it's only supported by the QEMU, LXC, and ch hypervisor drivers.

Signed-off-by: Jim Fehlig
Acked-by: Demi Marie Obenour
Reviewed-by: Laine Stump
Suggested-by: Demi Marie Obenour
---
 docs/formatdomain.rst | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 47d3e2125e..8e8a9660fc 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst
@@ -6205,10 +6205,10 @@ hypervisor tries to reconnect. Traffic filtering with NWFilter ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ =20 -:since:`Since 0.8.0` an ``nwfilter`` profile can be assigned to a domain -interface, which allows configuring traffic filter rules for the virtual -machine. See the `nwfilter `__ documentation for more -complete details. +:since:`Since 0.8.0 (QEMU), 0.9.3 (LXC), 10.1.0 (Cloud Hypervisor)` an ``n= wfilter`` +profile can be assigned to a domain interface, which allows configuring tr= affic +filter rules for the virtual machine. See the `nwfilter `__ +documentation for more complete details. =20 :: =20 --=20 2.35.3
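
Review bot: The new ":since:" line lists versions for QEMU, LXC and Cloud Hypervisor but never states that the other hypervisor drivers do not support ``filterref`` at all, so a reader on an unlisted driver has to infer that from an omission. Consider adding a sentence after "documentation for more complete details." saying that drivers not listed here do not support nwfilter profiles. That matters for this series because patch 2/2 makes the libxl driver reject such a config with VIR_ERR_CONFIG_UNSUPPORTED, and this section is where a user would look to find out why.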

To: devel@lists.libvirt.org
Subject: [PATCH 2/2] libxl: Reject VM config referencing nwfilters
Date: Wed, 11 Sep 2024 15:02:42 -0600
Message-Id: <20240911210242.5231-3-jfehlig@suse.com>
In-Reply-To: <20240911210242.5231-1-jfehlig@suse.com>
CC: demi@invisiblethingslab.com
From: Jim Fehlig via Devel

The Xen libxl driver does not support nwfilter. Add a check for nwfilters to the devicesPostParseCallback, returning VIR_ERR_CONFIG_UNSUPPORTED if any are found.

It's generally preferred for drivers to ignore unsupported XML features, but ignoring a user's request to filter VM network traffic can be viewed as a security issue.

Signed-off-by: Jim Fehlig
---
 src/libxl/libxl_domain.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/libxl/libxl_domain.c b/src/libxl/libxl_domain.c index 0f129ec69c..2f6cebb8ae 100644 --- a/src/libxl/libxl_domain.c +++ b/src/libxl/libxl_domain.c
@@ -131,6 +131,13 @@ libxlDomainDeviceDefPostParse(virDomainDeviceDef *dev, void *opaque G_GNUC_UNUSED, void *parseOpaque G_GNUC_UNUSED) { + if (dev->type =3D=3D VIR_DOMAIN_DEVICE_NET && dev->data.net->filter) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("filterref is not supported in %1$s"), + virDomainVirtTypeToString(def->virtType)); + return -1; + } + if (dev->type =3D=3D VIR_DOMAIN_DEVICE_CHR && dev->data.chr->deviceType =3D=3D VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOL= E && dev->data.chr->targetType =3D=3D VIR_DOMAIN_CHR_CONSOLE_TARGET_TYP= E_NONE && --=20 2.35.3
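
Review bot: The new check at the top of libxlDomainDeviceDefPostParse returns -1 from a post-parse callback, and post-parse callbacks run on every parse of a domain definition, including when already-defined persistent configs are loaded, so a libxl domain that was previously defined with a filterref on an interface would fail to load after this change rather than only being refused at define time. Consider moving the test to a validation callback, or say in the commit message that refusing to load such existing configs is the intended outcome given the security argument. The hunk also comes without a test; a domain XML with a filterref on an interface that is expected to fail with VIR_ERR_CONFIG_UNSUPPORTED would pin the behaviour.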