Re: [Qemu-devel] [PATCH v2 5/9] netfilter: hook packets before net queue send

[Yang Hongyang <yanghy@cn.fujitsu.com>]

On 07/31/2015 05:09 PM, Jason Wang wrote:
>
>
> On 07/31/2015 04:24 PM, Yang Hongyang wrote:
>>
>>
>> On 07/31/2015 02:06 PM, Jason Wang wrote:
>>>
>>>
>>> On 07/31/2015 12:13 PM, Yang Hongyang wrote:
>>>> Capture packets that will be sent.
>>>>
>>>> Signed-off-by: Yang Hongyang <yanghy@cn.fujitsu.com>
>>>> ---
>>>>    include/net/filter.h |  8 +++++++
>>>>    net/filter.c         |  1 +
>>>>    net/net.c            | 67
>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++-
>>>>    3 files changed, 75 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/include/net/filter.h b/include/net/filter.h
>>>> index 1b6f896..93579c1 100644
>>>> --- a/include/net/filter.h
>>>> +++ b/include/net/filter.h
>>>> @@ -19,11 +19,19 @@ enum {
>>>>    };
>>>>
>>>>    typedef void (FilterCleanup) (NetFilterState *);
>>>> +/*
>>>> + * Return:
>>>> + *   0: finished handling the packet, we should continue
>>>> + *   size: filter stolen this packet, we stop pass this packet further
>>>> + */
>>>> +typedef ssize_t (FilterReceiveIOV)(NetFilterState *, NetClientState
>>>> *sender,
>>>> +                                   unsigned flags, const struct
>>>> iovec *, int);
>>>>
>>>>    typedef struct NetFilterInfo {
>>>>        NetFilterOptionsKind type;
>>>>        size_t size;
>>>>        FilterCleanup *cleanup;
>>>> +    FilterReceiveIOV *receive_iov;
>>>
>>> Please move this to patch 2.
>>
>> Ok, thanks!
>>
>>>
>>>>    } NetFilterInfo;
>>>>
>>>>    struct NetFilterState {
>>>> diff --git a/net/filter.c b/net/filter.c
>>>> index b3a2285..1ae9344 100644
>>>> --- a/net/filter.c
>>>> +++ b/net/filter.c
>>>> @@ -29,6 +29,7 @@ NetFilterState *qemu_new_net_filter(NetFilterInfo
>>>> *info,
>>>>        NetFilterState *nf;
>>>>
>>>>        assert(info->size >= sizeof(NetFilterState));
>>>> +    assert(info->receive_iov);
>>>>
>>>>        nf = g_malloc0(info->size);
>>>>        nf->info = info;
>>>> diff --git a/net/net.c b/net/net.c
>>>> index 22748e0..b55d934 100644
>>>> --- a/net/net.c
>>>> +++ b/net/net.c
>>>> @@ -24,6 +24,7 @@
>>>>    #include "config-host.h"
>>>>
>>>>    #include "net/net.h"
>>>> +#include "net/filter.h"
>>>>    #include "clients.h"
>>>>    #include "hub.h"
>>>>    #include "net/slirp.h"
>>>> @@ -592,6 +593,42 @@ int qemu_can_send_packet(NetClientState *sender)
>>>>        return 1;
>>>>    }
>>>>
>>>> +static ssize_t filter_receive_iov(NetClientState *nc, int chain,
>>>> +                                  NetClientState *sender,
>>>> +                                  unsigned flags,
>>>> +                                  const struct iovec *iov,
>>>> +                                  int iovcnt) {
>>>> +    ssize_t ret = 0;
>>>> +    Filter *filter = NULL;
>>>> +    NetFilterState *nf = NULL;
>>>> +    ssize_t size = iov_size(iov, iovcnt);
>>>> +
>>>> +    QTAILQ_FOREACH(filter, &nc->filters, next) {
>>>> +        nf = filter->nf;
>>>> +        if (nf->chain == chain || nf->chain == NET_FILTER_ALL) {
>>>> +            ret = nf->info->receive_iov(nf, sender, flags, iov,
>>>> iovcnt);
>>>> +            if (ret == size) {
>>>> +                return ret;
>>>> +            }
>>>> +        }
>>>> +    }
>>>
>>> So if a packet is being stolen or blocked by one filter, it could only
>>> be flushed to destination? I think we need an API to flush it into next
>>> filter.
>>
>> Yes, we could, just call next filter's receive_iov, do I need to
>> introduce
>> the API now in this series? or introduce later when we actually need it?
>
> Consider it is a public API. better in this patch.

Ok, thanks, will add a patch to do this.

> .
>

-- 
Thanks,
Yang.