From f6d3afb51f47af7bbc600c48cd54003a0b6d0f5e Mon Sep 17 00:00:00 2001 From: Zhang Chen Date: Tue, 15 Mar 2016 15:41:33 +0800 Subject: [PATCH 1/7] net/filter-mirror:Add filter-mirror Filter-mirror is a netfilter plugin. It gives qemu the ability to mirror packets to a chardev. usage: -netdev tap,id=hn0 -chardev socket,id=mirror0,host=ip_primary,port=X,server,nowait -filter-mirror,id=m0,netdev=hn0,queue=tx/rx/all,outdev=mirror0 Signed-off-by: Zhang Chen Signed-off-by: Wen Congyang Reviewed-by: Yang Hongyang Reviewed-by: zhanghailiang Signed-off-by: Jason Wang --- net/Makefile.objs | 1 + net/filter-mirror.c | 183 ++++++++++++++++++++++++++++++++++++++++++++ qemu-options.hx | 5 ++ vl.c | 3 +- 4 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 net/filter-mirror.c diff --git a/net/Makefile.objs b/net/Makefile.objs index 5fa2f9731d..b7c22fddbf 100644 --- a/net/Makefile.objs +++ b/net/Makefile.objs @@ -15,3 +15,4 @@ common-obj-$(CONFIG_VDE) += vde.o common-obj-$(CONFIG_NETMAP) += netmap.o common-obj-y += filter.o common-obj-y += filter-buffer.o +common-obj-y += filter-mirror.o diff --git a/net/filter-mirror.c b/net/filter-mirror.c new file mode 100644 index 0000000000..37bfe80392 --- /dev/null +++ b/net/filter-mirror.c @@ -0,0 +1,183 @@ +/* + * Copyright (c) 2016 HUAWEI TECHNOLOGIES CO., LTD. + * Copyright (c) 2016 FUJITSU LIMITED + * Copyright (c) 2016 Intel Corporation + * + * Author: Zhang Chen + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * later. See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" +#include "net/filter.h" +#include "net/net.h" +#include "qemu-common.h" +#include "qapi/error.h" +#include "qapi/qmp/qerror.h" +#include "qapi-visit.h" +#include "qom/object.h" +#include "qemu/main-loop.h" +#include "qemu/error-report.h" +#include "trace.h" +#include "sysemu/char.h" +#include "qemu/iov.h" +#include "qemu/sockets.h" + +#define FILTER_MIRROR(obj) \ + OBJECT_CHECK(MirrorState, (obj), TYPE_FILTER_MIRROR) + +#define TYPE_FILTER_MIRROR "filter-mirror" + +typedef struct MirrorState { + NetFilterState parent_obj; + char *outdev; + CharDriverState *chr_out; +} MirrorState; + +static int filter_mirror_send(NetFilterState *nf, + const struct iovec *iov, + int iovcnt) +{ + MirrorState *s = FILTER_MIRROR(nf); + int ret = 0; + ssize_t size = 0; + uint32_t len = 0; + char *buf; + + size = iov_size(iov, iovcnt); + if (!size) { + return 0; + } + + len = htonl(size); + ret = qemu_chr_fe_write_all(s->chr_out, (uint8_t *)&len, sizeof(len)); + if (ret != sizeof(len)) { + goto err; + } + + buf = g_malloc(size); + iov_to_buf(iov, iovcnt, 0, buf, size); + ret = qemu_chr_fe_write_all(s->chr_out, (uint8_t *)buf, size); + g_free(buf); + if (ret != size) { + goto err; + } + + return 0; + +err: + return ret < 0 ? ret : -EIO; +} + +static ssize_t filter_mirror_receive_iov(NetFilterState *nf, + NetClientState *sender, + unsigned flags, + const struct iovec *iov, + int iovcnt, + NetPacketSent *sent_cb) +{ + int ret; + + ret = filter_mirror_send(nf, iov, iovcnt); + if (ret) { + error_report("filter_mirror_send failed(%s)", strerror(-ret)); + } + + /* + * we don't hope this error interrupt the normal + * path of net packet, so we always return zero. + */ + return 0; +} + +static void filter_mirror_cleanup(NetFilterState *nf) +{ + MirrorState *s = FILTER_MIRROR(nf); + + if (s->chr_out) { + qemu_chr_fe_release(s->chr_out); + } +} + +static void filter_mirror_setup(NetFilterState *nf, Error **errp) +{ + MirrorState *s = FILTER_MIRROR(nf); + + if (!s->outdev) { + error_setg(errp, "filter filter mirror needs 'outdev' " + "property set"); + return; + } + + s->chr_out = qemu_chr_find(s->outdev); + if (s->chr_out == NULL) { + error_set(errp, ERROR_CLASS_DEVICE_NOT_FOUND, + "Device '%s' not found", s->outdev); + return; + } + + if (qemu_chr_fe_claim(s->chr_out) != 0) { + error_setg(errp, QERR_DEVICE_IN_USE, s->outdev); + return; + } +} + +static void filter_mirror_class_init(ObjectClass *oc, void *data) +{ + NetFilterClass *nfc = NETFILTER_CLASS(oc); + + nfc->setup = filter_mirror_setup; + nfc->cleanup = filter_mirror_cleanup; + nfc->receive_iov = filter_mirror_receive_iov; +} + +static char *filter_mirror_get_outdev(Object *obj, Error **errp) +{ + MirrorState *s = FILTER_MIRROR(obj); + + return g_strdup(s->outdev); +} + +static void +filter_mirror_set_outdev(Object *obj, const char *value, Error **errp) +{ + MirrorState *s = FILTER_MIRROR(obj); + + g_free(s->outdev); + s->outdev = g_strdup(value); + if (!s->outdev) { + error_setg(errp, "filter filter mirror needs 'outdev' " + "property set"); + return; + } +} + +static void filter_mirror_init(Object *obj) +{ + object_property_add_str(obj, "outdev", filter_mirror_get_outdev, + filter_mirror_set_outdev, NULL); +} + +static void filter_mirror_fini(Object *obj) +{ + MirrorState *s = FILTER_MIRROR(obj); + + g_free(s->outdev); +} + +static const TypeInfo filter_mirror_info = { + .name = TYPE_FILTER_MIRROR, + .parent = TYPE_NETFILTER, + .class_init = filter_mirror_class_init, + .instance_init = filter_mirror_init, + .instance_finalize = filter_mirror_fini, + .instance_size = sizeof(MirrorState), +}; + +static void register_types(void) +{ + type_register_static(&filter_mirror_info); +} + +type_init(register_types); diff --git a/qemu-options.hx b/qemu-options.hx index d70d0703ac..65e0391bde 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -3841,6 +3841,11 @@ queue @var{all|rx|tx} is an option that can be applied to any netfilter. @option{tx}: the filter is attached to the transmit queue of the netdev, where it will receive packets sent by the netdev. +@item -object filter-mirror,id=@var{id},netdev=@var{netdevid},outdev=@var{chardevid}[,queue=@var{all|rx|tx}] + +filter-mirror on netdev @var{netdevid},mirror net packet to chardev +@var{chardevid} + @item -object filter-dump,id=@var{id},netdev=@var{dev},file=@var{filename}][,maxlen=@var{len}] Dump the network traffic on netdev @var{dev} to the file specified by diff --git a/vl.c b/vl.c index 6cb5e40d6f..8cd1d0c11f 100644 --- a/vl.c +++ b/vl.c @@ -2841,7 +2841,8 @@ static bool object_create_initial(const char *type) * they depend on netdevs already existing */ if (g_str_equal(type, "filter-buffer") || - g_str_equal(type, "filter-dump")) { + g_str_equal(type, "filter-dump") || + g_str_equal(type, "filter-mirror")) { return false; } From 06809ecf7312c8653964de661f932a0ed7cd0076 Mon Sep 17 00:00:00 2001 From: Zhang Chen Date: Tue, 15 Mar 2016 15:41:34 +0800 Subject: [PATCH 2/7] tests/test-filter-mirror:add filter-mirror unit test In this unit test we will test the mirror function. start qemu with: -netdev socket,id=qtest-bn0,fd=sockfd -device e1000,netdev=qtest-bn0,id=qtest-e0 -chardev socket,id=mirror0,path=/tmp/filter-mirror-test.sock,server,nowait -object filter-mirror,id=qtest-f0,netdev=qtest-bn0,queue=tx,outdev=mirror0 We inject packet to netdev socket id = qtest-bn0, filter-mirror will copy and mirror the packet to mirror0. we read packet from mirror0 and then compare to what we injected. Signed-off-by: Zhang Chen Signed-off-by: Wen Congyang Signed-off-by: Jason Wang --- tests/.gitignore | 1 + tests/Makefile | 2 + tests/test-filter-mirror.c | 93 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 96 insertions(+) create mode 100644 tests/test-filter-mirror.c diff --git a/tests/.gitignore b/tests/.gitignore index 5f30cbea07..7bb4c736ea 100644 --- a/tests/.gitignore +++ b/tests/.gitignore @@ -68,5 +68,6 @@ test-write-threshold test-x86-cpuid test-xbzrle test-netfilter +test-filter-mirror *-test qapi-schema/*.test.* diff --git a/tests/Makefile b/tests/Makefile index ab185d8647..c47fecccb1 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -220,6 +220,7 @@ ifeq ($(CONFIG_VHOST_NET_TEST_i386),) check-qtest-x86_64-$(CONFIG_VHOST_NET_TEST_x86_64) += tests/vhost-user-test$(EXESUF) endif check-qtest-i386-y += tests/test-netfilter$(EXESUF) +check-qtest-i386-y += tests/test-filter-mirror$(EXESUF) check-qtest-x86_64-y = $(check-qtest-i386-y) gcov-files-i386-y += i386-softmmu/hw/timer/mc146818rtc.c gcov-files-x86_64-y = $(subst i386-softmmu/,x86_64-softmmu/,$(gcov-files-i386-y)) @@ -580,6 +581,7 @@ tests/qemu-iotests/socket_scm_helper$(EXESUF): tests/qemu-iotests/socket_scm_hel tests/test-qemu-opts$(EXESUF): tests/test-qemu-opts.o $(test-util-obj-y) tests/test-write-threshold$(EXESUF): tests/test-write-threshold.o $(test-block-obj-y) tests/test-netfilter$(EXESUF): tests/test-netfilter.o $(qtest-obj-y) +tests/test-filter-mirror$(EXESUF): tests/test-filter-mirror.o $(qtest-obj-y) tests/ivshmem-test$(EXESUF): tests/ivshmem-test.o contrib/ivshmem-server/ivshmem-server.o $(libqos-pc-obj-y) tests/vhost-user-bridge$(EXESUF): tests/vhost-user-bridge.o diff --git a/tests/test-filter-mirror.c b/tests/test-filter-mirror.c new file mode 100644 index 0000000000..f60bf2adbe --- /dev/null +++ b/tests/test-filter-mirror.c @@ -0,0 +1,93 @@ +/* + * QTest testcase for filter-mirror + * + * Copyright (c) 2016 FUJITSU LIMITED + * Author: Zhang Chen + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * later. See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" +#include +#include "libqtest.h" +#include "qemu/iov.h" +#include "qemu/sockets.h" +#include "qemu/error-report.h" +#include "qemu/main-loop.h" + +static void test_mirror(void) +{ +#ifndef _WIN32 +/* socketpair(PF_UNIX) which does not exist on windows */ + + int send_sock[2], recv_sock; + char *cmdline; + uint32_t ret = 0, len = 0; + char send_buf[] = "Hello! filter-mirror~"; + char sock_path[] = "filter-mirror.XXXXXX"; + char *recv_buf; + uint32_t size = sizeof(send_buf); + size = htonl(size); + + ret = socketpair(PF_UNIX, SOCK_STREAM, 0, send_sock); + g_assert_cmpint(ret, !=, -1); + + ret = mkstemp(sock_path); + g_assert_cmpint(ret, !=, -1); + + cmdline = g_strdup_printf("-netdev socket,id=qtest-bn0,fd=%d " + "-device e1000,netdev=qtest-bn0,id=qtest-e0 " + "-chardev socket,id=mirror0,path=%s,server,nowait " + "-object filter-mirror,id=qtest-f0,netdev=qtest-bn0,queue=tx,outdev=mirror0 " + , send_sock[1], sock_path); + qtest_start(cmdline); + g_free(cmdline); + + recv_sock = unix_connect(sock_path, NULL); + g_assert_cmpint(recv_sock, !=, -1); + + struct iovec iov[] = { + { + .iov_base = &size, + .iov_len = sizeof(size), + }, { + .iov_base = send_buf, + .iov_len = sizeof(send_buf), + }, + }; + + /* send a qmp command to guarantee that 'connected' is setting to true. */ + qmp("{ 'execute' : 'query-status'}"); + ret = iov_send(send_sock[0], iov, 2, 0, sizeof(size) + sizeof(send_buf)); + g_assert_cmpint(ret, ==, sizeof(send_buf) + sizeof(size)); + close(send_sock[0]); + + ret = qemu_recv(recv_sock, &len, sizeof(len), 0); + g_assert_cmpint(ret, ==, sizeof(len)); + len = ntohl(len); + + g_assert_cmpint(len, ==, sizeof(send_buf)); + recv_buf = g_malloc(len); + ret = qemu_recv(recv_sock, recv_buf, len, 0); + g_assert_cmpstr(recv_buf, ==, send_buf); + + g_free(recv_buf); + close(recv_sock); + unlink(sock_path); + +#endif +} + +int main(int argc, char **argv) +{ + int ret; + + g_test_init(&argc, &argv, NULL); + + qtest_add_func("/netfilter/mirror", test_mirror); + ret = g_test_run(); + qtest_end(); + + return ret; +} From ba8940dd8691f16c0180241dab0d1c0da35a71e3 Mon Sep 17 00:00:00 2001 From: Zhang Chen Date: Tue, 15 Mar 2016 18:02:51 +0800 Subject: [PATCH 3/7] net/filter-mirror: Change filter_mirror_send interface Change filter_mirror_send interface to make it easier to used by other filter Signed-off-by: Zhang Chen Signed-off-by: Wen Congyang Signed-off-by: Li Zhijian Signed-off-by: Jason Wang --- net/filter-mirror.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/filter-mirror.c b/net/filter-mirror.c index 37bfe80392..78969e8026 100644 --- a/net/filter-mirror.c +++ b/net/filter-mirror.c @@ -35,11 +35,10 @@ typedef struct MirrorState { CharDriverState *chr_out; } MirrorState; -static int filter_mirror_send(NetFilterState *nf, +static int filter_mirror_send(CharDriverState *chr_out, const struct iovec *iov, int iovcnt) { - MirrorState *s = FILTER_MIRROR(nf); int ret = 0; ssize_t size = 0; uint32_t len = 0; @@ -51,14 +50,14 @@ static int filter_mirror_send(NetFilterState *nf, } len = htonl(size); - ret = qemu_chr_fe_write_all(s->chr_out, (uint8_t *)&len, sizeof(len)); + ret = qemu_chr_fe_write_all(chr_out, (uint8_t *)&len, sizeof(len)); if (ret != sizeof(len)) { goto err; } buf = g_malloc(size); iov_to_buf(iov, iovcnt, 0, buf, size); - ret = qemu_chr_fe_write_all(s->chr_out, (uint8_t *)buf, size); + ret = qemu_chr_fe_write_all(chr_out, (uint8_t *)buf, size); g_free(buf); if (ret != size) { goto err; @@ -77,9 +76,10 @@ static ssize_t filter_mirror_receive_iov(NetFilterState *nf, int iovcnt, NetPacketSent *sent_cb) { + MirrorState *s = FILTER_MIRROR(nf); int ret; - ret = filter_mirror_send(nf, iov, iovcnt); + ret = filter_mirror_send(s->chr_out, iov, iovcnt); if (ret) { error_report("filter_mirror_send failed(%s)", strerror(-ret)); } From d46f75b2e95b664cd7ec9007daca933131b1de46 Mon Sep 17 00:00:00 2001 From: Zhang Chen Date: Thu, 17 Mar 2016 16:16:26 +0800 Subject: [PATCH 4/7] net/filter-mirror: implement filter-redirector Filter-redirector is a netfilter plugin. It gives qemu the ability to redirect net packet. redirector can redirect filter's net packet to outdev. and redirect indev's packet to filter. filter + redirector | +--------------+ | | | indev +-----------+ +----------> outdev | | | +--------------+ | v filter usage: -netdev user,id=hn0 -chardev socket,id=s0,host=ip_primary,port=X,server,nowait -chardev socket,id=s1,host=ip_primary,port=Y,server,nowait -filter-redirector,id=r0,netdev=hn0,queue=tx/rx/all,indev=s0,outdev=s1 Signed-off-by: Zhang Chen Signed-off-by: Wen Congyang Signed-off-by: Li Zhijian Signed-off-by: Jason Wang --- net/filter-mirror.c | 248 +++++++++++++++++++++++++++++++++++++++++++- qemu-options.hx | 9 ++ vl.c | 3 +- 3 files changed, 257 insertions(+), 3 deletions(-) diff --git a/net/filter-mirror.c b/net/filter-mirror.c index 78969e8026..c0c4dc60b6 100644 --- a/net/filter-mirror.c +++ b/net/filter-mirror.c @@ -27,12 +27,23 @@ #define FILTER_MIRROR(obj) \ OBJECT_CHECK(MirrorState, (obj), TYPE_FILTER_MIRROR) +#define FILTER_REDIRECTOR(obj) \ + OBJECT_CHECK(MirrorState, (obj), TYPE_FILTER_REDIRECTOR) + #define TYPE_FILTER_MIRROR "filter-mirror" +#define TYPE_FILTER_REDIRECTOR "filter-redirector" +#define REDIRECTOR_MAX_LEN NET_BUFSIZE typedef struct MirrorState { NetFilterState parent_obj; + char *indev; char *outdev; + CharDriverState *chr_in; CharDriverState *chr_out; + int state; /* 0 = getting length, 1 = getting data */ + unsigned int index; + unsigned int packet_len; + uint8_t buf[REDIRECTOR_MAX_LEN]; } MirrorState; static int filter_mirror_send(CharDriverState *chr_out, @@ -69,6 +80,96 @@ err: return ret < 0 ? ret : -EIO; } +static void +redirector_to_filter(NetFilterState *nf, const uint8_t *buf, int len) +{ + struct iovec iov = { + .iov_base = (void *)buf, + .iov_len = len, + }; + + if (nf->direction == NET_FILTER_DIRECTION_ALL || + nf->direction == NET_FILTER_DIRECTION_TX) { + qemu_netfilter_pass_to_next(nf->netdev, 0, &iov, 1, nf); + } + + if (nf->direction == NET_FILTER_DIRECTION_ALL || + nf->direction == NET_FILTER_DIRECTION_RX) { + qemu_netfilter_pass_to_next(nf->netdev->peer, 0, &iov, 1, nf); + } +} + +static int redirector_chr_can_read(void *opaque) +{ + return REDIRECTOR_MAX_LEN; +} + +static void redirector_chr_read(void *opaque, const uint8_t *buf, int size) +{ + NetFilterState *nf = opaque; + MirrorState *s = FILTER_REDIRECTOR(nf); + unsigned int l; + + while (size > 0) { + /* reassemble a packet from the network */ + switch (s->state) { /* 0 = getting length, 1 = getting data */ + case 0: + l = 4 - s->index; + if (l > size) { + l = size; + } + memcpy(s->buf + s->index, buf, l); + buf += l; + size -= l; + s->index += l; + if (s->index == 4) { + /* got length */ + s->packet_len = ntohl(*(uint32_t *)s->buf); + s->index = 0; + s->state = 1; + } + break; + case 1: + l = s->packet_len - s->index; + if (l > size) { + l = size; + } + if (s->index + l <= sizeof(s->buf)) { + memcpy(s->buf + s->index, buf, l); + } else { + error_report("serious error: oversized packet received."); + s->index = s->state = 0; + qemu_chr_add_handlers(s->chr_in, NULL, NULL, NULL, NULL); + return; + } + + s->index += l; + buf += l; + size -= l; + if (s->index >= s->packet_len) { + s->index = 0; + s->state = 0; + redirector_to_filter(nf, s->buf, s->packet_len); + } + break; + } + } +} + +static void redirector_chr_event(void *opaque, int event) +{ + NetFilterState *nf = opaque; + MirrorState *s = FILTER_REDIRECTOR(nf); + + switch (event) { + case CHR_EVENT_CLOSED: + qemu_chr_add_handlers(s->chr_in, NULL, NULL, NULL, NULL); + break; + default: + break; + } +} + static ssize_t filter_mirror_receive_iov(NetFilterState *nf, NetClientState *sender, unsigned flags, @@ -91,6 +192,27 @@ static ssize_t filter_mirror_receive_iov(NetFilterState *nf, return 0; } +static ssize_t filter_redirector_receive_iov(NetFilterState *nf, + NetClientState *sender, + unsigned flags, + const struct iovec *iov, + int iovcnt, + NetPacketSent *sent_cb) +{ + MirrorState *s = FILTER_REDIRECTOR(nf); + int ret; + + if (s->chr_out) { + ret = filter_mirror_send(s->chr_out, iov, iovcnt); + if (ret) { + error_report("filter_mirror_send failed(%s)", strerror(-ret)); + } + return iov_size(iov, iovcnt); + } else { + return 0; + } +} + static void filter_mirror_cleanup(NetFilterState *nf) { MirrorState *s = FILTER_MIRROR(nf); @@ -100,13 +222,26 @@ static void filter_mirror_cleanup(NetFilterState *nf) } } +static void filter_redirector_cleanup(NetFilterState *nf) +{ + MirrorState *s = FILTER_REDIRECTOR(nf); + + if (s->chr_in) { + qemu_chr_add_handlers(s->chr_in, NULL, NULL, NULL, NULL); + qemu_chr_fe_release(s->chr_in); + } + if (s->chr_out) { + qemu_chr_fe_release(s->chr_out); + } +} + static void filter_mirror_setup(NetFilterState *nf, Error **errp) { MirrorState *s = FILTER_MIRROR(nf); if (!s->outdev) { error_setg(errp, "filter filter mirror needs 'outdev' " - "property set"); + "property set"); return; } @@ -123,6 +258,48 @@ static void filter_mirror_setup(NetFilterState *nf, Error **errp) } } +static void filter_redirector_setup(NetFilterState *nf, Error **errp) +{ + MirrorState *s = FILTER_REDIRECTOR(nf); + + if (!s->indev && !s->outdev) { + error_setg(errp, "filter redirector needs 'indev' or " + "'outdev' at least one property set"); + return; + } else if (s->indev && s->outdev) { + if (!strcmp(s->indev, s->outdev)) { + error_setg(errp, "'indev' and 'outdev' could not be same " + "for filter redirector"); + return; + } + } + + s->state = s->index = 0; + + if (s->indev) { + s->chr_in = qemu_chr_find(s->indev); + if (s->chr_in == NULL) { + error_set(errp, ERROR_CLASS_DEVICE_NOT_FOUND, + "IN Device '%s' not found", s->indev); + return; + } + + qemu_chr_fe_claim_no_fail(s->chr_in); + qemu_chr_add_handlers(s->chr_in, redirector_chr_can_read, + redirector_chr_read, redirector_chr_event, nf); + } + + if (s->outdev) { + s->chr_out = qemu_chr_find(s->outdev); + if (s->chr_out == NULL) { + error_set(errp, ERROR_CLASS_DEVICE_NOT_FOUND, + "OUT Device '%s' not found", s->outdev); + return; + } + qemu_chr_fe_claim_no_fail(s->chr_out); + } +} + static void filter_mirror_class_init(ObjectClass *oc, void *data) { NetFilterClass *nfc = NETFILTER_CLASS(oc); @@ -132,6 +309,31 @@ static void filter_mirror_class_init(ObjectClass *oc, void *data) nfc->receive_iov = filter_mirror_receive_iov; } +static void filter_redirector_class_init(ObjectClass *oc, void *data) +{ + NetFilterClass *nfc = NETFILTER_CLASS(oc); + + nfc->setup = filter_redirector_setup; + nfc->cleanup = filter_redirector_cleanup; + nfc->receive_iov = filter_redirector_receive_iov; +} + +static char *filter_redirector_get_indev(Object *obj, Error **errp) +{ + MirrorState *s = FILTER_REDIRECTOR(obj); + + return g_strdup(s->indev); +} + +static void +filter_redirector_set_indev(Object *obj, const char *value, Error **errp) +{ + MirrorState *s = FILTER_REDIRECTOR(obj); + + g_free(s->indev); + s->indev = g_strdup(value); +} + static char *filter_mirror_get_outdev(Object *obj, Error **errp) { MirrorState *s = FILTER_MIRROR(obj); @@ -148,17 +350,41 @@ filter_mirror_set_outdev(Object *obj, const char *value, Error **errp) s->outdev = g_strdup(value); if (!s->outdev) { error_setg(errp, "filter filter mirror needs 'outdev' " - "property set"); + "property set"); return; } } +static char *filter_redirector_get_outdev(Object *obj, Error **errp) +{ + MirrorState *s = FILTER_REDIRECTOR(obj); + + return g_strdup(s->outdev); +} + +static void +filter_redirector_set_outdev(Object *obj, const char *value, Error **errp) +{ + MirrorState *s = FILTER_REDIRECTOR(obj); + + g_free(s->outdev); + s->outdev = g_strdup(value); +} + static void filter_mirror_init(Object *obj) { object_property_add_str(obj, "outdev", filter_mirror_get_outdev, filter_mirror_set_outdev, NULL); } +static void filter_redirector_init(Object *obj) +{ + object_property_add_str(obj, "indev", filter_redirector_get_indev, + filter_redirector_set_indev, NULL); + object_property_add_str(obj, "outdev", filter_redirector_get_outdev, + filter_redirector_set_outdev, NULL); +} + static void filter_mirror_fini(Object *obj) { MirrorState *s = FILTER_MIRROR(obj); @@ -166,6 +392,23 @@ static void filter_mirror_fini(Object *obj) g_free(s->outdev); } +static void filter_redirector_fini(Object *obj) +{ + MirrorState *s = FILTER_REDIRECTOR(obj); + + g_free(s->indev); + g_free(s->outdev); +} + +static const TypeInfo filter_redirector_info = { + .name = TYPE_FILTER_REDIRECTOR, + .parent = TYPE_NETFILTER, + .class_init = filter_redirector_class_init, + .instance_init = filter_redirector_init, + .instance_finalize = filter_redirector_fini, + .instance_size = sizeof(MirrorState), +}; + static const TypeInfo filter_mirror_info = { .name = TYPE_FILTER_MIRROR, .parent = TYPE_NETFILTER, @@ -178,6 +421,7 @@ static const TypeInfo filter_mirror_info = { static void register_types(void) { type_register_static(&filter_mirror_info); + type_register_static(&filter_redirector_info); } type_init(register_types); diff --git a/qemu-options.hx b/qemu-options.hx index 65e0391bde..a770086f44 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -3846,6 +3846,15 @@ queue @var{all|rx|tx} is an option that can be applied to any netfilter. filter-mirror on netdev @var{netdevid},mirror net packet to chardev @var{chardevid} +@item -object filter-redirector,id=@var{id},netdev=@var{netdevid},indev=@var{chardevid}, +outdev=@var{chardevid}[,queue=@var{all|rx|tx}] + +filter-redirector on netdev @var{netdevid},redirect filter's net packet to chardev +@var{chardevid},and redirect indev's packet to filter. +Create a filter-redirector we need to differ outdev id from indev id, id can not +be the same. we can just use indev or outdev, but at least one of indev or outdev +need to be specified. + @item -object filter-dump,id=@var{id},netdev=@var{dev},file=@var{filename}][,maxlen=@var{len}] Dump the network traffic on netdev @var{dev} to the file specified by diff --git a/vl.c b/vl.c index 8cd1d0c11f..bd81ea954c 100644 --- a/vl.c +++ b/vl.c @@ -2842,7 +2842,8 @@ static bool object_create_initial(const char *type) */ if (g_str_equal(type, "filter-buffer") || g_str_equal(type, "filter-dump") || - g_str_equal(type, "filter-mirror")) { + g_str_equal(type, "filter-mirror") || + g_str_equal(type, "filter-redirector")) { return false; } From 9fd3c5d556b21e0020d98d4695c84a655aa056f0 Mon Sep 17 00:00:00 2001 From: Zhang Chen Date: Thu, 17 Mar 2016 16:16:27 +0800 Subject: [PATCH 5/7] tests/test-filter-redirector: Add unit test for filter-redirector In this unit test,we will test the filter redirector function. Case 1, tx traffic flow: qemu side | test side | +---------+ | +-------+ | backend <---------------+ sock0 | +----+----+ | +-------+ | | +----v----+ +-------+ | | rd0 +->+chardev| | +---------+ +---+---+ | | | +---------+ | | | rd1 <------+ | +----+----+ | | | +----v----+ | +-------+ | rd2 +--------------->sock1 | +---------+ | +-------+ + a. we(sock0) inject packet to qemu socket backend b. backend pass packet to filter redirector0(rd0) c. rd0 redirect packet to out_dev(chardev) which is connected with filter redirector1's(rd1) in_dev d. rd1 read this packet from in_dev, and pass to next filter redirector2(rd2) e. rd2 redirect packet to rd2's out_dev which is connected with an opened socketed(sock1) f. we read packet from sock1 and compare to what we inject Start qemu with: "-netdev socket,id=qtest-bn0,fd=%d " "-device rtl8139,netdev=qtest-bn0,id=qtest-e0 " "-chardev socket,id=redirector0,path=%s,server,nowait " "-chardev socket,id=redirector1,path=%s,server,nowait " "-chardev socket,id=redirector2,path=%s,nowait " "-object filter-redirector,id=qtest-f0,netdev=qtest-bn0," "queue=tx,outdev=redirector0 " "-object filter-redirector,id=qtest-f1,netdev=qtest-bn0," "queue=tx,indev=redirector2 " "-object filter-redirector,id=qtest-f2,netdev=qtest-bn0," "queue=tx,outdev=redirector1 " -------------------------------------- Case 2, rx traffic flow qemu side | test side | +---------+ | +-------+ | backend +---------------> sock1 | +----^----+ | +-------+ | | +----+----+ +-------+ | | rd0 +<-+chardev| | +---------+ +---+---+ | ^ | +---------+ | | | rd1 +------+ | +----^----+ | | | +----+----+ | +-------+ | rd2 <---------------+sock0 | +---------+ | +-------+ a. we(sock0) insert packet to filter redirector2(rd2) b. rd2 pass packet to filter redirector1(rd1) c. rd1 redirect packet to out_dev(chardev) which is connected with filter redirector0's(rd0) in_dev d. rd0 read this packet from in_dev, and pass ti to qemu backend which is connected with an opened socketed(sock1) e. we read packet from sock1 and compare to what we inject Start qemu with: "-netdev socket,id=qtest-bn0,fd=%d " "-device rtl8139,netdev=qtest-bn0,id=qtest-e0 " "-chardev socket,id=redirector0,path=%s,server,nowait " "-chardev socket,id=redirector1,path=%s,server,nowait " "-chardev socket,id=redirector2,path=%s,nowait " "-object filter-redirector,id=qtest-f0,netdev=qtest-bn0," "queue=rx,outdev=redirector0 " "-object filter-redirector,id=qtest-f1,netdev=qtest-bn0," "queue=rx,indev=redirector2 " "-object filter-redirector,id=qtest-f2,netdev=qtest-bn0," "queue=rx,outdev=redirector1 " Signed-off-by: Zhang Chen Signed-off-by: Wen Congyang Signed-off-by: Li Zhijian Signed-off-by: Jason Wang --- tests/.gitignore | 1 + tests/Makefile | 2 + tests/test-filter-redirector.c | 221 +++++++++++++++++++++++++++++++++ 3 files changed, 224 insertions(+) create mode 100644 tests/test-filter-redirector.c diff --git a/tests/.gitignore b/tests/.gitignore index 7bb4c736ea..b7bf13ed27 100644 --- a/tests/.gitignore +++ b/tests/.gitignore @@ -69,5 +69,6 @@ test-x86-cpuid test-xbzrle test-netfilter test-filter-mirror +test-filter-redirector *-test qapi-schema/*.test.* diff --git a/tests/Makefile b/tests/Makefile index c47fecccb1..45b9048754 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -221,6 +221,7 @@ check-qtest-x86_64-$(CONFIG_VHOST_NET_TEST_x86_64) += tests/vhost-user-test$(EXE endif check-qtest-i386-y += tests/test-netfilter$(EXESUF) check-qtest-i386-y += tests/test-filter-mirror$(EXESUF) +check-qtest-i386-y += tests/test-filter-redirector$(EXESUF) check-qtest-x86_64-y = $(check-qtest-i386-y) gcov-files-i386-y += i386-softmmu/hw/timer/mc146818rtc.c gcov-files-x86_64-y = $(subst i386-softmmu/,x86_64-softmmu/,$(gcov-files-i386-y)) @@ -582,6 +583,7 @@ tests/test-qemu-opts$(EXESUF): tests/test-qemu-opts.o $(test-util-obj-y) tests/test-write-threshold$(EXESUF): tests/test-write-threshold.o $(test-block-obj-y) tests/test-netfilter$(EXESUF): tests/test-netfilter.o $(qtest-obj-y) tests/test-filter-mirror$(EXESUF): tests/test-filter-mirror.o $(qtest-obj-y) +tests/test-filter-redirector$(EXESUF): tests/test-filter-redirector.o $(qtest-obj-y) tests/ivshmem-test$(EXESUF): tests/ivshmem-test.o contrib/ivshmem-server/ivshmem-server.o $(libqos-pc-obj-y) tests/vhost-user-bridge$(EXESUF): tests/vhost-user-bridge.o diff --git a/tests/test-filter-redirector.c b/tests/test-filter-redirector.c new file mode 100644 index 0000000000..b93012ceae --- /dev/null +++ b/tests/test-filter-redirector.c @@ -0,0 +1,221 @@ +/* + * QTest testcase for filter-redirector + * + * Copyright (c) 2016 FUJITSU LIMITED + * Author: Zhang Chen + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * later. See the COPYING file in the top-level directory. + * + * Case 1, tx traffic flow: + * + * qemu side | test side + * | + * +---------+ | +-------+ + * | backend <---------------+ sock0 | + * +----+----+ | +-------+ + * | | + * +----v----+ +-------+ | + * | rd0 +->+chardev| | + * +---------+ +---+---+ | + * | | + * +---------+ | | + * | rd1 <------+ | + * +----+----+ | + * | | + * +----v----+ | +-------+ + * | rd2 +--------------->sock1 | + * +---------+ | +-------+ + * + + * + * -------------------------------------- + * Case 2, rx traffic flow + * qemu side | test side + * | + * +---------+ | +-------+ + * | backend +---------------> sock1 | + * +----^----+ | +-------+ + * | | + * +----+----+ +-------+ | + * | rd0 +<-+chardev| | + * +---------+ +---+---+ | + * ^ | + * +---------+ | | + * | rd1 +------+ | + * +----^----+ | + * | | + * +----+----+ | +-------+ + * | rd2 <---------------+sock0 | + * +---------+ | +-------+ + * + + */ + +#include "qemu/osdep.h" +#include +#include "libqtest.h" +#include "qemu/iov.h" +#include "qemu/sockets.h" +#include "qemu/error-report.h" +#include "qemu/main-loop.h" + +static void test_redirector_tx(void) +{ +#ifndef _WIN32 +/* socketpair(PF_UNIX) which does not exist on windows */ + + int backend_sock[2], recv_sock; + char *cmdline; + uint32_t ret = 0, len = 0; + char send_buf[] = "Hello!!"; + char sock_path0[] = "filter-redirector0.XXXXXX"; + char sock_path1[] = "filter-redirector1.XXXXXX"; + char *recv_buf; + uint32_t size = sizeof(send_buf); + size = htonl(size); + + ret = socketpair(PF_UNIX, SOCK_STREAM, 0, backend_sock); + g_assert_cmpint(ret, !=, -1); + + ret = mkstemp(sock_path0); + g_assert_cmpint(ret, !=, -1); + ret = mkstemp(sock_path1); + g_assert_cmpint(ret, !=, -1); + + cmdline = g_strdup_printf("-netdev socket,id=qtest-bn0,fd=%d " + "-device rtl8139,netdev=qtest-bn0,id=qtest-e0 " + "-chardev socket,id=redirector0,path=%s,server,nowait " + "-chardev socket,id=redirector1,path=%s,server,nowait " + "-chardev socket,id=redirector2,path=%s,nowait " + "-object filter-redirector,id=qtest-f0,netdev=qtest-bn0," + "queue=tx,outdev=redirector0 " + "-object filter-redirector,id=qtest-f1,netdev=qtest-bn0," + "queue=tx,indev=redirector2 " + "-object filter-redirector,id=qtest-f2,netdev=qtest-bn0," + "queue=tx,outdev=redirector1 " + , backend_sock[1], sock_path0, sock_path1, sock_path0); + qtest_start(cmdline); + g_free(cmdline); + + recv_sock = unix_connect(sock_path1, NULL); + g_assert_cmpint(recv_sock, !=, -1); + + /* send a qmp command to guarantee that 'connected' is setting to true. */ + qmp("{ 'execute' : 'query-status'}"); + + struct iovec iov[] = { + { + .iov_base = &size, + .iov_len = sizeof(size), + }, { + .iov_base = send_buf, + .iov_len = sizeof(send_buf), + }, + }; + + ret = iov_send(backend_sock[0], iov, 2, 0, sizeof(size) + sizeof(send_buf)); + g_assert_cmpint(ret, ==, sizeof(send_buf) + sizeof(size)); + close(backend_sock[0]); + + ret = qemu_recv(recv_sock, &len, sizeof(len), 0); + g_assert_cmpint(ret, ==, sizeof(len)); + len = ntohl(len); + + g_assert_cmpint(len, ==, sizeof(send_buf)); + recv_buf = g_malloc(len); + ret = qemu_recv(recv_sock, recv_buf, len, 0); + g_assert_cmpstr(recv_buf, ==, send_buf); + + g_free(recv_buf); + close(recv_sock); + unlink(sock_path0); + unlink(sock_path1); + qtest_end(); + +#endif +} + +static void test_redirector_rx(void) +{ +#ifndef _WIN32 +/* socketpair(PF_UNIX) which does not exist on windows */ + + int backend_sock[2], send_sock; + char *cmdline; + uint32_t ret = 0, len = 0; + char send_buf[] = "Hello!!"; + char sock_path0[] = "filter-redirector0.XXXXXX"; + char sock_path1[] = "filter-redirector1.XXXXXX"; + char *recv_buf; + uint32_t size = sizeof(send_buf); + size = htonl(size); + + ret = socketpair(PF_UNIX, SOCK_STREAM, 0, backend_sock); + g_assert_cmpint(ret, !=, -1); + + ret = mkstemp(sock_path0); + g_assert_cmpint(ret, !=, -1); + ret = mkstemp(sock_path1); + g_assert_cmpint(ret, !=, -1); + + cmdline = g_strdup_printf("-netdev socket,id=qtest-bn0,fd=%d " + "-device rtl8139,netdev=qtest-bn0,id=qtest-e0 " + "-chardev socket,id=redirector0,path=%s,server,nowait " + "-chardev socket,id=redirector1,path=%s,server,nowait " + "-chardev socket,id=redirector2,path=%s,nowait " + "-object filter-redirector,id=qtest-f0,netdev=qtest-bn0," + "queue=rx,indev=redirector0 " + "-object filter-redirector,id=qtest-f1,netdev=qtest-bn0," + "queue=rx,outdev=redirector2 " + "-object filter-redirector,id=qtest-f2,netdev=qtest-bn0," + "queue=rx,indev=redirector1 " + , backend_sock[1], sock_path0, sock_path1, sock_path0); + qtest_start(cmdline); + g_free(cmdline); + + struct iovec iov[] = { + { + .iov_base = &size, + .iov_len = sizeof(size), + }, { + .iov_base = send_buf, + .iov_len = sizeof(send_buf), + }, + }; + + send_sock = unix_connect(sock_path1, NULL); + g_assert_cmpint(send_sock, !=, -1); + /* send a qmp command to guarantee that 'connected' is setting to true. */ + qmp("{ 'execute' : 'query-status'}"); + + ret = iov_send(send_sock, iov, 2, 0, sizeof(size) + sizeof(send_buf)); + g_assert_cmpint(ret, ==, sizeof(send_buf) + sizeof(size)); + close(send_sock); + + ret = qemu_recv(backend_sock[0], &len, sizeof(len), 0); + g_assert_cmpint(ret, ==, sizeof(len)); + len = ntohl(len); + + g_assert_cmpint(len, ==, sizeof(send_buf)); + recv_buf = g_malloc(len); + ret = qemu_recv(backend_sock[0], recv_buf, len, 0); + g_assert_cmpstr(recv_buf, ==, send_buf); + + g_free(recv_buf); + unlink(sock_path0); + unlink(sock_path1); + qtest_end(); + +#endif +} + +int main(int argc, char **argv) +{ + int ret; + + g_test_init(&argc, &argv, NULL); + qtest_add_func("/netfilter/redirector_tx", test_redirector_tx); + qtest_add_func("/netfilter/redirector_rx", test_redirector_rx); + ret = g_test_run(); + + return ret; +} From 74004e8ce4306f51f593a99d175a1e1f0453deba Mon Sep 17 00:00:00 2001 From: Sameeh Jubran Date: Thu, 17 Mar 2016 09:37:57 +0200 Subject: [PATCH 6/7] e1000: Fixing interrupts pace. This patch introduces an upper bound for number of interrupts per second. Without this bound an interrupt storm can occur as it has been observed on Windows 10 when disabling the device. According to the SPEC - Intel PCI/PCI-X Family of Gigabit Ethernet Controllers Software Developer's Manual, section 13.4.18 - the Ethernet controller guarantees a maximum observable interrupt rate of 7813 interrupts/sec. If there is no upper bound this could lead to an interrupt storm by e1000 (when mit_delay < 500) causing interrupts to fire at a very high pace. Thus if mit_delay < 500 then the delay should be set to the minimum delay possible which is 500. This can be calculated easily as follows: Interval = 10^9 / (7813 * 256) = 500. Signed-off-by: Sameeh Jubran Signed-off-by: Jason Wang --- hw/net/e1000.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/net/e1000.c b/hw/net/e1000.c index 0387fa0646..09b9ab5377 100644 --- a/hw/net/e1000.c +++ b/hw/net/e1000.c @@ -357,6 +357,14 @@ set_interrupt_cause(E1000State *s, int index, uint32_t val) } mit_update_delay(&mit_delay, s->mac_reg[ITR]); + /* + * According to e1000 SPEC, the Ethernet controller guarantees + * a maximum observable interrupt rate of 7813 interrupts/sec. + * Thus if mit_delay < 500 then the delay should be set to the + * minimum delay possible which is 500. + */ + mit_delay = (mit_delay < 500) ? 500 : mit_delay; + if (mit_delay) { s->mit_timer_on = 1; timer_mod(s->mit_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + From 8e0f7dd25152385711b0224e2d3c65ede0239cd9 Mon Sep 17 00:00:00 2001 From: Sameeh Jubran Date: Thu, 17 Mar 2016 09:37:58 +0200 Subject: [PATCH 7/7] Revert "e1000: fix hang of win2k12 shutdown with flood ping" This reverts commit 9596ef7c7b8528bedb240792ea1fb598543ad3c4. This workaround in order to fix endless interrupts is no longer needed because it was superseded by the previous patch (e1000: Fixing interrupt pace). Signed-off-by: Sameeh Jubran Signed-off-by: Jason Wang --- hw/net/e1000.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/hw/net/e1000.c b/hw/net/e1000.c index 09b9ab5377..8e79b550e6 100644 --- a/hw/net/e1000.c +++ b/hw/net/e1000.c @@ -456,11 +456,6 @@ static void e1000_reset(void *opaque) e1000_link_down(d); } - /* Throttle interrupts to prevent guest (e.g Win 2012) from - * reinjecting interrupts endlessly. TODO: fix non ITR case. - */ - d->mac_reg[ITR] = 250; - /* Some guests expect pre-initialized RAH/RAL (AddrValid flag + MACaddr) */ d->mac_reg[RA] = 0; d->mac_reg[RA + 1] = E1000_RAH_AV;