[Qemu-devel] [PATCH v4 0/4] Netfilter: Add each netdev a default filter

[Qemu-devel] [PATCH v4 0/4] Netfilter: Add each netdev a default filter

[zhanghailiang]

This series is a prerequisite for COLO, here we add each netdev
a default buffer filter, it is disabled by default, and has
no side effect for delivering packets in net layer.

ChangeLog:
v4:
 - Rename helper netdev_add_filter() to netdev_add_default_filter()
   and drop the is_default parameter (HongYang)
 - Rename DEFAULT_FILTER_TYPE to DEFAULT_FILTER_ID

v3:
 - Drop patch '[PATCH RFC v2 2/5] vl: Make object_create() public'
 - Use object_new_with_props() instead of object_create() (Daniel)
v2:
 - Drop the patch net/filter: prevent the default filter to be deleted' (Jason)
 - Re-implement netdev_add_filter() by re-using object_object() (Jason)
 - Send patch 'net/filter: Fix the output information for command 'info
   network' as an independent one. (Jason)

zhanghailiang (4):
  net/filter: Add a 'status' property for filter object
  net/filter: Introduce a helper to add a filter to the netdev
  filter-buffer: Accept zero interval
  net/filter: Add a default filter to each netdev

 include/net/filter.h | 11 +++++++
 net/filter-buffer.c  | 10 ------
 net/filter.c         | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 net/net.c            | 22 ++++++++++++++
 4 files changed, 119 insertions(+), 10 deletions(-)

-- 
1.8.3.1

[Qemu-devel] [PATCH v4 1/4] net/filter: Add a 'status' property for filter object

[zhanghailiang]

With this property, users can control if this filter is 'enable'
or 'disable'. The default behavior for filter is enabled.

We will skip the disabled filter when delivering packets in net layer.

Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
---
v2:
 - Squash previous patch 3 into this patch (Jason's suggestion)
---
 include/net/filter.h |  1 +
 net/filter.c         | 45 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/include/net/filter.h b/include/net/filter.h
index 5639976..af3c53c 100644
--- a/include/net/filter.h
+++ b/include/net/filter.h
@@ -55,6 +55,7 @@ struct NetFilterState {
     char *netdev_id;
     NetClientState *netdev;
     NetFilterDirection direction;
+    bool enabled;
     QTAILQ_ENTRY(NetFilterState) next;
 };
 
diff --git a/net/filter.c b/net/filter.c
index d2a514e..5551cf1 100644
--- a/net/filter.c
+++ b/net/filter.c
@@ -17,6 +17,11 @@
 #include "qom/object_interfaces.h"
 #include "qemu/iov.h"
 
+static inline bool qemu_need_skip_netfilter(NetFilterState *nf)
+{
+    return nf->enabled ? false : true;
+}
+
 ssize_t qemu_netfilter_receive(NetFilterState *nf,
                                NetFilterDirection direction,
                                NetClientState *sender,
@@ -25,6 +30,10 @@ ssize_t qemu_netfilter_receive(NetFilterState *nf,
                                int iovcnt,
                                NetPacketSent *sent_cb)
 {
+    /* Don't go through the filter if it is disabled */
+    if (qemu_need_skip_netfilter(nf)) {
+        return 0;
+    }
     if (nf->direction == direction ||
         nf->direction == NET_FILTER_DIRECTION_ALL) {
         return NETFILTER_GET_CLASS(OBJECT(nf))->receive_iov(
@@ -134,8 +143,41 @@ static void netfilter_set_direction(Object *obj, int direction, Error **errp)
     nf->direction = direction;
 }
 
+static char *netfilter_get_status(Object *obj, Error **errp)
+{
+    NetFilterState *nf = NETFILTER(obj);
+
+    if (nf->enabled) {
+        return g_strdup("enable");
+    } else {
+        return g_strdup("disable");
+    }
+}
+
+static void netfilter_set_status(Object *obj, const char *str, Error **errp)
+{
+    NetFilterState *nf = NETFILTER(obj);
+
+    if (!strcmp(str, "enable")) {
+        nf->enabled = true;
+    } else if (!strcmp(str, "disable")) {
+        nf->enabled = false;
+    } else {
+        error_setg(errp, "Invalid value for netfilter status, "
+                         "should be 'enable' or 'disable'");
+    }
+}
+
 static void netfilter_init(Object *obj)
 {
+    NetFilterState *nf = NETFILTER(obj);
+
+    /*
+    * If not configured with 'status' property, the default status
+    * for netfilter will be enabled.
+    */
+    nf->enabled = true;
+
     object_property_add_str(obj, "netdev",
                             netfilter_get_netdev_id, netfilter_set_netdev_id,
                             NULL);
@@ -143,6 +185,9 @@ static void netfilter_init(Object *obj)
                              NetFilterDirection_lookup,
                              netfilter_get_direction, netfilter_set_direction,
                              NULL);
+    object_property_add_str(obj, "status",
+                            netfilter_get_status, netfilter_set_status,
+                            NULL);
 }
 
 static void netfilter_complete(UserCreatable *uc, Error **errp)
-- 
1.8.3.1

[Qemu-devel] [PATCH v4 2/4] net/filter: Introduce a helper to add a filter to the netdev

[zhanghailiang]

We add a new helper function netdev_add_default_filter(),
this function can help adding a filter object to a netdev.
Besides, we add a is_default member for struct NetFilterState
to indicate whether the filter is default or not.

Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
---
v4:
 - Rename netdev_add_filter() to netdev_add_default_filter()
 - Drop useless is_default parameter for netdev_add_default_filter()
   (Hongyang's suggestion)
v3:
 - Use object_new_with_props() instead of object_create()
  (Daniel's suggestion)
v2:
 - Re-implement netdev_add_filter() by re-using object_create()
  (Jason's suggestion)
---
 include/net/filter.h |  6 ++++++
 net/filter.c         | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)

diff --git a/include/net/filter.h b/include/net/filter.h
index af3c53c..b42f473 100644
--- a/include/net/filter.h
+++ b/include/net/filter.h
@@ -55,6 +55,7 @@ struct NetFilterState {
     char *netdev_id;
     NetClientState *netdev;
     NetFilterDirection direction;
+    bool is_default;
     bool enabled;
     QTAILQ_ENTRY(NetFilterState) next;
 };
@@ -74,4 +75,9 @@ ssize_t qemu_netfilter_pass_to_next(NetClientState *sender,
                                     int iovcnt,
                                     void *opaque);
 
+void netdev_add_default_filter(const char *netdev_id,
+                               const char *filter_type,
+                               const char *filter_id,
+                               Error **errp);
+
 #endif /* QEMU_NET_FILTER_H */
diff --git a/net/filter.c b/net/filter.c
index 5551cf1..079dc4c 100644
--- a/net/filter.c
+++ b/net/filter.c
@@ -177,6 +177,7 @@ static void netfilter_init(Object *obj)
     * for netfilter will be enabled.
     */
     nf->enabled = true;
+    nf->is_default = false;
 
     object_property_add_str(obj, "netdev",
                             netfilter_get_netdev_id, netfilter_set_netdev_id,
@@ -232,6 +233,46 @@ static void netfilter_complete(UserCreatable *uc, Error **errp)
     QTAILQ_INSERT_TAIL(&nf->netdev->filters, nf, next);
 }
 
+/*
+ * Attach a default filter to the netdev, the default
+ * filter will be disabled by default, and it will be
+ * used internally, the net packets will not pass through
+ * it before it is enabled.
+ */
+void netdev_add_default_filter(const char *netdev_id,
+                               const char *filter_type,
+                               const char *filter_id,
+                               Error **errp)
+{
+    NetClientState *nc = qemu_find_netdev(netdev_id);
+    Object *filter;
+    NetFilterState *nf;
+    Error *local_err = NULL;
+
+    /* FIXME: Not support multiple queues */
+    if (!nc || nc->queue_index > 1) {
+        return;
+    }
+    /* Not support vhost-net */
+    if (get_vhost_net(nc)) {
+        return;
+    }
+
+    filter = object_new_with_props(filter_type,
+                        object_get_objects_root(),
+                        filter_id,
+                        &local_err,
+                        "netdev", netdev_id,
+                        "status", "disable",
+                        NULL);
+    if (local_err) {
+        error_propagate(errp, local_err);
+        return;
+    }
+    nf = NETFILTER(filter);
+    nf->is_default = true;
+}
+
 static void netfilter_finalize(Object *obj)
 {
     NetFilterState *nf = NETFILTER(obj);
-- 
1.8.3.1

[Qemu-devel] [PATCH v4 3/4] filter-buffer: Accept zero interval

[zhanghailiang]

We may want to accept zero interval when VM FT solutions like MC
or COLO use this filter to release packets on demand.

Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Reviewed-by: Yang Hongyang <hongyang.yang@easystack.cn>
---
 net/filter-buffer.c | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/net/filter-buffer.c b/net/filter-buffer.c
index 2353d5b..58cea8f 100644
--- a/net/filter-buffer.c
+++ b/net/filter-buffer.c
@@ -104,16 +104,6 @@ static void filter_buffer_setup(NetFilterState *nf, Error **errp)
 {
     FilterBufferState *s = FILTER_BUFFER(nf);
 
-    /*
-     * We may want to accept zero interval when VM FT solutions like MC
-     * or COLO use this filter to release packets on demand.
-     */
-    if (!s->interval) {
-        error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "interval",
-                   "a non-zero interval");
-        return;
-    }
-
     s->incoming_queue = qemu_new_net_queue(qemu_netfilter_pass_to_next, nf);
     if (s->interval) {
         timer_init_us(&s->release_timer, QEMU_CLOCK_VIRTUAL,
-- 
1.8.3.1

[Qemu-devel] [PATCH v4 4/4] net/filter: Add a default filter to each netdev

[zhanghailiang]

We add each netdev a default buffer filter, and
the default buffer filter is disabled, so it has
no side effect for packets delivering in qemu net layer.

The default buffer filter can be used by COLO or Micro-checkpoint,
The reason we add the default filter is we hope to support
hot add network during COLO state in future.

Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
---
v4:
 - Rname DEFAULT_FILTER_TYPE to DEFAULT_FILTER_ID
v2:
- Add codes that generate id automatically for default filter
  (Jason's suggestion)
- Some other minor fixes.
---
 include/net/filter.h |  4 ++++
 net/net.c            | 22 ++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/include/net/filter.h b/include/net/filter.h
index b42f473..f7ca794 100644
--- a/include/net/filter.h
+++ b/include/net/filter.h
@@ -22,6 +22,10 @@
 #define NETFILTER_CLASS(klass) \
     OBJECT_CLASS_CHECK(NetFilterClass, (klass), TYPE_NETFILTER)
 
+#define DEFAULT_FILTER_ID "nop"
+
+#define TYPE_FILTER_BUFFER "filter-buffer"
+
 typedef void (FilterSetup) (NetFilterState *nf, Error **errp);
 typedef void (FilterCleanup) (NetFilterState *nf);
 /*
diff --git a/net/net.c b/net/net.c
index c5e414f..b882d98 100644
--- a/net/net.c
+++ b/net/net.c
@@ -77,6 +77,12 @@ const char *host_net_devices[] = {
 
 int default_net = 1;
 
+/*
+ * TODO: Export this with an option for users to control
+ * this with comand line ?
+ */
+char default_netfilter_type[16] = TYPE_FILTER_BUFFER;
+
 /***********************************************************/
 /* network device redirectors */
 
@@ -1039,6 +1045,22 @@ static int net_client_init1(const void *object, int is_netdev, Error **errp)
         }
         return -1;
     }
+
+    if (is_netdev) {
+        const Netdev *netdev = object;
+        char filter_name[128];
+
+        snprintf(filter_name, sizeof(filter_name),
+                "%s%s", netdev->id, DEFAULT_FILTER_ID);
+        /*
+        * Here we add each netdev a default filter,
+        * it will disabled by default, Users can enable it when necessary.
+        */
+        netdev_add_default_filter(netdev->id,
+                       default_netfilter_type,
+                       filter_name,
+                       errp);
+    }
     return 0;
 }
 
-- 
1.8.3.1