From: Cindy Lu
To: lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com, lizhijian@fujitsu.com, jmarcin@redhat.com, qemu-devel@nongnu.org
Subject: [RFC v2 1/9] net/filter: allow redirector on vhost TAP backends
Date: Thu, 12 Mar 2026 15:09:29 +0800
Message-ID: <20260312071415.1836655-2-lulu@redhat.com>
In-Reply-To: <20260312071415.1836655-1-lulu@redhat.com>
References: <20260312071415.1836655-1-lulu@redhat.com>
Content-Transfer-Encoding: quoted-printable

netfilter_complete() currently rejects every filter attached to a vhost-backed netdev. That prevents filter-redirector from being used on the TAP backends that handle switchover capture and replay.
Permit filter-redirector on vhost-backed TAP netdevs, but keep the gate narrow: other filters are still rejected and non-TAP backends remain unsupported. Later commits can widen the filter set without duplicating the backend restriction. Signed-off-by: Cindy Lu --- net/filter.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/net/filter.c b/net/filter.c index 76345c1a9d..b9646b9e00 100644 --- a/net/filter.c +++ b/net/filter.c 
@@ -255,8 +255,19 @@ static void netfilter_complete(UserCreatable *uc, Erro= r **errp) } =20 if (get_vhost_net(ncs[0])) { - error_setg(errp, "Vhost is not supported"); - return; + bool redirector =3D object_dynamic_cast(OBJECT(uc), + "filter-redirector"); + bool buffer =3D object_dynamic_cast(OBJECT(uc), "filter-buffer"); + bool vhost_filter =3D redirector || buffer; + + if (!redirector) { + error_setg(errp, "Vhost is not supported"); + return; + } + if (vhost_filter && ncs[0]->info->type !=3D NET_CLIENT_DRIVER_TAP)= { + error_setg(errp, "Vhost filter support requires a TAP backend"= ); + return; + } } =20 if (strcmp(nf->position, "head") && strcmp(nf->position, "tail")) { --=20 2.52.0
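Review bot: in netfilter_complete(), `buffer` and `vhost_filter` have no effect. The `if (!redirector)` branch returns for every other filter type, so when `vhost_filter && ncs[0]->info->type != NET_CLIENT_DRIVER_TAP` is evaluated `vhost_filter` is always true, and filter-buffer is still rejected with "Vhost is not supported". Since the commit message says other filters stay rejected, test only `redirector` here and introduce the extra variables in the commit that actually admits filter-buffer; as written the hunk reads as if filter-buffer were already allowed on vhost.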
From: Cindy Lu
To: lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com, lizhijian@fujitsu.com, jmarcin@redhat.com, qemu-devel@nongnu.org
Subject: [RFC v2 2/9] net/filter-redirector: add role helpers for AF_PACKET paths
Date: Thu, 12 Mar 2026 15:09:30 +0800
Message-ID: <20260312071415.1836655-3-lulu@redhat.com>
In-Reply-To: <20260312071415.1836655-1-lulu@redhat.com>
References: <20260312071415.1836655-1-lulu@redhat.com>
Content-Transfer-Encoding: quoted-printable

Add helpers that tell whether a redirector instance should create an AF_PACKET capture socket or inject socket. Later commits use them when wiring up the TAP datapath.
While here, let the indev-only inject role enable allow_send_when_stopped, and guard filter_redirector_vm_state_change() against a missing nc. Signed-off-by: Cindy Lu --- net/filter-mirror.c | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/net/filter-mirror.c b/net/filter-mirror.c index ab711e8835..376b7da025 100644 --- a/net/filter-mirror.c +++ b/net/filter-mirror.c @@ -22,6 +22,7 @@ #include "qemu/error-report.h" #include "trace.h" #include "chardev/char-fe.h" +#include "net/vhost_net.h" #include "qemu/iov.h" #include "qemu/sockets.h" #include "block/aio-wait.h" @@ -62,6 +63,24 @@ typedef struct FilterSendCo { int ret; } FilterSendCo; =20 +static bool filter_redirector_use_inject_netdev(NetFilterState *nf) +{ + MirrorState *s =3D FILTER_REDIRECTOR(nf); + + return s->indev && !s->outdev && + nf->netdev && + get_vhost_net(nf->netdev); +} + +static bool filter_redirector_use_capture_netdev(NetFilterState *nf) +{ + MirrorState *s =3D FILTER_REDIRECTOR(nf); + + return s->outdev && !s->indev && + nf->netdev && + get_vhost_net(nf->netdev); +} + static int _filter_send(MirrorState *s, char *buf, ssize_t size) 
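Review bot: filter_redirector_use_capture_netdev() is added as a static function with no caller in this patch (only filter_redirector_use_inject_netdev() is used, in the allow_send_when_stopped hunk), so this commit on its own raises -Wunused-function and fails a -Werror build, which breaks bisection. Move the capture helper to the patch that first calls it. The two helpers differ only in which of `s->indev` and `s->outdev` must be set; a one-line comment stating that a redirector with both set gets neither role would document the intent.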
@@ -318,13 +337,13 @@ filter_redirector_refresh_allow_send_when_stopped(Net= FilterState *nf) =20 /* * Allow sending when stopped if enable_when_stopped is set and we have - * an outdev. This must be independent of nf->on (status) so that pack= ets - * can still flow through the filter chain to other filters even when = this - * redirector is disabled. Otherwise, tap_send() will disable read_poll - * when qemu_can_send_packet() returns false, preventing further packet - * processing. + * a redirector output endpoint and the redirector is enabled. + * Keeping this active while redirector status=3Doff can unexpectedly + * drain packets in migration stop windows and perturb vhost ring stat= e. */ - nc->allow_send_when_stopped =3D (s->enable_when_stopped && s->outdev); + nc->allow_send_when_stopped =3D (s->enable_when_stopped && + (s->outdev || + filter_redirector_use_inject_netdev(nf= ))); } =20 static void filter_redirector_vm_state_change(void *opaque, bool running, 
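Review bot: the rewritten comment in filter_redirector_refresh_allow_send_when_stopped() says the flag is set only when "the redirector is enabled" and warns against keeping it active with status=off, but the assignment never tests `nf->on`; it is `s->enable_when_stopped && (s->outdev || filter_redirector_use_inject_netdev(nf))`. Either add the `nf->on` condition the comment describes or reword the comment to match the code. The removed comment explained why the flag had to be independent of status (tap_send() disabling read_poll); if that reasoning no longer applies, the commit message should say why.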
@@ -334,7 +353,7 @@ static void filter_redirector_vm_state_change(void *opa= que, bool running, MirrorState *s =3D FILTER_REDIRECTOR(nf); NetClientState *nc =3D nf->netdev; =20 - if (!running && s->enable_when_stopped && nc->info->read_poll) { + if (!running && nc && s->enable_when_stopped && nc->info->read_poll) { nc->info->read_poll(nc, true); } } --=20 2.52.0
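Review bot: the added `nc &&` test in filter_redirector_vm_state_change() is not explained. Neither the commit message nor a comment says on which path `nf->netdev` can be NULL while the VM change-state handler is still registered. Please describe that case, and consider sending the guard as a separate fix, since it is unrelated to the role helpers this patch introduces.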
From: Cindy Lu
To: lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com, lizhijian@fujitsu.com, jmarcin@redhat.com, qemu-devel@nongnu.org
Subject: [RFC v2 3/9] net/filter-redirector: add AF_PACKET socket setup and input handler
Date: Thu, 12 Mar 2026 15:09:31 +0800
Message-ID: <20260312071415.1836655-4-lulu@redhat.com>
In-Reply-To: <20260312071415.1836655-1-lulu@redhat.com>
References: <20260312071415.1836655-1-lulu@redhat.com>
Content-Transfer-Encoding: quoted-printable

Add the AF_PACKET plumbing that lets filter-redirector bypass vhost and talk to the TAP device directly.
Resolve the TAP ifname from the backend fd, create a nonblocking raw socket, bind it to the interface, and store it as either the capture or inject endpoint depending on the redirector role. Also add the capture-side fd handler, which drains PACKET_OUTGOING frames and forwards them into the filter chain. Signed-off-by: Cindy Lu --- net/filter-mirror.c | 179 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 170 insertions(+), 9 deletions(-) diff --git a/net/filter-mirror.c b/net/filter-mirror.c index 376b7da025..915f2f8b35 100644 --- a/net/filter-mirror.c +++ b/net/filter-mirror.c @@ -27,6 +27,13 @@ #include "qemu/sockets.h" #include "block/aio-wait.h" #include "system/runstate.h" +#include "net/tap.h" +#include "net/tap_int.h" + +#include +#include +#include +#include =20 typedef struct MirrorState MirrorState; DECLARE_INSTANCE_CHECKER(MirrorState, FILTER_MIRROR, @@ -41,6 +48,10 @@ struct MirrorState { NetFilterState parent_obj; char *indev; char *outdev; + NetClientState *out_net; + int in_netfd; + uint8_t *in_netbuf; + int out_netfd; CharFrontend chr_in; CharFrontend chr_out; SocketReadState rs; @@ -189,6 +200,17 @@ static int redirector_chr_can_read(void *opaque) return REDIRECTOR_MAX_LEN; } =20 +static bool filter_redirector_input_active(NetFilterState *nf, bool enable) +{ + MirrorState *s =3D FILTER_REDIRECTOR(nf); + + if (!enable) { + return false; + } + + return runstate_is_running() || s->enable_when_stopped; +} + static void redirector_chr_read(void *opaque, const uint8_t *buf, int size) { NetFilterState *nf =3D opaque; 
@@ -225,6 +247,40 @@ static void redirector_chr_event(void *opaque, QEMUChr= Event event) } } =20 +static void filter_redirector_netdev_read(void *opaque) +{ + NetFilterState *nf =3D opaque; + MirrorState *s =3D FILTER_REDIRECTOR(nf); + struct sockaddr_ll sll; + socklen_t sll_len; + ssize_t len; + + if (!s->in_netbuf || s->in_netfd < 0) { + return; + } + + for (;;) { + sll_len =3D sizeof(sll); + len =3D recvfrom(s->in_netfd, s->in_netbuf, REDIRECTOR_MAX_LEN, 0, + (struct sockaddr *)&sll, &sll_len); + if (len <=3D 0) { + break; + } + + if (sll.sll_pkttype !=3D PACKET_OUTGOING) { + continue; + } + + redirector_to_filter(nf, s->in_netbuf, len); + } + + if (len < 0 && errno !=3D EAGAIN && errno !=3D EWOULDBLOCK && + errno !=3D EINTR) { + error_report("filter redirector read netdev failed(%s)", + strerror(errno)); + } +} + static ssize_t filter_mirror_receive_iov(NetFilterState *nf, NetClientState *sender, unsigned flags, @@ -285,7 +341,19 @@ static void filter_redirector_cleanup(NetFilterState *= nf) =20 qemu_chr_fe_deinit(&s->chr_in, false); qemu_chr_fe_deinit(&s->chr_out, false); - qemu_del_vm_change_state_handler(s->vmsentry); + if (s->vmsentry) { + qemu_del_vm_change_state_handler(s->vmsentry); + s->vmsentry =3D NULL; + } + if (s->in_netfd >=3D 0) { + qemu_set_fd_handler(s->in_netfd, NULL, NULL, NULL); + close(s->in_netfd); + s->in_netfd =3D -1; + } + if (s->out_netfd >=3D 0) { + close(s->out_netfd); + s->out_netfd =3D -1; + } =20 if (nf->netdev) { nf->netdev->allow_send_when_stopped =3D 0; 
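Review bot: in filter_redirector_netdev_read(), recvfrom() is called with flags 0 into a REDIRECTOR_MAX_LEN buffer, so a frame longer than the buffer is silently truncated and the truncated frame is handed to redirector_to_filter(). Pass MSG_TRUNC so the return value is the real frame length, and drop and count frames where it exceeds REDIRECTOR_MAX_LEN. The `for (;;)` drain loop also has no iteration budget, so the handler keeps running for as long as frames keep arriving on the TAP, and EINTR ends the drain instead of retrying the call.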
@@ -352,6 +420,14 @@ static void filter_redirector_vm_state_change(void *op= aque, bool running, NetFilterState *nf =3D opaque; MirrorState *s =3D FILTER_REDIRECTOR(nf); NetClientState *nc =3D nf->netdev; + bool active =3D filter_redirector_input_active(nf, nf->on); + + if (s->in_netfd >=3D 0) { + qemu_set_fd_handler(s->in_netfd, + active ? filter_redirector_netdev_read : NULL, + NULL, + active ? nf : NULL); + } =20 if (!running && nc && s->enable_when_stopped && nc->info->read_poll) { nc->info->read_poll(nc, true); 
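Review bot: filter_redirector_vm_state_change() ignores its `running` argument when computing `active`; filter_redirector_input_active() calls runstate_is_running() instead, so whether the fd handler is installed depends on the global run state already having been updated when this notifier fires. Pass `running` into the helper, for example `nf->on && (running || s->enable_when_stopped)`, so the decision uses the state being notified. The same four-line qemu_set_fd_handler(s->in_netfd, ...) block appears again in filter_redirector_setup() and filter_redirector_status_changed(); one helper taking the run state would cover all three call sites.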
@@ -379,21 +455,83 @@ static void filter_redirector_maybe_enable_read_poll(= NetFilterState *nf) } } =20 +static bool filter_redirector_netdev_setup(NetFilterState *nf, Error **err= p) +{ + MirrorState *s =3D FILTER_REDIRECTOR(nf); + struct sockaddr_ll sll =3D { 0 }; + char ifname[IFNAMSIZ] =3D { 0 }; + int ifindex; + int fd; + NetClientState *nc =3D nf->netdev; + int tapfd; + bool capture =3D filter_redirector_use_capture_netdev(nf); + bool inject =3D filter_redirector_use_inject_netdev(nf); + + if (!capture && !inject) { + return true; + } + + if (!nc || nc->info->type !=3D NET_CLIENT_DRIVER_TAP) { + return true; + } + + tapfd =3D tap_get_fd(nc); + if (tapfd < 0 || tap_fd_get_ifname(tapfd, ifname) !=3D 0) { + error_setg(errp, "failed to resolve TAP ifname for netdev '%s'", + nf->netdev_id); + return false; + } + + ifindex =3D if_nametoindex(ifname); + if (!ifindex) { + error_setg_errno(errp, errno, + "failed to resolve ifindex for '%s'", ifname); + return false; + } + + fd =3D qemu_socket(AF_PACKET, SOCK_RAW | SOCK_NONBLOCK, htons(ETH_P_AL= L)); + if (fd < 0) { + error_setg_errno(errp, errno, "failed to create AF_PACKET socket"); + return false; + } + + sll.sll_family =3D AF_PACKET; + sll.sll_ifindex =3D ifindex; + sll.sll_protocol =3D htons(ETH_P_ALL); + if (bind(fd, (struct sockaddr *)&sll, sizeof(sll)) < 0) { + error_setg_errno(errp, errno, + "failed to bind AF_PACKET socket for ifname '%s'", + ifname); + close(fd); + return false; + } + + if (capture) { + s->in_netfd =3D fd; + g_free(s->in_netbuf); + s->in_netbuf =3D g_malloc(REDIRECTOR_MAX_LEN); + } else if (inject) { + s->out_netfd =3D fd; + s->out_net =3D nc; + } + return true; +} + static void filter_redirector_setup(NetFilterState *nf, Error **errp) { MirrorState *s =3D FILTER_REDIRECTOR(nf); Chardev *chr; =20 if (!s->indev && !s->outdev) { - error_setg(errp, "filter redirector needs 'indev' or " - "'outdev' at least one property set"); + error_setg(errp, "filter redirector needs at least one of " + 
"'indev' or 'outdev'"); + return; + } + + if (s->indev && s->outdev && !strcmp(s->indev, s->outdev)) { + error_setg(errp, "'indev' and 'outdev' could not be same " + "for filter redirector"); return; - } else if (s->indev && s->outdev) { - if (!strcmp(s->indev, s->outdev)) { - error_setg(errp, "'indev' and 'outdev' could not be same " - "for filter redirector"); - return; - } } =20 net_socket_rs_init(&s->rs, redirector_rs_finalize, s->vnet_hdr); @@ -429,9 +567,21 @@ static void filter_redirector_setup(NetFilterState *nf= , Error **errp) } } =20 + if (!filter_redirector_netdev_setup(nf, errp)) { + return; + } + s->vmsentry =3D qemu_add_vm_change_state_handler( filter_redirector_vm_state_change, nf); =20 + if (s->in_netfd >=3D 0) { + bool active =3D filter_redirector_input_active(nf, nf->on); + + qemu_set_fd_handler(s->in_netfd, + active ? filter_redirector_netdev_read : NULL, + NULL, + active ? nf : NULL); + } filter_redirector_maybe_enable_read_poll(nf); =20 filter_redirector_refresh_allow_send_when_stopped(nf); @@ -440,6 +590,7 @@ static void filter_redirector_setup(NetFilterState *nf,= Error **errp) static void filter_redirector_status_changed(NetFilterState *nf, Error **e= rrp) { MirrorState *s =3D FILTER_REDIRECTOR(nf); + bool active =3D filter_redirector_input_active(nf, nf->on); =20 if (s->indev) { if (nf->on) { @@ -452,6 +603,13 @@ static void filter_redirector_status_changed(NetFilter= State *nf, Error **errp) } } =20 + if (s->in_netfd >=3D 0) { + qemu_set_fd_handler(s->in_netfd, + active ? filter_redirector_netdev_read : NULL, + NULL, + active ? nf : NULL); + } + if (nf->on) { filter_redirector_maybe_enable_read_poll(nf); } @@ -642,6 +800,8 @@ static void filter_redirector_init(Object *obj) MirrorState *s =3D FILTER_REDIRECTOR(obj); =20 s->vnet_hdr =3D false; + s->in_netfd =3D -1; + s->out_netfd =3D -1; } =20 static void filter_mirror_fini(Object *obj) 
@@ -657,6 +817,7 @@ static void filter_redirector_fini(Object *obj) =20 g_free(s->indev); g_free(s->outdev); + g_free(s->in_netbuf); } =20 static const TypeInfo filter_redirector_info =3D { --=20 2.52.0
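Review bot: filter_redirector_netdev_setup() opens `qemu_socket(AF_PACKET, SOCK_RAW | SOCK_NONBLOCK, htons(ETH_P_ALL))` inside the QEMU process, which requires CAP_NET_RAW, and resolves the interface with if_nametoindex() in QEMU's own network namespace. A QEMU that runs without that capability and is handed its TAP fd by a management layer will fail at this point, and a TAP that lives in another namespace can fail to resolve or resolve to a different interface with the same name. State the privilege requirement in the commit message and the option documentation, and consider accepting a pre-opened packet socket fd so the capability does not have to be granted to QEMU. Separately, the capture branch frees a previous `s->in_netbuf` but overwrites `s->in_netfd` and `s->out_netfd` without closing an earlier descriptor.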
From: Cindy Lu To: lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com, lizhijian@fujitsu.com, jmarcin@redhat.com, qemu-devel@nongnu.org Subject: [RFC v2 4/9] net/filter-redirector: add send helpers and netdev counters Date: Thu, 12 Mar 2026 15:09:32 +0800 Message-ID: <20260312071415.1836655-5-lulu@redhat.com> In-Reply-To: <20260312071415.1836655-1-lulu@redhat.com> References: <20260312071415.1836655-1-lulu@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=lulu@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -3 X-Spam_score: -0.4 X-Spam_bar: / X-Spam_report: (-0.4 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1773299742957154100 Content-Type: text/plain; charset="utf-8" Add helper functions for sending packets through the AF_PACKET out socket or the chardev backend, and add netdev RX/TX packet and byte counters to MirrorState. 
The follow-up receive-path changes use these helpers and expose the new statistics via filter_redirector_get_stats(). Signed-off-by: Cindy Lu --- net/filter-mirror.c | 70 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/net/filter-mirror.c b/net/filter-mirror.c index 915f2f8b35..e57fbc94b8 100644 --- a/net/filter-mirror.c +++ b/net/filter-mirror.c @@ -64,6 +64,11 @@ struct MirrorState { uint64_t indev_bytes; uint64_t outdev_packets; uint64_t outdev_bytes; + /* netdev replay/capture statistics for filter-redirector */ + uint64_t netdev_rx_packets; + uint64_t netdev_rx_bytes; + uint64_t netdev_tx_packets; + uint64_t netdev_tx_bytes; }; =20 typedef struct FilterSendCo { @@ -175,6 +180,59 @@ static int filter_send(MirrorState *s, return data.ret; } =20 +static ssize_t filter_redirector_send_netdev_packet(MirrorState *s, + const struct iovec *io= v, + int iovcnt) +{ + ssize_t size =3D iov_size(iov, iovcnt); + g_autofree uint8_t *buf =3D NULL; + + if (s->out_netfd < 0) { + return -ENODEV; + } + if (size > NET_BUFSIZE) { + return -EINVAL; + } + + buf =3D g_malloc(size); + iov_to_buf(iov, iovcnt, 0, buf, size); + + ssize_t ret =3D send(s->out_netfd, buf, size, 0); + if (ret < 0) { + return -errno; + } + if (ret > 0) { + s->netdev_tx_packets++; + s->netdev_tx_bytes +=3D ret; + } + return ret; +} +static ssize_t filter_redirector_send_chardev_iov(MirrorState *s, + const struct iovec *iov, + int iovcnt) +{ + if (!s->outdev) { + return -ENODEV; + } + + if (!qemu_chr_fe_backend_connected(&s->chr_out)) { + return 0; + } + + return filter_send(s, iov, iovcnt); +} + +static ssize_t filter_redirector_send_netdev_iov(MirrorState *s, + const struct iovec *iov, + int iovcnt) +{ + if (s->out_netfd < 0) { + return -ENODEV; + } + + return filter_redirector_send_netdev_packet(s, iov, iovcnt); +} + static void redirector_to_filter(NetFilterState *nf, const uint8_t *buf, int len) 
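Review bot: filter_redirector_send_netdev_packet() flattens the iovec into a freshly g_malloc()ed buffer for every packet before calling send(); sendmsg() with a struct msghdr pointing at iov/iovcnt would hand the vector straight to the AF_PACKET socket and drop both the allocation and the copy. The send() failure path returns -errno without retrying EINTR, and "ssize_t ret" is declared mid-block, which QEMU's coding style asks to avoid. filter_redirector_send_netdev_iov() repeats the "s->out_netfd < 0" check that the packet helper already makes and adds nothing else, so one of the two functions can go. A blank line is missing between the end of filter_redirector_send_netdev_packet() and filter_redirector_send_chardev_iov().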
@@ -763,6 +821,18 @@ static GList *filter_redirector_get_stats(NetFilterSta= te *nf) counter->bytes =3D s->outdev_bytes; list =3D g_list_append(list, counter); =20 + counter =3D g_new0(NetFilterCounter, 1); + counter->name =3D g_strdup("netdev_rx"); + counter->packets =3D s->netdev_rx_packets; + counter->bytes =3D s->netdev_rx_bytes; + list =3D g_list_append(list, counter); + + counter =3D g_new0(NetFilterCounter, 1); + counter->name =3D g_strdup("netdev_tx"); + counter->packets =3D s->netdev_tx_packets; + counter->bytes =3D s->netdev_tx_bytes; + list =3D g_list_append(list, counter); + return list; } =20 --=20 2.52.0 From nobody Tue Apr 7 18:04:52 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1773299774; cv=none; d=zohomail.com; s=zohoarc; b=P+B4hUmHJuc17EmkgCn5iGCZxQd+kLMQu93e5XoHy7i9RO03ogDYtT4O9WZGMQGPsh2RhwLQTWEQwKN3Ez71GvHOj3y+PrrzTCdAbMU4koGcNsAx33e/Ff7ZwDV/b51tqLxmaq8cf/YDZbxuMiNLEKi8MgXycbFtcmVCLm+TYbk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773299774; h=Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To:Cc; bh=yE5EXIHdVZ99o8ilpweRUBgvHp9JQoVeZq5rHLllXU8=; b=mviL0qTsQGcWJbGh/BHPaf1L3lbSN36TU1VY+p75km+WBybfEfzZPnsSNA2jM9DFEkC/WsAp4GhgLIu/mFqcVVbh7yIG96qGIyODorR9BVHAmDEAXBcy+AsitNrlerL3aDd8B4EQKqPHCbCn5q0V/BNg1ypPupdi8yl2U+nuJmw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= 
From: Cindy Lu
To: lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com, lizhijian@fujitsu.com, jmarcin@redhat.com, qemu-devel@nongnu.org
Subject: [RFC v2 5/9] net/filter-redirector: route chardev and AF_PACKET receive paths
Date: Thu, 12 Mar 2026 15:09:33 +0800
Message-ID: <20260312071415.1836655-6-lulu@redhat.com>
In-Reply-To: <20260312071415.1836655-1-lulu@redhat.com>
References: <20260312071415.1836655-1-lulu@redhat.com>
Content-Transfer-Encoding: quoted-printable

Packets captured from AF_PACKET now either go to the chardev outdev or into the filter chain, and both paths update the new netdev statistics.
Use the same routing from redirector_rs_finalize() so replay traffic and normal receive handling share one dispatch policy. Signed-off-by: Cindy Lu --- net/filter-mirror.c | 107 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 101 insertions(+), 6 deletions(-) diff --git a/net/filter-mirror.c b/net/filter-mirror.c index e57fbc94b8..1ff58e1d27 100644 --- a/net/filter-mirror.c +++ b/net/filter-mirror.c 
@@ -305,6 +305,81 @@ static void redirector_chr_event(void *opaque, QEMUChr= Event event) } } =20 +static void filter_redirector_recv_from_chardev(NetFilterState *nf, + const uint8_t *buf, + int len) +{ + MirrorState *s =3D FILTER_REDIRECTOR(nf); + bool inject_netdev =3D filter_redirector_use_inject_netdev(nf); + ssize_t ret; + struct iovec iov =3D { + .iov_base =3D (void *)buf, + .iov_len =3D len, + }; + + if (len <=3D 0) { + return; + } + + /* chardev indev */ + s->indev_packets++; + s->indev_bytes +=3D len; + + if (inject_netdev) { + ret =3D filter_redirector_send_netdev_iov(s, &iov, 1); + if (ret < 0) { + error_report("filter redirector send failed(%s)", strerror(-re= t)); + } + return; + } + + if (s->outdev) { + ret =3D filter_redirector_send_chardev_iov(s, &iov, 1); + if (ret < 0) { + error_report("filter redirector send failed(%s)", strerror(-re= t)); + } else if (ret > 0) { + s->outdev_packets++; + s->outdev_bytes +=3D ret; + } + return; + } + + redirector_to_filter(nf, buf, len); +} + +static bool filter_redirector_recv_from_netdev(NetFilterState *nf, + const uint8_t *b= uf, + int len) +{ + MirrorState *s =3D FILTER_REDIRECTOR(nf); + ssize_t ret; + struct iovec iov =3D { + .iov_base =3D (void *)buf, + .iov_len =3D len, + }; + + if (len <=3D 0) { + return false; + } + + if (s->outdev) { + ret =3D filter_redirector_send_chardev_iov(s, &iov, 1); + if (ret > 0) { + s->outdev_packets++; + s->outdev_bytes +=3D ret; + } + } else { + redirector_to_filter(nf, buf, len); + return true; + } + + if (ret < 0) { + error_report("filter redirector send failed(%s)", strerror(-ret)); + return false; + } + return true; +} + static void filter_redirector_netdev_read(void *opaque) { NetFilterState *nf =3D opaque; 
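Review bot: filter_redirector_recv_from_netdev() returns true when filter_redirector_send_chardev_iov() returns 0, which that helper uses for a disconnected chardev backend, so a captured packet that was dropped is reported as handled; the only caller, in filter_redirector_netdev_read(), ignores the return value anyway. Either make the function void or have the caller act on the result, and move the "ret < 0" check inside the "s->outdev" branch so the control flow does not depend on the early return in the else arm to keep ret initialised. Both new receive functions call error_report() for every failed packet, which can flood the log while the peer stays unavailable; a rate-limited or once-only report would be safer.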
@@ -329,7 +404,9 @@ static void filter_redirector_netdev_read(void *opaque) continue; } =20 - redirector_to_filter(nf, s->in_netbuf, len); + s->netdev_rx_packets++; + s->netdev_rx_bytes +=3D len; + filter_redirector_recv_from_netdev(nf, s->in_netbuf, len); } =20 if (len < 0 && errno !=3D EAGAIN && errno !=3D EWOULDBLOCK && @@ -369,21 +446,34 @@ static ssize_t filter_redirector_receive_iov(NetFilte= rState *nf, NetPacketSent *sent_cb) { MirrorState *s =3D FILTER_REDIRECTOR(nf); + bool capture_netdev =3D filter_redirector_use_capture_netdev(nf); + bool inject_netdev =3D filter_redirector_use_inject_netdev(nf); int ret; =20 - if (qemu_chr_fe_backend_connected(&s->chr_out)) { - ret =3D filter_send(s, iov, iovcnt); + if (s->indev || inject_netdev) { + return 0; + } + + if (capture_netdev || s->outdev) { + if (capture_netdev) { + return 0; + } + + ret =3D filter_redirector_send_chardev_iov(s, iov, iovcnt); if (ret < 0) { error_report("filter redirector send failed(%s)", strerror(-re= t)); } else if (ret > 0) { - /* Update outdev statistics on successful send */ s->outdev_packets++; s->outdev_bytes +=3D ret; } - return iov_size(iov, iovcnt); - } else { + /* + * Without an active AF_PACKET capture socket, outdev mirroring is= a + * sideband copy only and must not consume the guest-bound packet. + */ return 0; } + + return 0; } =20 static void filter_mirror_cleanup(NetFilterState *nf) 
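Review bot: filter_redirector_receive_iov() now returns 0 on every path, where the removed code returned iov_size(iov, iovcnt) whenever chr_out was connected; that changes outdev from a redirect that consumes the packet into a mirror that lets it continue down the chain, for every filter-redirector user and not only the new AF_PACKET modes. The new first test, "if (s->indev || inject_netdev) return 0;", also means a redirector configured with both indev and outdev no longer sends to outdev at all. If the new behaviour is meant only for the netdev capture/inject case, keep the old return value when neither mode is active and describe the change in the commit message. The nested "if (capture_netdev || s->outdev) { if (capture_netdev) { return 0; }" can then be flattened, and ret should be ssize_t to match filter_redirector_send_chardev_iov().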
@@ -444,6 +534,11 @@ static void redirector_rs_finalize(SocketReadState *rs) MirrorState *s =3D container_of(rs, MirrorState, rs); NetFilterState *nf =3D NETFILTER(s); =20 + if (s->outdev || filter_redirector_use_inject_netdev(nf)) { + filter_redirector_recv_from_chardev(nf, rs->buf, rs->packet_len); + return; + } + /* Update indev statistics */ s->indev_packets++; s->indev_bytes +=3D rs->packet_len; --=20 2.52.0 From nobody Tue Apr 7 18:04:52 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1773299755; cv=none; d=zohomail.com; s=zohoarc; b=ffj42Nu8ZUjtedQpt//vyckkB5jgjsnGvyFfw4jqOdw0oXKRjIm0lsfbOsKkNUSUvbYKjPQfFHCxQS4a1Woczs3H4PP2d8wNNx8drt38iehjQ8r+IHWoYXfhUvtoBO+kKVhqHkjXKIs9bHnNWXDWbscqQj8hAu46wfdvQgWULys= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773299755; h=Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To:Cc; bh=b/Cx5BhQaOZNCa2vAX1kb6o68eYgtv5EzkoSngDiIJ4=; b=Mci3aImfINmQbCvKuPKeabYqZ+Hgp/aEheHVeFRuIL/dd+rTx0G6nqLKgcaWVSTMqTxPu9UwiZYt1SGHsMJ1V73uCXUeg/v5/mM0gC2wQNbluHQzw3LlYgRxg4nHFQNkrUzp9j8JGx14Um5eWT1HwaPzJpP5qs/HQQ8Okyo2fLs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773299755931980.5842331412814; Thu, 12 Mar 2026 00:15:55 -0700 (PDT) 
From: Cindy Lu
To: lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com, lizhijian@fujitsu.com, jmarcin@redhat.com, qemu-devel@nongnu.org
Subject: [RFC v2 6/9] net/filter: Add support for filter-buffer
Date: Thu, 12 Mar 2026 15:09:34 +0800
Message-ID: <20260312071415.1836655-7-lulu@redhat.com>
In-Reply-To: <20260312071415.1836655-1-lulu@redhat.com>
References: <20260312071415.1836655-1-lulu@redhat.com>
Content-Transfer-Encoding: quoted-printable

Allow filter-buffer on the same vhost backend as filter-redirector, add an internal redirector-injected packet flag, and route indev packets through the preceding filter-buffer before they are reinjected.
Signed-off-by: Cindy Lu --- include/net/queue.h | 5 +++ net/filter-mirror.c | 98 +++++++++++++++++++++++++++++++++++++++++---- net/filter.c | 5 ++- 3 files changed, 98 insertions(+), 10 deletions(-) diff --git a/include/net/queue.h b/include/net/queue.h index 2e686b1b61..213abe62ec 100644 --- a/include/net/queue.h +++ b/include/net/queue.h @@ -32,6 +32,11 @@ typedef void (NetPacketSent) (NetClientState *sender, ss= ize_t ret); =20 #define QEMU_NET_PACKET_FLAG_NONE 0 #define QEMU_NET_PACKET_FLAG_RAW (1<<0) +/* + * Internal marker used by filter-redirector when packets are injected from + * indev through filter-buffer before being reinjected. + */ +#define QEMU_NET_PACKET_FLAG_REDIRECTOR_INJECT (1<<1) =20 /* Returns: * >0 - success diff --git a/net/filter-mirror.c b/net/filter-mirror.c index 1ff58e1d27..dabf52275a 100644 --- a/net/filter-mirror.c +++ b/net/filter-mirror.c 
@@ -233,6 +233,73 @@ static ssize_t filter_redirector_send_netdev_iov(Mirro= rState *s, return filter_redirector_send_netdev_packet(s, iov, iovcnt); } =20 +static NetFilterState *filter_redirector_prev_in_direction(NetFilterState = *nf, + NetFilterDirect= ion dir) +{ + if (dir =3D=3D NET_FILTER_DIRECTION_TX) { + return QTAILQ_PREV(nf, next); + } + return QTAILQ_NEXT(nf, next); +} + +static NetFilterState *filter_redirector_find_buffer_before(NetFilterState= *nf, + NetFilterDirec= tion dir) +{ + NetFilterState *iter =3D filter_redirector_prev_in_direction(nf, dir); + + while (iter) { + if ((iter->direction =3D=3D dir || + iter->direction =3D=3D NET_FILTER_DIRECTION_ALL) && + object_dynamic_cast(OBJECT(iter), "filter-buffer")) { + return iter; + } + iter =3D filter_redirector_prev_in_direction(iter, dir); + } + + return NULL; +} + +static bool filter_redirector_inject_to_buffer(NetFilterState *nf, + const uint8_t *buf, + int len) +{ + struct iovec iov =3D { + .iov_base =3D (void *)buf, + .iov_len =3D len, + }; + NetFilterState *buffer; + bool injected =3D false; + + if (nf->direction =3D=3D NET_FILTER_DIRECTION_ALL || + nf->direction =3D=3D NET_FILTER_DIRECTION_TX) { + buffer =3D filter_redirector_find_buffer_before(nf, + NET_FILTER_DIRECTION= _TX); + if (buffer) { + qemu_netfilter_receive(buffer, NET_FILTER_DIRECTION_TX, + nf->netdev, + QEMU_NET_PACKET_FLAG_REDIRECTOR_INJECT, + &iov, 1, NULL); + injected =3D true; + } + } + + if ((nf->direction =3D=3D NET_FILTER_DIRECTION_ALL || + nf->direction =3D=3D NET_FILTER_DIRECTION_RX) && + nf->netdev->peer) { + buffer =3D filter_redirector_find_buffer_before(nf, + NET_FILTER_DIRECTION= _RX); + if (buffer) { + qemu_netfilter_receive(buffer, NET_FILTER_DIRECTION_RX, + nf->netdev->peer, + QEMU_NET_PACKET_FLAG_REDIRECTOR_INJECT, + &iov, 1, NULL); + injected =3D true; + } + } + + return injected; +} + static void redirector_to_filter(NetFilterState *nf, const uint8_t *buf, int len) 
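Review bot: filter_redirector_inject_to_buffer() sets "injected = true" without looking at what qemu_netfilter_receive() returned, so filter_redirector_recv_from_chardev() treats the packet as handled even if the filter-buffer did not take it, and the fallback send through out_netfd never runs. Check the return value before setting the flag. The lookup in filter_redirector_find_buffer_before() only finds a filter-buffer that sits ahead of the redirector in the chain for the given direction; a buffer added after it is silently ignored, so the ordering requirement needs a comment here and a line in the user-facing documentation.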
@@ -310,7 +377,6 @@ static void filter_redirector_recv_from_chardev(NetFilt= erState *nf, int len) { MirrorState *s =3D FILTER_REDIRECTOR(nf); - bool inject_netdev =3D filter_redirector_use_inject_netdev(nf); ssize_t ret; struct iovec iov =3D { .iov_base =3D (void *)buf, @@ -325,7 +391,11 @@ static void filter_redirector_recv_from_chardev(NetFil= terState *nf, s->indev_packets++; s->indev_bytes +=3D len; =20 - if (inject_netdev) { + if (!s->outdev && filter_redirector_inject_to_buffer(nf, buf, len)) { + return; + } + + if (s->out_netfd >=3D 0) { ret =3D filter_redirector_send_netdev_iov(s, &iov, 1); if (ret < 0) { error_report("filter redirector send failed(%s)", strerror(-re= t)); @@ -446,16 +516,22 @@ static ssize_t filter_redirector_receive_iov(NetFilte= rState *nf, NetPacketSent *sent_cb) { MirrorState *s =3D FILTER_REDIRECTOR(nf); - bool capture_netdev =3D filter_redirector_use_capture_netdev(nf); - bool inject_netdev =3D filter_redirector_use_inject_netdev(nf); int ret; =20 - if (s->indev || inject_netdev) { - return 0; + if (s->out_netfd >=3D 0) { + if (!(flags & QEMU_NET_PACKET_FLAG_REDIRECTOR_INJECT)) { + return 0; + } + + ret =3D filter_redirector_send_netdev_iov(s, iov, iovcnt); + if (ret < 0) { + error_report("filter redirector send failed(%s)", strerror(-re= t)); + } + return iov_size(iov, iovcnt); } =20 - if (capture_netdev || s->outdev) { - if (capture_netdev) { + if (s->outdev) { + if (s->in_netfd >=3D 0) { return 0; } =20 @@ -473,6 +549,12 @@ static ssize_t filter_redirector_receive_iov(NetFilter= State *nf, return 0; } =20 + if (s->indev) { + if (!(flags & QEMU_NET_PACKET_FLAG_REDIRECTOR_INJECT)) { + return 0; + } + } + return 0; } =20 diff --git a/net/filter.c b/net/filter.c index b9646b9e00..cc23e743cf 100644 --- a/net/filter.c +++ b/net/filter.c 
@@ -260,8 +260,9 @@ static void netfilter_complete(UserCreatable *uc, Error= **errp) bool buffer =3D object_dynamic_cast(OBJECT(uc), "filter-buffer"); bool vhost_filter =3D redirector || buffer; =20 - if (!redirector) { - error_setg(errp, "Vhost is not supported"); + if (!vhost_filter) { + error_setg(errp, "Vhost only supports filter-redirector and " + "filter-buffer"); return; } if (vhost_filter && ncs[0]->info->type !=3D NET_CLIENT_DRIVER_TAP)= { --=20 2.52.0 From nobody Tue Apr 7 18:04:52 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1773299793; cv=none; d=zohomail.com; s=zohoarc; b=mEtdWm/ly0WU3UgVvwAvNwdN+onXOQVk+Xu39koUyR0U5spKF9MZ/522Kxfqt9q7EiBeZH39yq7kUQ/Po+AJPFPp3+ov/G4aVzcPkGuN6i9cjtqLQjZgHqaV0yVWWGp1OJVlbQbtps1qraXCCDuI7B0WHajLhQa6J3OCpHgX0Ug= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773299793; h=Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To:Cc; bh=ARJckNFV7lxLiDyqSx4CiZiaQcGSW8eGYbJQBu9N1Fw=; b=KGQtB9AS4kJVyyu4yhmhEG/Wv+WJ6N/kS55Y/hyhtJv44Eqoj5v/OghQ9aZNQpiNaPKs/b9IbtPtdokiEe/5O0x1yZHn2tbJ4jUdtWs79NxcQcTatR793v8qVeKmVGVBqy8r2fj3xhAYM2Lcdbxl3Fw0tSSkMcbukyckhgkaF10= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 
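Review bot: the block added at the end of filter_redirector_receive_iov() in this patch, "if (s->indev) { if (!(flags & QEMU_NET_PACKET_FLAG_REDIRECTOR_INJECT)) { return 0; } }", is dead code, because the function returns 0 immediately afterwards in either case; drop it or make the injected case do something different. The same function also removes the filter_redirector_use_capture_netdev() and filter_redirector_use_inject_netdev() calls that 5/9 had just added to it, so the series would be easier to review if 5/9 tested s->in_netfd and s->out_netfd directly. In the out_netfd branch a failed filter_redirector_send_netdev_iov() is logged but the packet is still reported as consumed via iov_size(iov, iovcnt); say in a comment that the drop is intentional. In net/filter.c, "vhost_filter &&" in the condition that follows the new early return is now always true and can be removed.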
From: Cindy Lu
To: lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com, lizhijian@fujitsu.com, jmarcin@redhat.com, qemu-devel@nongnu.org
Subject: [RFC v2 7/9] virtio-net: keep tap read polling disabled while vhost owns RX
Date: Thu, 12 Mar 2026 15:09:35 +0800
Message-ID: <20260312071415.1836655-8-lulu@redhat.com>
In-Reply-To: <20260312071415.1836655-1-lulu@redhat.com>
References: <20260312071415.1836655-1-lulu@redhat.com>
Content-Transfer-Encoding: quoted-printable

virtio_net_backend_read_poll_set() re-enables TAP read polling on vmstart even when kernel vhost has already taken over RX.
That lets QEMU userspace and vhost race on the same tap fd and can corrupt the restored virtqueue state during migration switchover. Keep read_poll disabled for TAP backends with a started vhost_net, while leaving pure userspace backends unchanged. Signed-off-by: Cindy Lu --- hw/net/virtio-net.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index d6d2188863..616590fb82 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c 
@@ -1322,9 +1322,19 @@ static void virtio_net_backend_read_poll_set(VirtION= et *n, bool enable) for (i =3D 0; i < (int)n->max_ncs; i++) { NetClientState *frontend =3D qemu_get_subqueue(n->nic, i); NetClientState *backend =3D frontend ? frontend->peer : NULL; + bool backend_enable =3D enable; =20 if (backend && backend->info && backend->info->read_poll) { - backend->info->read_poll(backend, enable); + /* + * When vhost is active, the kernel backend owns the tap RX pa= th. + * Re-enabling QEMU read_poll on vmstart makes userspace and v= host + * race on the same tap fd, which can corrupt the restored RX = ring + * during migration switchover replay. + */ + if (enable && get_vhost_net(backend) && n->vhost_started) { + backend_enable =3D false; + } + backend->info->read_poll(backend, backend_enable); } } } --=20 2.52.0 From nobody Tue Apr 7 18:04:52 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1773299792; cv=none; d=zohomail.com; s=zohoarc; b=YhZDG6BebIJ4MPcpCcVrUw+S4tgL/uVZ7WiCTDEIKtX9UIbXQHw5nNxdrGPTsKCcuORH7vpLkBbr2OYISw07q4IPAR8SR+lrfZ3fHSij4pwQIq/a3X7mXACl7IC2dgXekTJWCfEgexgbVnT34XDpbGjAuOvu3mWkgLCfquGNqmQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773299792; h=Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To:Cc; bh=zoqm4IOr0n5qGBJHI6uKZ5VJOLDmV3ZKkec2FGaY77A=; b=I6BJ/i7xQjJf8BSnKZKCZuctaesEFpoWAzgizmUx8Yf1MEh2GW0MBTRsQsEBZfIox29T29zWIE2ILnCBzscIXBB5DeHo9Gr0impe6BB5J90Z9aEdiEAA73sADfbToRMgy8QySQeYdJ5Zd5zopF7Mbv/HFd7hn1CPIW7YM9+KlZE= ARC-Authentication-Results: i=1; 
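Review bot: the guard in virtio_net_backend_read_poll_set() only helps if n->vhost_started is already true when the vmstart path calls this function with enable set, and the hunk does not show that ordering; name the call site that sets vhost_started first in the commit message, or assert it in the code. The comment and commit message speak of TAP, but the condition "get_vhost_net(backend) && n->vhost_started" is not TAP-specific, so either test the backend type or reword the comment. The function now forces read_poll off in that case, so it is also worth documenting which path turns it back on if vhost is later stopped and the device falls back to userspace.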
From: Cindy Lu
To: lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com, lizhijian@fujitsu.com, jmarcin@redhat.com, qemu-devel@nongnu.org
Subject: [RFC v2 8/9] virtio-net: handle short vnet headers on replay RX
Date: Thu, 12 Mar 2026 15:09:36 +0800
Message-ID: <20260312071415.1836655-9-lulu@redhat.com>
In-Reply-To: <20260312071415.1836655-1-lulu@redhat.com>
References: <20260312071415.1836655-1-lulu@redhat.com>
Content-Transfer-Encoding: quoted-printable

During switchover replay, packets injected through AF_PACKET can come back from the bridge with a 10-byte virtio_net_hdr even though QEMU expects a 12-byte merged-rxbuf header.
The missing two bytes shift the Ethernet frame and corrupt the packet seen by the guest. Detect this case by comparing the EtherType at the expected position with the value two bytes earlier. When only the shifted position contains a recognized protocol, reduce the effective host header length by two for this packet. Only apply the heuristic while vhost is running, and carry the adjusted header length through the normal receive path without copying the buffer. Signed-off-by: Cindy Lu --- hw/net/virtio-net.c | 54 ++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 49 insertions(+), 5 deletions(-) diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index 616590fb82..29dbe3d8d5 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -144,6 +144,36 @@ static int vq2q(int queue_index) return queue_index / 2; } =20 +static bool virtio_net_rx_known_ethertype(uint16_t proto) +{ + if (proto <=3D 1500) { + /* IEEE 802.3 length field */ + return true; + } + + switch (proto) { + case ETH_P_IP: + case ETH_P_IPV6: + case ETH_P_ARP: + case ETH_P_VLAN: + case ETH_P_DVLAN: + case 0x0842: /* Wake-on-LAN */ + case 0x22f0: /* IEEE 802.1Qbe / TSN */ + case 0x8809: /* Slow protocols / LACP */ + case 0x8863: /* PPPoE discovery */ + case 0x8864: /* PPPoE session */ + case 0x8906: /* FCoE */ + case 0x8914: /* FCoE Init */ + case 0x88cc: /* LLDP */ + case 0x88e1: /* HomePlug AV */ + case 0x88f7: /* PTP */ + case 0x8915: /* RoCE */ + return true; + default: + return false; + } +} + static void flush_or_purge_queued_packets(NetClientState *nc) { if (!nc->peer) { @@ -1780,7 +1810,8 @@ static void receive_header(VirtIONet *n, const struct= iovec *iov, int iov_cnt, } } =20 -static int receive_filter(VirtIONet *n, const uint8_t *buf, int size) +static int receive_filter(VirtIONet *n, const uint8_t *buf, int size, + size_t host_hdr_len) { static const uint8_t bcast[] =3D {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; static const uint8_t vlan[] =3D {0x81, 0x00}; 
@@ -1790,7 +1821,7 @@ static int receive_filter(VirtIONet *n, const uint8_t= *buf, int size) if (n->promisc) return 1; =20 - ptr +=3D n->host_hdr_len; + ptr +=3D host_hdr_len; =20 if (!memcmp(&ptr[12], vlan, sizeof(vlan))) { int vid =3D lduw_be_p(ptr + 14) & 0xfff; @@ -1955,12 +1986,25 @@ static ssize_t virtio_net_receive_rcu(NetClientStat= e *nc, const uint8_t *buf, QEMU_UNINITIALIZED size_t lens[VIRTQUEUE_MAX_SIZE]; QEMU_UNINITIALIZED struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; struct virtio_net_hdr_v1_hash extra_hdr; + size_t host_hdr_len =3D n->host_hdr_len; unsigned mhdr_cnt =3D 0; size_t offset, i, guest_offset, j; ssize_t err; =20 memset(&extra_hdr, 0, sizeof(extra_hdr)); =20 + if (n->vhost_started && + host_hdr_len >=3D 12 && + size >=3D host_hdr_len + ETH_HLEN) { + uint16_t et_at_host =3D lduw_be_p(buf + host_hdr_len + 12); + uint16_t et_at_m2 =3D lduw_be_p(buf + host_hdr_len + 10); + + if (!virtio_net_rx_known_ethertype(et_at_host) && + virtio_net_rx_known_ethertype(et_at_m2)) { + host_hdr_len -=3D 2; + } + } + if (n->rss_data.enabled && n->rss_data.enabled_software_rss) { int index =3D virtio_net_process_rss(nc, buf, size, &extra_hdr); if (index >=3D 0) { @@ -1975,11 +2019,11 @@ static ssize_t virtio_net_receive_rcu(NetClientStat= e *nc, const uint8_t *buf, q =3D virtio_net_get_subqueue(nc); =20 /* hdr_len refers to the header we supply to the guest */ - if (!virtio_net_has_buffers(q, size + n->guest_hdr_len - n->host_hdr_l= en)) { + if (!virtio_net_has_buffers(q, size + n->guest_hdr_len - host_hdr_len)= ) { return 0; } =20 - if (!receive_filter(n, buf, size)) + if (!receive_filter(n, buf, size, host_hdr_len)) return size; =20 offset =3D i =3D 0; 
@@ -2041,7 +2085,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState = *nc, const uint8_t *buf, sizeof(extra_hdr.hash_value) + sizeof(extra_hdr.hash_report)); } - offset =3D n->host_hdr_len; + offset =3D host_hdr_len; total +=3D n->guest_hdr_len; guest_offset =3D n->guest_hdr_len; } else { --=20 2.52.0 From nobody Tue Apr 7 18:04:52 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1773299789; cv=none; d=zohomail.com; s=zohoarc; b=Y2khiOGeLIT5RByFDlpPsRu4ava1Pa1dnVEIxV85IOkA9TSLYNa3CvMVRTTk1WOmSgSTyWA3tT3jPbELVsjlMGX/dH2TTdBWQsMWwinuQCdaMV2IOat9uyjriWPjrzVWbu/GpMT1ajA8Kgh+lJ9S0qZshRQ4dChUMLvYdSWZKnY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773299789; h=Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To:Cc; bh=7TP4pcyGvQDh1DUUtvcRt7y8rlEbVtZORgehPcPMHGA=; b=aPUbz8Fx7Z9ncavwCtbkBvVwLPfV1XpZoCTWoZeMdLaAOBowmxEd5DeqsTYhZewM2IUSN3IXb3pfkWV+ejfe66YCg0pYAhP5IhsIXtKX0DzJ7a3tByn8tr98Mjh8E4BB7GLx0cgnmTDKwo5kBNB+smGX7Z/cSgRSZJTpx2ZWG6w= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773299789143614.2899793537764; Thu, 12 Mar 2026 00:16:29 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) 
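Review bot: In virtio_net_rx_known_ethertype(), the `proto <= 1500` branch accepts every value from 0 to 1500, which makes the helper a weak discriminator for the header-length heuristic that depends on it: any two bytes that happen to form a small number count as "known". Please document why a length-field match is acceptable evidence here, or drop that branch for the shifted-position test. The case list mixes ETH_P_* names with bare hex values; use the named constants where the headers already define them, and double-check the comments, since 0x22f0 is, as far as I know, the IEEE 1722 AVTP EtherType rather than 802.1Qbe.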
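Review bot: The header-length decision added to virtio_net_receive_rcu() is derived from bytes of the received frame, which are not trusted input. With a correct 12-byte header, `buf + host_hdr_len + 10` is the last two bytes of the source MAC, so a valid frame whose EtherType is not in the list (802.1X and MPLS are absent, for example) and whose source MAC ends in a value of 1500 or less has host_hdr_len reduced by two. receive_filter() then applies its MAC and VLAN checks to a shifted frame, and the guest sees a corrupted packet. The test also runs for every RX packet while n->vhost_started is set, not only during replay. Gate it on an explicit replay state, or have the injecting side supply the header length the device negotiated so that no guessing is needed. Separately, virtio_net_process_rss(nc, buf, size, &extra_hdr) is still called without the adjusted length, so software RSS may parse at a different offset from the rest of the receive path.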
From: Cindy Lu
To: lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com, lizhijian@fujitsu.com, jmarcin@redhat.com, qemu-devel@nongnu.org
Subject: [RFC v2 9/9] net/filter-redirector: check CAP_NET_RAW before creating AF_PACKET
Date: Thu, 12 Mar 2026 15:09:37 +0800
Message-ID: <20260312071415.1836655-10-lulu@redhat.com>
In-Reply-To: <20260312071415.1836655-1-lulu@redhat.com>
References: <20260312071415.1836655-1-lulu@redhat.com>
Content-Transfer-Encoding: quoted-printable

Creating an AF_PACKET SOCK_RAW socket requires the CAP_NET_RAW capability. Without it the qemu_socket() call fails with EPERM, producing a generic error that gives no hint about the missing capability.
Add an explicit capget()-based check in filter_redirector_netdev_setup() before the socket call. Signed-off-by: Cindy Lu --- net/filter-mirror.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/net/filter-mirror.c b/net/filter-mirror.c index dabf52275a..a07ae61b2d 100644 --- a/net/filter-mirror.c +++ b/net/filter-mirror.c @@ -34,6 +34,8 @@ #include #include #include +#include +#include =20 typedef struct MirrorState MirrorState; DECLARE_INSTANCE_CHECKER(MirrorState, FILTER_MIRROR, @@ -690,6 +692,21 @@ static void filter_redirector_maybe_enable_read_poll(N= etFilterState *nf) } } =20 +static bool filter_redirector_has_cap_net_raw(void) +{ + struct __user_cap_header_struct hdr =3D { + .version =3D _LINUX_CAPABILITY_VERSION_3, + .pid =3D 0, + }; + struct __user_cap_data_struct data[2] =3D {}; + + if (syscall(SYS_capget, &hdr, data) < 0) { + return false; + } + + return data[CAP_NET_RAW >> 5].effective & (1u << (CAP_NET_RAW & 31)); +} + static bool filter_redirector_netdev_setup(NetFilterState *nf, Error **err= p) { MirrorState *s =3D FILTER_REDIRECTOR(nf); @@ -724,6 +741,13 @@ static bool filter_redirector_netdev_setup(NetFilterSt= ate *nf, Error **errp) return false; } =20 + if (!filter_redirector_has_cap_net_raw()) { + error_setg(errp, + "AF_PACKET raw socket requires CAP_NET_RAW; " + "run with 'setcap cap_net_raw+ep ' or as r= oot"); + return false; + } + fd =3D qemu_socket(AF_PACKET, SOCK_RAW | SOCK_NONBLOCK, htons(ETH_P_AL= L)); if (fd < 0) { error_setg_errno(errp, errno, "failed to create AF_PACKET socket"); --=20 2.52.0
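Review bot: filter_redirector_has_cap_net_raw() returns false when capget itself fails, so the call site in filter_redirector_netdev_setup() reports a missing CAP_NET_RAW and refuses to create the socket even when the failure has a different cause, for instance a seccomp policy that denies capget. The effective bit read here also describes the caller's own user namespace, which is not necessarily the one the kernel consults for the AF_PACKET socket, so the pre-check can disagree with what socket() would return. A simpler and exact alternative is to drop the pre-check, keep the existing qemu_socket() call, and append the CAP_NET_RAW hint to the "failed to create AF_PACKET socket" error when errno is EPERM. If the pre-check stays, report a capget failure separately from an absent capability, and have the message recommend granting the single capability rather than "or as root".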