From 953ae2a7a0188a8bb3b1fa34023f298c44e6d3b7 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Mon, 11 Feb 2013 15:58:34 +0100 Subject: main/libvirt: upgrade to 1.0.2 and update public ip NAT patches --- ...-error-constants-in-libvirt-python-module.patch | 98 +++++ ...1-complete-virterror-virerror-name-change.patch | 40 ++ ...upport-set-public-ip-for-forward-mode-nat.patch | 277 ------------ ...-set-public-ip-range-for-forward-mode-nat.patch | 487 +++++++++++++++++++++ ...or-iptables-command-construction-into-mul.patch | 40 +- ...port-for-specifying-port-range-for-forwar.patch | 379 ++++++++++++++++ main/libvirt/APKBUILD | 78 ++-- ...irt-1.0.0-remove-uclibc-mkostemp-redefine.patch | 14 - 8 files changed, 1070 insertions(+), 343 deletions(-) create mode 100644 main/libvirt/0001-Fix-missing-error-constants-in-libvirt-python-module.patch create mode 100644 main/libvirt/0001-complete-virterror-virerror-name-change.patch delete mode 100644 main/libvirt/0001-net-support-set-public-ip-for-forward-mode-nat.patch create mode 100644 main/libvirt/0001-net-support-set-public-ip-range-for-forward-mode-nat.patch create mode 100644 main/libvirt/0002-net-add-support-for-specifying-port-range-for-forwar.patch delete mode 100644 main/libvirt/libvirt-1.0.0-remove-uclibc-mkostemp-redefine.patch (limited to 'main/libvirt') diff --git a/main/libvirt/0001-Fix-missing-error-constants-in-libvirt-python-module.patch b/main/libvirt/0001-Fix-missing-error-constants-in-libvirt-python-module.patch new file mode 100644 index 000000000..b9afb5103 --- /dev/null +++ b/main/libvirt/0001-Fix-missing-error-constants-in-libvirt-python-module.patch 
@@ -0,0 +1,98 @@ +From 25ea8e47e74def560bf89cd94dd54b75ca5ff4d6 Mon Sep 17 00:00:00 2001 +From: "Daniel P. Berrange" +Date: Tue, 5 Feb 2013 12:55:09 +0000 +Subject: [PATCH] Fix missing error constants in libvirt python module + +The previous change to the generator, changed too much - only +the functions are in 'virerror.c', the constants remained in +'virerror.h' which could not be renamed for API compat reasons. + +Add a test case to sanity check the generated python bindings + +Signed-off-by: Daniel P. Berrange +--- + python/Makefile.am | 5 +++++ + python/generator.py | 4 +++- + python/sanitytest.py | 31 +++++++++++++++++++++++++++++++ + 3 files changed, 39 insertions(+), 1 deletion(-) + create mode 100644 python/sanitytest.py + +diff --git a/python/Makefile.am b/python/Makefile.am +index dd69600..ef3c3eb 100644 +--- a/python/Makefile.am ++++ b/python/Makefile.am +@@ -119,6 +119,11 @@ $(libvirtmod_la_OBJECTS): $(GENERATED) + $(libvirtmod_qemu_la_OBJECTS): $(QEMU_GENERATED) + $(libvirtmod_lxc_la_OBJECTS): $(LXC_GENERATED) + ++EXTRA_DIST += sanitytest.py ++ ++check-local: ++ $(AM_V_GEN)PYTHONPATH=$(abs_topbuilddir):$(abs_topbuilddir)/.libs $(PYTHON) $(srcdir)/sanitytest.py ++ + install-data-local: + $(mkinstalldirs) $(DESTDIR)$(pyexecdir) + $(INSTALL) -m 0644 libvirt.py $(DESTDIR)$(pyexecdir) +diff --git a/python/generator.py b/python/generator.py +index 71ca883..ceade6b 100755 +--- a/python/generator.py ++++ b/python/generator.py +@@ -122,8 +122,9 @@ class docParser(xml.sax.handler.ContentHandler): + if attrs.has_key('field'): + self.function_return_field = attrs['field'] + elif tag == 'enum': ++ # enums come from header files, hence virterror.h + if (attrs['file'] == "libvirt" or +- attrs['file'] == "virerror"): ++ attrs['file'] == "virterror"): + enum(attrs['type'],attrs['name'],attrs['value']) + elif attrs['file'] == "libvirt-lxc": + lxc_enum(attrs['type'],attrs['name'],attrs['value']) +@@ -134,6 +135,7 @@ class docParser(xml.sax.handler.ContentHandler): + if 
debug: + print "end %s" % tag + if tag == 'function': ++ # fuctions come from source files, hence 'virerror.c' + if self.function != None: + if (self.function_module == "libvirt" or + self.function_module == "virevent" or +diff --git a/python/sanitytest.py b/python/sanitytest.py +new file mode 100644 +index 0000000..047450b +--- /dev/null ++++ b/python/sanitytest.py +@@ -0,0 +1,31 @@ ++#!/usr/bin/python ++ ++import libvirt ++ ++globals = dir(libvirt) ++ ++# Sanity test that the generator hasn't gone wrong ++ ++# Look for core classes ++assert("virConnect" in globals) ++assert("virDomain" in globals) ++assert("virDomainSnapshot" in globals) ++assert("virInterface" in globals) ++assert("virNWFilter" in globals) ++assert("virNodeDevice" in globals) ++assert("virNetwork" in globals) ++assert("virSecret" in globals) ++assert("virStoragePool" in globals) ++assert("virStorageVol" in globals) ++assert("virStream" in globals) ++assert("VIR_CONNECT_RO" in globals) ++ ++# Error related bits ++assert("libvirtError" in globals) ++assert("VIR_ERR_AUTH_FAILED" in globals) ++assert("virGetLastError" in globals) ++ ++# Some misc methods ++assert("virInitialize" in globals) ++assert("virEventAddHandle" in globals) ++assert("virEventRegisterDefaultImpl" in globals) +-- +1.7.11.7 + diff --git a/main/libvirt/0001-complete-virterror-virerror-name-change.patch b/main/libvirt/0001-complete-virterror-virerror-name-change.patch new file mode 100644 index 000000000..c16b009df --- /dev/null +++ b/main/libvirt/0001-complete-virterror-virerror-name-change.patch 
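Review bot: The embedded generator.py header in this patch (`index 71ca883..ceade6b`) shows it applies on top of the tree produced by 0001-complete-virterror-virerror-name-change.patch (`index 5d27f66..71ca883`), and its enum branch deliberately flips `"virerror"` back to `"virterror"` that the other patch introduced, so the two are order-dependent; both carry the same `0001-` prefix, which does not express that. The APKBUILD that lists the apply order is outside this view, so confirm it names the virterror rename before this fix; renumbering this file as `0002-Fix-missing-error-constants-in-libvirt-python-module.patch` would make the order self-describing. Both files are new, so the whole unit is visible here.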
@@ -0,0 +1,40 @@ +From a6b8bae5a6a4752926eba409202ec061d81c6c8a Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Wed, 30 Jan 2013 21:05:45 -0600 +Subject: [PATCH] complete virterror->virerror name change + +Without these two string changes in generator.py, the +virGetLastError wrapper does not get created in +/usr/share/pyshared/libvirt.py. Noticed when running +tests with virt-install. + +Signed-off-by: Serge Hallyn +--- + python/generator.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/python/generator.py b/python/generator.py +index 5d27f66..71ca883 100755 +--- a/python/generator.py ++++ b/python/generator.py +@@ -123,7 +123,7 @@ class docParser(xml.sax.handler.ContentHandler): + self.function_return_field = attrs['field'] + elif tag == 'enum': + if (attrs['file'] == "libvirt" or +- attrs['file'] == "virterror"): ++ attrs['file'] == "virerror"): + enum(attrs['type'],attrs['name'],attrs['value']) + elif attrs['file'] == "libvirt-lxc": + lxc_enum(attrs['type'],attrs['name'],attrs['value']) +@@ -137,7 +137,7 @@ class docParser(xml.sax.handler.ContentHandler): + if self.function != None: + if (self.function_module == "libvirt" or + self.function_module == "virevent" or +- self.function_module == "virterror"): ++ self.function_module == "virerror"): + function(self.function, self.function_descr, + self.function_return, self.function_args, + self.function_file, self.function_module, +-- +1.8.1 + diff --git a/main/libvirt/0001-net-support-set-public-ip-for-forward-mode-nat.patch b/main/libvirt/0001-net-support-set-public-ip-for-forward-mode-nat.patch deleted file mode 100644 index 831466f95..000000000 --- a/main/libvirt/0001-net-support-set-public-ip-for-forward-mode-nat.patch +++ /dev/null 
@@ -1,277 +0,0 @@ -From da1e7fe01acdaf13b3fb9e3cda53627063014da9 Mon Sep 17 00:00:00 2001 -From: Natanael Copa -Date: Tue, 4 Dec 2012 17:03:51 +0100 -Subject: [PATCH] net: support set public ip for forward mode nat - -Support setting which public ip to use for NAT via attribute -publicaddr. This will construct an iptables line using '-j SNAT ---to-source ' instead of '-j MASQUERADE'. - -Signed-off-by: Natanael Copa ---- - docs/formatnetwork.html.in | 4 +++- - src/conf/network_conf.c | 33 +++++++++++++++++++++++++++++++++ - src/conf/network_conf.h | 1 + - src/network/bridge_driver.c | 24 ++++++++++++++++-------- - src/util/iptables.c | 31 ++++++++++++++++++++++++------- - src/util/iptables.h | 6 ++++-- - 6 files changed, 81 insertions(+), 18 deletions(-) - -diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in -index 49206dd..07f9783 100644 ---- a/docs/formatnetwork.html.in -+++ b/docs/formatnetwork.html.in -@@ -125,7 +125,9 @@ - other network device whether ethernet, wireless, dialup, - or VPN. If the dev attribute is set, the - firewall rules will restrict forwarding to the named -- device only. Inbound connections from other networks are -+ device only. If the publicaddr attribute is set, -+ the given source address will be used with iptables' SNAT -+ target. 
Inbound connections from other networks are - all prohibited; all connections between guests on the same - network, and to/from the host to the guests, are - unrestricted and not NATed.Since -diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c -index 6ce2e63..36128ac 100644 ---- a/src/conf/network_conf.c -+++ b/src/conf/network_conf.c -@@ -174,6 +174,7 @@ void virNetworkDefFree(virNetworkDefPtr def) - VIR_FREE(def->name); - VIR_FREE(def->bridge); - VIR_FREE(def->domain); -+ VIR_FREE(def->publicaddr); - - for (ii = 0 ; ii < def->nForwardPfs && def->forwardPfs ; ii++) { - virNetworkForwardPfDefClear(&def->forwardPfs[ii]); -@@ -1211,6 +1212,22 @@ error: - return result; - } - -+static int -+virValidPublicaddr(const char *publicaddr) -+{ -+ /* only check for max len and valid chars for now */ -+ const int maxlen = sizeof("123.123.123.123-123.123.123.123:65535-65534")-1; -+ int len = strlen(publicaddr); -+ -+ if (len > maxlen) -+ return 0; -+ -+ if (strspn(publicaddr, "0123456789.-:") < len) -+ return 0; -+ -+ return 1; -+} -+ - static virNetworkDefPtr - virNetworkDefParseXML(xmlXPathContextPtr ctxt) - { -@@ -1387,6 +1404,21 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) - def->managed = 1; - } - -+ def->publicaddr = virXPathString("string(./@publicaddr)", ctxt); -+ if (def->publicaddr != NULL) { -+ char *errstr = NULL; -+ if (def->forwardType != VIR_NETWORK_FORWARD_NAT) { -+ errstr = "Attribute 'publicaddr' is only valid with mode='nat'"; -+ } else if (!virValidPublicaddr(def->publicaddr)) { -+ errstr = "Attribute 'publicaddr' must be in the format: ipaddr[-ipaddr][:port[-port]]"; -+ } -+ -+ if (errstr != NULL) { -+ virReportError(VIR_ERR_XML_ERROR, "%s", _(errstr)); -+ goto error; -+ } -+ } -+ - /* all of these modes can use a pool of physical interfaces */ - nForwardIfs = virXPathNodeSet("./interface", ctxt, &forwardIfNodes); - nForwardPfs = virXPathNodeSet("./pf", ctxt, &forwardPfNodes); -@@ -1861,6 +1893,7 @@ char *virNetworkDefFormat(const 
virNetworkDefPtr def, unsigned int flags) - } - virBufferAddLit(&buf, "publicaddr); - virBufferAsprintf(&buf, " mode='%s'", mode); - if (def->forwardType == VIR_NETWORK_FORWARD_HOSTDEV) { - if (def->managed == 1) -diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h -index 3e46304..76fb591 100644 ---- a/src/conf/network_conf.h -+++ b/src/conf/network_conf.h -@@ -206,6 +206,7 @@ struct _virNetworkDef { - virPortGroupDefPtr portGroups; - virNetDevBandwidthPtr bandwidth; - virNetDevVlan vlan; -+ char *publicaddr; - }; - - typedef struct _virNetworkObj virNetworkObj; -diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c -index 75f3c3a..04f178b 100644 ---- a/src/network/bridge_driver.c -+++ b/src/network/bridge_driver.c -@@ -1438,7 +1438,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, - &ipdef->address, - prefix, - forwardIf, -- NULL) < 0) { -+ NULL, -+ network->def->publicaddr) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - forwardIf ? - _("failed to add iptables rule to enable masquerading to %s") : -@@ -1452,7 +1453,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, - &ipdef->address, - prefix, - forwardIf, -- "udp") < 0) { -+ "udp", -+ network->def->publicaddr) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - forwardIf ? - _("failed to add iptables rule to enable UDP masquerading to %s") : -@@ -1466,7 +1468,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, - &ipdef->address, - prefix, - forwardIf, -- "tcp") < 0) { -+ "tcp", -+ network->def->publicaddr) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - forwardIf ? 
- _("failed to add iptables rule to enable TCP masquerading to %s") : -@@ -1482,13 +1485,15 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, - &ipdef->address, - prefix, - forwardIf, -- "udp"); -+ "udp", -+ network->def->publicaddr); - masqerr4: - iptablesRemoveForwardMasquerade(driver->iptables, - &ipdef->address, - prefix, - forwardIf, -- NULL); -+ NULL, -+ network->def->publicaddr); - masqerr3: - iptablesRemoveForwardAllowRelatedIn(driver->iptables, - &ipdef->address, -@@ -1518,17 +1523,20 @@ networkRemoveMasqueradingIptablesRules(struct network_driver *driver, - &ipdef->address, - prefix, - forwardIf, -- "tcp"); -+ "tcp", -+ network->def->publicaddr); - iptablesRemoveForwardMasquerade(driver->iptables, - &ipdef->address, - prefix, - forwardIf, -- "udp"); -+ "udp", -+ network->def->publicaddr); - iptablesRemoveForwardMasquerade(driver->iptables, - &ipdef->address, - prefix, - forwardIf, -- NULL); -+ NULL, -+ network->def->publicaddr); - - iptablesRemoveForwardAllowRelatedIn(driver->iptables, - &ipdef->address, -diff --git a/src/util/iptables.c b/src/util/iptables.c -index 407ca3a..4a89673 100644 ---- a/src/util/iptables.c -+++ b/src/util/iptables.c -@@ -804,6 +804,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, - unsigned int prefix, - const char *physdev, - const char *protocol, -+ const char *publicaddr, - int action) - { - int ret; -@@ -833,10 +834,24 @@ iptablesForwardMasquerade(iptablesContext *ctx, - if (physdev && physdev[0]) - virCommandAddArgList(cmd, "--out-interface", physdev, NULL); - -- virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL); -+ /* Use --jump SNAT if public addr is specified */ -+ if (publicaddr && publicaddr[0]) { -+ char tmpstr[sizeof("123.123.123.123-123.123.123.123:65535-65535")]; -+ const char *portstr = ""; - -- if (protocol && protocol[0]) -- virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL); -+ memset(tmpstr, 0, sizeof(tmpstr)); -+ if (protocol && protocol[0] && (strchr(publicaddr, ':') == 
NULL)) -+ portstr = ":1024-65535"; -+ snprintf(tmpstr, sizeof(tmpstr), "%s%s", publicaddr, portstr); -+ -+ virCommandAddArgList(cmd, "--jump", "SNAT", -+ "--to-source", tmpstr, NULL); -+ } else { -+ virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL); -+ -+ if (protocol && protocol[0]) -+ virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL); -+ } - - ret = iptablesCommandRunAndFree(cmd); - VIR_FREE(networkstr); -@@ -861,9 +876,10 @@ iptablesAddForwardMasquerade(iptablesContext *ctx, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, -- const char *protocol) -+ const char *protocol, -+ const char *publicaddr) - { -- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, ADD); -+ return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, publicaddr, ADD); - } - - /** -@@ -884,9 +900,10 @@ iptablesRemoveForwardMasquerade(iptablesContext *ctx, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, -- const char *protocol) -+ const char *protocol, -+ const char *publicaddr) - { -- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, REMOVE); -+ return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, publicaddr, REMOVE); - } - - -diff --git a/src/util/iptables.h b/src/util/iptables.h -index e54f8b1..a9d2772 100644 ---- a/src/util/iptables.h -+++ b/src/util/iptables.h -@@ -105,12 +105,14 @@ int iptablesAddForwardMasquerade (iptablesContext *ctx, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, -- const char *protocol); -+ const char *protocol, -+ const char *publicaddr); - int iptablesRemoveForwardMasquerade (iptablesContext *ctx, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, -- const char *protocol); -+ const char *protocol, -+ const char *publicaddr); - int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx, - const char *iface, - int port); --- -1.8.0.1 - 
diff --git a/main/libvirt/0001-net-support-set-public-ip-range-for-forward-mode-nat.patch b/main/libvirt/0001-net-support-set-public-ip-range-for-forward-mode-nat.patch new file mode 100644 index 000000000..789bd9bda --- /dev/null +++ b/main/libvirt/0001-net-support-set-public-ip-range-for-forward-mode-nat.patch @@ -0,0 +1,487 @@ +From 18d50f3bc920d70a65e2c3b1f08826db91d8ae2e Mon Sep 17 00:00:00 2001 +From: Natanael Copa +Date: Sun, 3 Feb 2013 12:18:36 +0100 +Subject: [PATCH 1/2] net: support set public ip range for forward mode nat + +Support setting which public ip to use for NAT via attribute +address in subelement in : + +... + +
+ +... + +This will construct an iptables line using: + + '-j SNAT --to-source -' + +instead of: + + '-j MASQUERADE' + +Signed-off-by: Natanael Copa +--- + docs/formatnetwork.html.in | 18 ++++++ + src/conf/network_conf.c | 152 ++++++++++++++++++++++++++++++++++++++++++-- + src/conf/network_conf.h | 3 + + src/network/bridge_driver.c | 16 +++++ + src/util/viriptables.c | 56 +++++++++++++--- + src/util/viriptables.h | 4 ++ + 6 files changed, 235 insertions(+), 14 deletions(-) + +diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in +index 7b42529..5fbd0a9 100644 +--- a/docs/formatnetwork.html.in ++++ b/docs/formatnetwork.html.in +@@ -136,6 +136,24 @@ + network, and to/from the host to the guests, are + unrestricted and not NATed.Since + 0.4.2 ++ ++

Since 1.0.3 it is possible to ++ specify a public IPv4 address range to be used for the NAT by ++ using the <nat> and ++ <address> subelements. ++

++...
++  <forward mode='nat'>
++    <nat>
++      <address start='1.2.3.4' end='1.2.3.10'/>
++    </nat>
++  </forward>
++...
++            
++ An singe IPv4 address can be set by setting ++ start and end attributes to ++ the same value. ++

+ + +
route
+diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c +index 3604ff7..61d086a 100644 +--- a/src/conf/network_conf.c ++++ b/src/conf/network_conf.c +@@ -1325,6 +1325,80 @@ cleanup: + } + + static int ++virNetworkForwardNatDefParseXML(const char *networkName, ++ xmlNodePtr node, ++ xmlXPathContextPtr ctxt, ++ virNetworkForwardDefPtr def) ++{ ++ int ret = -1; ++ xmlNodePtr *natAddrNodes = NULL; ++ int nNatAddrs; ++ char *addr_start = NULL; ++ char *addr_end = NULL; ++ xmlNodePtr save = ctxt->node; ++ ++ ctxt->node = node; ++ ++ if (def->type != VIR_NETWORK_FORWARD_NAT) { ++ virReportError(VIR_ERR_XML_ERROR, ++ _("The element can only be used when 'mode' is 'nat' in network %s"), ++ networkName); ++ goto cleanup; ++ } ++ ++ /* addresses for SNAT */ ++ nNatAddrs = virXPathNodeSet("./address", ctxt, &natAddrNodes); ++ if (nNatAddrs < 0) { ++ virReportError(VIR_ERR_XML_ERROR, ++ _("invalid
element found in of " ++ "network %s"), networkName); ++ goto cleanup; ++ } else if (nNatAddrs > 1) { ++ virReportError(VIR_ERR_XML_ERROR, ++ _("Only one
element is allowed in in " ++ " in network %s"), networkName); ++ goto cleanup; ++ } else if (nNatAddrs == 1) { ++ addr_start = virXMLPropString(*natAddrNodes, "start"); ++ if (addr_start == NULL) { ++ virReportError(VIR_ERR_XML_ERROR, ++ _("missing 'start' attribute in
element in in " ++ " in network %s"), networkName); ++ goto cleanup; ++ } ++ addr_end = virXMLPropString(*natAddrNodes, "end"); ++ if (addr_end == NULL) { ++ virReportError(VIR_ERR_XML_ERROR, ++ _("missing 'end' attribute in
element in in " ++ " in network %s"), networkName); ++ goto cleanup; ++ } ++ } ++ ++ if (addr_start && virSocketAddrParse(&def->addr_start, addr_start, AF_INET) < 0) { ++ virReportError(VIR_ERR_XML_ERROR, ++ _("Bad ipv4 start address '%s' in in in " ++ "network '%s'"), addr_start, networkName); ++ goto cleanup; ++ } ++ ++ if (addr_end && virSocketAddrParse(&def->addr_end, addr_end, AF_INET) < 0) { ++ virReportError(VIR_ERR_XML_ERROR, ++ _("Bad ipv4 end address '%s' in in in " ++ "network '%s'"), addr_end, networkName); ++ goto cleanup; ++ } ++ ++ ret = 0; ++ ++cleanup: ++ VIR_FREE(addr_start); ++ VIR_FREE(addr_end); ++ ctxt->node = save; ++ return ret; ++} ++ ++static int + virNetworkForwardDefParseXML(const char *networkName, + xmlNodePtr node, + xmlXPathContextPtr ctxt, +@@ -1334,7 +1408,8 @@ virNetworkForwardDefParseXML(const char *networkName, + xmlNodePtr *forwardIfNodes = NULL; + xmlNodePtr *forwardPfNodes = NULL; + xmlNodePtr *forwardAddrNodes = NULL; +- int nForwardIfs, nForwardAddrs, nForwardPfs; ++ xmlNodePtr *forwardNatNodes = NULL; ++ int nForwardIfs, nForwardAddrs, nForwardPfs, nForwardNats; + char *forwardDev = NULL; + char *forwardManaged = NULL; + char *type = NULL; +@@ -1384,6 +1459,24 @@ virNetworkForwardDefParseXML(const char *networkName, + goto cleanup; + } + ++ nForwardNats = virXPathNodeSet("./nat", ctxt, &forwardNatNodes); ++ if (nForwardNats < 0) { ++ virReportError(VIR_ERR_XML_ERROR, ++ _("invalid element found in of network %s"), ++ networkName); ++ goto cleanup; ++ } else if (nForwardNats > 1) { ++ virReportError(VIR_ERR_XML_ERROR, ++ _("Only one element is allowed in of network %s"), ++ networkName); ++ goto cleanup; ++ } else if (nForwardNats == 1) { ++ if (virNetworkForwardNatDefParseXML(networkName, ++ *forwardNatNodes, ++ ctxt, def) < 0) ++ goto cleanup; ++ } ++ + if (((nForwardIfs > 0) + (nForwardAddrs > 0) + (nForwardPfs > 0)) > 1) { + virReportError(VIR_ERR_XML_ERROR, + _("
, , and elements in " +@@ -1525,6 +1618,7 @@ cleanup: + VIR_FREE(forwardPfNodes); + VIR_FREE(forwardIfNodes); + VIR_FREE(forwardAddrNodes); ++ VIR_FREE(forwardNatNodes); + ctxt->node = save; + return ret; + } +@@ -2079,13 +2173,54 @@ virPortGroupDefFormat(virBufferPtr buf, + } + + static int ++virNatDefFormat(virBufferPtr buf, ++ const virNetworkForwardDefPtr fwd) ++{ ++ char *addr_start = NULL; ++ char *addr_end = NULL; ++ int ret = -1; ++ ++ if (VIR_SOCKET_ADDR_VALID(&fwd->addr_start)) { ++ addr_start = virSocketAddrFormat(&fwd->addr_start); ++ if (!addr_start) ++ goto cleanup; ++ } ++ ++ if (VIR_SOCKET_ADDR_VALID(&fwd->addr_end)) { ++ addr_end = virSocketAddrFormat(&fwd->addr_end); ++ if (!addr_end) ++ goto cleanup; ++ } ++ ++ if (!addr_end && !addr_start) ++ return 0; ++ ++ virBufferAddLit(buf, "\n"); ++ virBufferAdjustIndent(buf, 2); ++ ++ virBufferAsprintf(buf, "
\n"); ++ ++ virBufferAdjustIndent(buf, -2); ++ virBufferAsprintf(buf, "\n"); ++ ret = 0; ++ ++cleanup: ++ VIR_FREE(addr_start); ++ VIR_FREE(addr_end); ++ return ret; ++} ++ ++static int + virNetworkDefFormatInternal(virBufferPtr buf, + const virNetworkDefPtr def, + unsigned int flags) + { + unsigned char *uuid; + char uuidstr[VIR_UUID_STRING_BUFLEN]; +- int ii; ++ int ii, shortforward; + + virBufferAddLit(buf, "connections > 0)) { +@@ -2122,10 +2257,17 @@ virNetworkDefFormatInternal(virBufferPtr buf, + else + virBufferAddLit(buf, " managed='no'"); + } +- virBufferAsprintf(buf, "%s>\n", +- (def->forward.nifs || def->forward.npfs) ? "" : "/"); ++ shortforward = !(def->forward.nifs || def->forward.npfs ++ || VIR_SOCKET_ADDR_VALID(&def->forward.addr_start) ++ || VIR_SOCKET_ADDR_VALID(&def->forward.addr_end)); ++ virBufferAsprintf(buf, "%s>\n", shortforward ? "/" : ""); + virBufferAdjustIndent(buf, 2); + ++ if (def->forward.type == VIR_NETWORK_FORWARD_NAT) { ++ if (virNatDefFormat(buf, &def->forward) < 0) ++ goto error; ++ } ++ + /* For now, hard-coded to at most 1 forward.pfs */ + if (def->forward.npfs) + virBufferEscapeString(buf, "\n", +@@ -2155,7 +2297,7 @@ virNetworkDefFormatInternal(virBufferPtr buf, + } + } + virBufferAdjustIndent(buf, -2); +- if (def->forward.npfs || def->forward.nifs) ++ if (!shortforward) + virBufferAddLit(buf, "\n"); + } + +diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h +index 4c634ed..1a598e3 100644 +--- a/src/conf/network_conf.h ++++ b/src/conf/network_conf.h +@@ -174,6 +174,9 @@ struct _virNetworkForwardDef { + + size_t nifs; + virNetworkForwardIfDefPtr ifs; ++ ++ /* adresses for SNAT */ ++ virSocketAddr addr_start, addr_end; + }; + + typedef struct _virPortGroupDef virPortGroupDef; +diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c +index c834f83..6d74c1f 100644 +--- a/src/network/bridge_driver.c ++++ b/src/network/bridge_driver.c +@@ -1587,6 +1587,8 @@ networkAddMasqueradingIptablesRules(struct 
network_driver *driver, + &ipdef->address, + prefix, + forwardIf, ++ &network->def->forward.addr_start, ++ &network->def->forward.addr_end, + NULL) < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + forwardIf ? +@@ -1601,6 +1603,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, + &ipdef->address, + prefix, + forwardIf, ++ &network->def->forward.addr_start, ++ &network->def->forward.addr_end, + "udp") < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + forwardIf ? +@@ -1615,6 +1619,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, + &ipdef->address, + prefix, + forwardIf, ++ &network->def->forward.addr_start, ++ &network->def->forward.addr_end, + "tcp") < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + forwardIf ? +@@ -1631,12 +1637,16 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, + &ipdef->address, + prefix, + forwardIf, ++ &network->def->forward.addr_start, ++ &network->def->forward.addr_end, + "udp"); + masqerr4: + iptablesRemoveForwardMasquerade(driver->iptables, + &ipdef->address, + prefix, + forwardIf, ++ &network->def->forward.addr_start, ++ &network->def->forward.addr_end, + NULL); + masqerr3: + iptablesRemoveForwardAllowRelatedIn(driver->iptables, +@@ -1667,16 +1677,22 @@ networkRemoveMasqueradingIptablesRules(struct network_driver *driver, + &ipdef->address, + prefix, + forwardIf, ++ &network->def->forward.addr_start, ++ &network->def->forward.addr_end, + "tcp"); + iptablesRemoveForwardMasquerade(driver->iptables, + &ipdef->address, + prefix, + forwardIf, ++ &network->def->forward.addr_start, ++ &network->def->forward.addr_end, + "udp"); + iptablesRemoveForwardMasquerade(driver->iptables, + &ipdef->address, + prefix, + forwardIf, ++ &network->def->forward.addr_start, ++ &network->def->forward.addr_end, + NULL); + + iptablesRemoveForwardAllowRelatedIn(driver->iptables, +diff --git a/src/util/viriptables.c b/src/util/viriptables.c +index 41fe780..3f0dcf0 100644 +--- a/src/util/viriptables.c ++++ 
b/src/util/viriptables.c +@@ -805,11 +805,15 @@ iptablesForwardMasquerade(iptablesContext *ctx, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, ++ virSocketAddr *addr_start, ++ virSocketAddr *addr_end, + const char *protocol, + int action) + { +- int ret; +- char *networkstr; ++ int ret = -1; ++ char *networkstr = NULL; ++ char *addr_start_str = NULL; ++ char *addr_end_str = NULL; + virCommandPtr cmd = NULL; + + if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) +@@ -820,8 +824,18 @@ iptablesForwardMasquerade(iptablesContext *ctx, + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Attempted to NAT '%s'. NAT is only supported for IPv4."), + networkstr); +- VIR_FREE(networkstr); +- return -1; ++ goto cleanup; ++ } ++ ++ if (VIR_SOCKET_ADDR_IS_FAMILY(addr_start, AF_INET)) { ++ addr_start_str = virSocketAddrFormat(addr_start); ++ if (!addr_start_str) ++ goto cleanup; ++ if (VIR_SOCKET_ADDR_IS_FAMILY(addr_end, AF_INET)) { ++ addr_end_str = virSocketAddrFormat(addr_end); ++ if (!addr_end_str) ++ goto cleanup; ++ } + } + + cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action); +@@ -835,12 +849,32 @@ iptablesForwardMasquerade(iptablesContext *ctx, + if (physdev && physdev[0]) + virCommandAddArgList(cmd, "--out-interface", physdev, NULL); + +- virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL); ++ /* Use --jump SNAT if public addr is specified */ ++ if (addr_start_str && addr_start_str[0]) { ++ char tmpstr[sizeof("123.123.123.123-123.123.123.123:65535-65535")]; ++ const char *portstr = ""; ++ ++ memset(tmpstr, 0, sizeof(tmpstr)); ++ if (protocol && protocol[0]) ++ portstr = ":1024-65535"; ++ if (addr_end_str && addr_end_str[0]) { ++ snprintf(tmpstr, sizeof(tmpstr), "%s-%s%s", ++ addr_start_str, addr_end_str, portstr); ++ } else { ++ snprintf(tmpstr, sizeof(tmpstr), "%s%s", addr_start_str, portstr); ++ } + +- if (protocol && protocol[0]) +- virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL); ++ virCommandAddArgList(cmd, 
"--jump", "SNAT", ++ "--to-source", tmpstr, NULL); ++ } else { ++ virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL); ++ ++ if (protocol && protocol[0]) ++ virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL); ++ } + + ret = iptablesCommandRunAndFree(cmd); ++cleanup: + VIR_FREE(networkstr); + return ret; + } +@@ -863,9 +897,11 @@ iptablesAddForwardMasquerade(iptablesContext *ctx, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, ++ virSocketAddr *addr_start, ++ virSocketAddr *addr_end, + const char *protocol) + { +- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, ADD); ++ return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr_start, addr_end, protocol, ADD); + } + + /** +@@ -886,9 +922,11 @@ iptablesRemoveForwardMasquerade(iptablesContext *ctx, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, ++ virSocketAddr *addr_start, ++ virSocketAddr *addr_end, + const char *protocol) + { +- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, REMOVE); ++ return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr_start, addr_end, protocol, REMOVE); + } + + +diff --git a/src/util/viriptables.h b/src/util/viriptables.h +index d7fa731..4241380 100644 +--- a/src/util/viriptables.h ++++ b/src/util/viriptables.h +@@ -107,11 +107,15 @@ int iptablesAddForwardMasquerade (iptablesContext *ctx, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, ++ virSocketAddr *addr_start, ++ virSocketAddr *addr_end, + const char *protocol); + int iptablesRemoveForwardMasquerade (iptablesContext *ctx, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, ++ virSocketAddr *addr_start, ++ virSocketAddr *addr_end, + const char *protocol); + int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx, + const char *iface, +-- +1.8.1.2 + 
diff --git a/main/libvirt/0001-util-refactor-iptables-command-construction-into-mul.patch b/main/libvirt/0001-util-refactor-iptables-command-construction-into-mul.patch index 6441577b1..d77da2f2f 100644 --- a/main/libvirt/0001-util-refactor-iptables-command-construction-into-mul.patch +++ b/main/libvirt/0001-util-refactor-iptables-command-construction-into-mul.patch @@ -1,6 +1,6 @@ -From d1be257a85234f139c073f7c41f845065dd7246e Mon Sep 17 00:00:00 2001 +From f3531a040cf2ea1fc432a7613af4e9e823b2caa1 Mon Sep 17 00:00:00 2001 From: Natanael Copa -Date: Thu, 22 Nov 2012 13:33:23 +0100 +Date: Mon, 4 Feb 2013 10:45:23 +0100 Subject: [PATCH] util: refactor iptables command construction into multiple steps @@ -10,15 +10,25 @@ so we can add conditional options like physdev and protocol. This removes code duplication while keeping existing behaviour. Signed-off-by: Natanael Copa +Signed-off-by: Eric Blake --- - src/util/iptables.c | 130 +++++++++++++++++++++++----------------------------- - 1 file changed, 58 insertions(+), 72 deletions(-) + src/util/viriptables.c | 132 ++++++++++++++++++++++--------------------------- + 1 file changed, 59 insertions(+), 73 deletions(-) -diff --git a/src/util/iptables.c b/src/util/iptables.c -index 00a1c29..407ca3a 100644 ---- a/src/util/iptables.c -+++ b/src/util/iptables.c -@@ -127,15 +127,10 @@ iptRulesNew(const char *table, +diff --git a/src/util/viriptables.c b/src/util/viriptables.c +index 2c4290a..41fe780 100644 +--- a/src/util/viriptables.c ++++ b/src/util/viriptables.c +@@ -1,7 +1,7 @@ + /* + * viriptables.c: helper APIs for managing iptables + * +- * Copyright (C) 2007-2012 Red Hat, Inc. ++ * Copyright (C) 2007-2013 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public +@@ -129,15 +129,10 @@ iptRulesNew(const char *table, return NULL; } 
@@ -36,7 +46,7 @@ index 00a1c29..407ca3a 100644 #if HAVE_FIREWALLD virIpTablesInitialize(); if (firewall_cmd_path) { -@@ -152,16 +147,36 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action, +@@ -154,16 +149,36 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action, virCommandAddArgList(cmd, "--table", rules->table, action == ADD ? "--insert" : "--delete", @@ -77,7 +87,7 @@ index 00a1c29..407ca3a 100644 } /** -@@ -370,28 +385,24 @@ iptablesForwardAllowOut(iptablesContext *ctx, +@@ -372,28 +387,24 @@ iptablesForwardAllowOut(iptablesContext *ctx, { int ret; char *networkstr; @@ -109,7 +119,7 @@ index 00a1c29..407ca3a 100644 + action); + virCommandAddArgList(cmd, + "--source", networkstr, -+ "--in-interface", iface, NULL); ++ "--in-interface", iface, NULL); + + if (physdev && physdev[0]) + virCommandAddArgList(cmd, "--out-interface", physdev, NULL); @@ -120,7 +130,7 @@ index 00a1c29..407ca3a 100644 VIR_FREE(networkstr); return ret; } -@@ -797,6 +808,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, +@@ -799,6 +810,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, { int ret; char *networkstr; @@ -128,7 +138,7 @@ index 00a1c29..407ca3a 100644 if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; -@@ -810,49 +822,23 @@ iptablesForwardMasquerade(iptablesContext *ctx, +@@ -812,49 +824,23 @@ iptablesForwardMasquerade(iptablesContext *ctx, return -1; } @@ -196,5 +206,5 @@ index 00a1c29..407ca3a 100644 return ret; } -- -1.8.0.1 +1.8.1.2 diff --git a/main/libvirt/0002-net-add-support-for-specifying-port-range-for-forwar.patch b/main/libvirt/0002-net-add-support-for-specifying-port-range-for-forwar.patch new file mode 100644 index 000000000..3c1a32f10 --- /dev/null +++ b/main/libvirt/0002-net-add-support-for-specifying-port-range-for-forwar.patch 
@@ -0,0 +1,379 @@ +From acca897f2d0631e2acd4c5c53fd57a4d0a3eb712 Mon Sep 17 00:00:00 2001 +From: Natanael Copa +Date: Mon, 11 Feb 2013 10:08:56 +0100 +Subject: [PATCH 2/2] net: add support for specifying port range for forward + mode nat + +Let users set the port range to be used for forward mode NAT: + +... + + + + + +... + +Signed-off-by: Natanael Copa +--- + docs/formatnetwork.html.in | 21 ++++++++++++++--- + src/conf/network_conf.c | 57 +++++++++++++++++++++++++++++++++++++++------ + src/conf/network_conf.h | 3 ++- + src/network/bridge_driver.c | 16 +++++++++++++ + src/util/viriptables.c | 39 ++++++++++++++++++++++++------- + src/util/viriptables.h | 4 ++++ + 6 files changed, 120 insertions(+), 20 deletions(-) + +diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in +index 5fbd0a9..adb5bb9 100644 +--- a/docs/formatnetwork.html.in ++++ b/docs/formatnetwork.html.in +@@ -138,9 +138,11 @@ + 0.4.2 + +

Since 1.0.3 it is possible to +- specify a public IPv4 address range to be used for the NAT by +- using the <nat> and +- <address> subelements. ++ specify a public IPv4 address and port range to be used for ++ the NAT by using the <nat> subelement. ++ The address range is set with the <address> ++ subelements and start and stop ++ attributes: +

+ ...
+   <forward mode='nat'>
+@@ -154,6 +156,19 @@
+             start and end attributes to
+             the same value.
+             

++

++ The port range to be used for the <nat> can ++ be set via the subelement <port>: ++

++...
++  <forward mode='nat'>
++    <nat>
++      <port start='500' end='1000'/>
++    </nat>
++  </forward>
++...
++            
++

+ + +
route
+diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c +index 61d086a..5725800 100644 +--- a/src/conf/network_conf.c ++++ b/src/conf/network_conf.c +@@ -1332,7 +1332,8 @@ virNetworkForwardNatDefParseXML(const char *networkName, + { + int ret = -1; + xmlNodePtr *natAddrNodes = NULL; +- int nNatAddrs; ++ xmlNodePtr *natPortNodes = NULL; ++ int nNatAddrs, nNatPorts; + char *addr_start = NULL; + char *addr_end = NULL; + xmlNodePtr save = ctxt->node; +@@ -1389,6 +1390,36 @@ virNetworkForwardNatDefParseXML(const char *networkName, + goto cleanup; + } + ++ /* ports for SNAT and MASQUERADE */ ++ nNatPorts = virXPathNodeSet("./port", ctxt, &natPortNodes); ++ if (nNatPorts < 0) { ++ virReportError(VIR_ERR_XML_ERROR, ++ _("invalid element found in of " ++ "network %s"), networkName); ++ goto cleanup; ++ } else if (nNatPorts > 1) { ++ virReportError(VIR_ERR_XML_ERROR, ++ _("Only one element is allowed in in " ++ " in network %s"), networkName); ++ goto cleanup; ++ } else if (nNatPorts == 1) { ++ if (virXPathUInt("string(./port[1]/@start)", ctxt, &def->port_start) < 0 ++ || def->port_start > 65535) { ++ ++ virReportError(VIR_ERR_XML_DETAIL, ++ _("Missing or invalid 'start' attribute in " ++ "in in in network %s"), ++ networkName); ++ goto cleanup; ++ } ++ if (virXPathUInt("string(./port[1]/@end)", ctxt, &def->port_end) < 0 ++ || def->port_end > 65535 || def->port_end < def->port_start) { ++ virReportError(VIR_ERR_XML_DETAIL, ++ _("Missing or invalid 'end' attribute in in " ++ " in in network %s"), networkName); ++ goto cleanup; ++ } ++ } + ret = 0; + + cleanup: +@@ -2179,6 +2210,7 @@ virNatDefFormat(virBufferPtr buf, + char *addr_start = NULL; + char *addr_end = NULL; + int ret = -1; ++ int longdef; + + if (VIR_SOCKET_ADDR_VALID(&fwd->addr_start)) { + addr_start = virSocketAddrFormat(&fwd->addr_start); +@@ -2192,16 +2224,25 @@ virNatDefFormat(virBufferPtr buf, + goto cleanup; + } + +- if (!addr_end && !addr_start) ++ if (!addr_start && !addr_end && !fwd->port_start && 
!fwd->port_end) + return 0; + + virBufferAddLit(buf, "\n"); + virBufferAdjustIndent(buf, 2); + +- virBufferAsprintf(buf, "
\n"); ++ if (addr_start) { ++ virBufferAsprintf(buf, "
\n"); ++ } ++ ++ if (fwd->port_start || fwd->port_end) { ++ virBufferAsprintf(buf, "port_start); ++ if (fwd->port_end) ++ virBufferAsprintf(buf, " end='%d'", fwd->port_end); ++ virBufferAsprintf(buf, "/>\n"); ++ } + + virBufferAdjustIndent(buf, -2); + virBufferAsprintf(buf, "\n"); +@@ -2259,7 +2300,9 @@ virNetworkDefFormatInternal(virBufferPtr buf, + } + shortforward = !(def->forward.nifs || def->forward.npfs + || VIR_SOCKET_ADDR_VALID(&def->forward.addr_start) +- || VIR_SOCKET_ADDR_VALID(&def->forward.addr_end)); ++ || VIR_SOCKET_ADDR_VALID(&def->forward.addr_end) ++ || def->forward.port_start ++ || def->forward.port_end); + virBufferAsprintf(buf, "%s>\n", shortforward ? "/" : ""); + virBufferAdjustIndent(buf, 2); + +diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h +index 1a598e3..7df2426 100644 +--- a/src/conf/network_conf.h ++++ b/src/conf/network_conf.h +@@ -175,8 +175,9 @@ struct _virNetworkForwardDef { + size_t nifs; + virNetworkForwardIfDefPtr ifs; + +- /* adresses for SNAT */ ++ /* ranges for NAT */ + virSocketAddr addr_start, addr_end; ++ unsigned int port_start, port_end; + }; + + typedef struct _virPortGroupDef virPortGroupDef; +diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c +index 6d74c1f..5c83085 100644 +--- a/src/network/bridge_driver.c ++++ b/src/network/bridge_driver.c +@@ -1589,6 +1589,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, + forwardIf, + &network->def->forward.addr_start, + &network->def->forward.addr_end, ++ network->def->forward.port_start, ++ network->def->forward.port_end, + NULL) < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + forwardIf ? +@@ -1605,6 +1607,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, + forwardIf, + &network->def->forward.addr_start, + &network->def->forward.addr_end, ++ network->def->forward.port_start, ++ network->def->forward.port_end, + "udp") < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + forwardIf ? 
+@@ -1621,6 +1625,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, + forwardIf, + &network->def->forward.addr_start, + &network->def->forward.addr_end, ++ network->def->forward.port_start, ++ network->def->forward.port_end, + "tcp") < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + forwardIf ? +@@ -1639,6 +1645,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, + forwardIf, + &network->def->forward.addr_start, + &network->def->forward.addr_end, ++ network->def->forward.port_start, ++ network->def->forward.port_end, + "udp"); + masqerr4: + iptablesRemoveForwardMasquerade(driver->iptables, +@@ -1647,6 +1655,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, + forwardIf, + &network->def->forward.addr_start, + &network->def->forward.addr_end, ++ network->def->forward.port_start, ++ network->def->forward.port_end, + NULL); + masqerr3: + iptablesRemoveForwardAllowRelatedIn(driver->iptables, +@@ -1679,6 +1689,8 @@ networkRemoveMasqueradingIptablesRules(struct network_driver *driver, + forwardIf, + &network->def->forward.addr_start, + &network->def->forward.addr_end, ++ network->def->forward.port_start, ++ network->def->forward.port_end, + "tcp"); + iptablesRemoveForwardMasquerade(driver->iptables, + &ipdef->address, +@@ -1686,6 +1698,8 @@ networkRemoveMasqueradingIptablesRules(struct network_driver *driver, + forwardIf, + &network->def->forward.addr_start, + &network->def->forward.addr_end, ++ network->def->forward.port_start, ++ network->def->forward.port_end, + "udp"); + iptablesRemoveForwardMasquerade(driver->iptables, + &ipdef->address, +@@ -1693,6 +1707,8 @@ networkRemoveMasqueradingIptablesRules(struct network_driver *driver, + forwardIf, + &network->def->forward.addr_start, + &network->def->forward.addr_end, ++ network->def->forward.port_start, ++ network->def->forward.port_end, + NULL); + + iptablesRemoveForwardAllowRelatedIn(driver->iptables, +diff --git a/src/util/viriptables.c 
b/src/util/viriptables.c +index 3f0dcf0..aa48520 100644 +--- a/src/util/viriptables.c ++++ b/src/util/viriptables.c +@@ -807,6 +807,8 @@ iptablesForwardMasquerade(iptablesContext *ctx, + const char *physdev, + virSocketAddr *addr_start, + virSocketAddr *addr_end, ++ unsigned int port_start, ++ unsigned int port_end, + const char *protocol, + int action) + { +@@ -815,6 +817,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, + char *addr_start_str = NULL; + char *addr_end_str = NULL; + virCommandPtr cmd = NULL; ++ char port_str[sizeof(":65535-65535")] = ""; + + if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) + return -1; +@@ -849,19 +852,27 @@ iptablesForwardMasquerade(iptablesContext *ctx, + if (physdev && physdev[0]) + virCommandAddArgList(cmd, "--out-interface", physdev, NULL); + ++ if (protocol && protocol[0]) { ++ if (port_start == 0 && port_end == 0) { ++ port_start = 1024; ++ port_end = 65535; ++ } ++ ++ if (port_start < port_end && port_end < 65536) ++ snprintf(port_str, sizeof(port_str), ":%d-%d", ++ port_start, port_end); ++ } ++ + /* Use --jump SNAT if public addr is specified */ + if (addr_start_str && addr_start_str[0]) { + char tmpstr[sizeof("123.123.123.123-123.123.123.123:65535-65535")]; +- const char *portstr = ""; + + memset(tmpstr, 0, sizeof(tmpstr)); +- if (protocol && protocol[0]) +- portstr = ":1024-65535"; + if (addr_end_str && addr_end_str[0]) { + snprintf(tmpstr, sizeof(tmpstr), "%s-%s%s", +- addr_start_str, addr_end_str, portstr); ++ addr_start_str, addr_end_str, port_str); + } else { +- snprintf(tmpstr, sizeof(tmpstr), "%s%s", addr_start_str, portstr); ++ snprintf(tmpstr, sizeof(tmpstr), "%s%s", addr_start_str, port_str); + } + + virCommandAddArgList(cmd, "--jump", "SNAT", +@@ -869,8 +880,8 @@ iptablesForwardMasquerade(iptablesContext *ctx, + } else { + virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL); + +- if (protocol && protocol[0]) +- virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL); ++ if (port_str[0]) 
++ virCommandAddArgList(cmd, "--to-ports", &port_str[1], NULL); + } + + ret = iptablesCommandRunAndFree(cmd); +@@ -899,9 +910,14 @@ iptablesAddForwardMasquerade(iptablesContext *ctx, + const char *physdev, + virSocketAddr *addr_start, + virSocketAddr *addr_end, ++ unsigned int port_start, ++ unsigned int port_end, + const char *protocol) + { +- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr_start, addr_end, protocol, ADD); ++ return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, ++ addr_start, addr_end, ++ port_start, port_end, ++ protocol, ADD); + } + + /** +@@ -924,9 +940,14 @@ iptablesRemoveForwardMasquerade(iptablesContext *ctx, + const char *physdev, + virSocketAddr *addr_start, + virSocketAddr *addr_end, ++ unsigned int port_start, ++ unsigned int port_end, + const char *protocol) + { +- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr_start, addr_end, protocol, REMOVE); ++ return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, ++ addr_start, addr_end, ++ port_start, port_end, ++ protocol, REMOVE); + } + + +diff --git a/src/util/viriptables.h b/src/util/viriptables.h +index 4241380..f2db368 100644 +--- a/src/util/viriptables.h ++++ b/src/util/viriptables.h +@@ -109,6 +109,8 @@ int iptablesAddForwardMasquerade (iptablesContext *ctx, + const char *physdev, + virSocketAddr *addr_start, + virSocketAddr *addr_end, ++ unsigned int port_start, ++ unsigned int port_end, + const char *protocol); + int iptablesRemoveForwardMasquerade (iptablesContext *ctx, + virSocketAddr *netaddr, +@@ -116,6 +118,8 @@ int iptablesRemoveForwardMasquerade (iptablesContext *ctx, + const char *physdev, + virSocketAddr *addr_start, + virSocketAddr *addr_end, ++ unsigned int port_start, ++ unsigned int port_end, + const char *protocol); + int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx, + const char *iface, +-- +1.8.1.2 + diff --git a/main/libvirt/APKBUILD b/main/libvirt/APKBUILD index fb246694d..836fd2f42 100644 
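Review bot: In iptablesForwardMasquerade the new guard `if (port_start < port_end && port_end < 65536)` leaves port_str empty when start equals end, although virNetworkForwardNatDefParseXML in the same patch only rejects `def->port_end < def->port_start`; a `<port start='500' end='500'/>` therefore passes validation, yet the SNAT/MASQUERADE rule is installed with no `--to-ports` / port suffix at all, silently widening what the administrator configured. Change the test to `if (port_start <= port_end && port_end < 65536)` so the firewall rule matches what the parser accepted, or make the parser reject the equal case as well. The parser also admits `start='0'` (only an all-zero range selects the 1024-65535 default), which would reach iptables as `0-N`; requiring `def->port_start >= 1` there avoids relying on iptables to reject it. Minor: both snprintf calls print the unsigned values with `%d`; `%u` is the matching conversion.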
--- a/main/libvirt/APKBUILD +++ b/main/libvirt/APKBUILD @@ -1,10 +1,8 @@ # Maintainer: Leonardo Arena pkgname=libvirt -vmajor="1.0.0" -vminor="" -pkgver="${vmajor}" +pkgver="1.0.2" _ver="${pkgver/_rc/-rc}" -pkgrel=2 +pkgrel=0 pkgdesc="A virtualization API for several hypervisor and container systems" url="http://libvirt.org/" arch="all" @@ -14,7 +12,7 @@ makedepends="augeas-dev bridge-utils cyrus-sasl-dev device-mapper e2fsprogs-dev gnutls-dev libcap-ng-dev libgpg-error-dev libnetcf-dev libnl-dev libxml2-dev libxslt-dev libtasn1-dev lvm2-dev lxc-dev gnutls-dev libgcrypt-dev parted-dev perl pkgconfig - udev-dev zlib-dev yajl-dev libpcap-dev curl-dev" + udev-dev zlib-dev yajl-dev libpcap-dev curl-dev libpciaccess-dev" install= subpackages="$pkgname-client $pkgname-daemon $pkgname-dev $pkgname-doc $pkgname-lang $pkgname-lxc $pkgname-qemu $pkgname-uml" @@ -22,9 +20,13 @@ source="http://libvirt.org/sources/$pkgname-$pkgver.tar.gz libvirt.confd libvirt.initd uclibc-physmem.patch - libvirt-1.0.0-remove-uclibc-mkostemp-redefine.patch 0001-util-refactor-iptables-command-construction-into-mul.patch - 0001-net-support-set-public-ip-for-forward-mode-nat.patch + + 0001-net-support-set-public-ip-range-for-forward-mode-nat.patch + 0002-net-add-support-for-specifying-port-range-for-forwar.patch + + 0001-complete-virterror-virerror-name-change.patch + 0001-Fix-missing-error-constants-in-libvirt-python-module.patch " if [ "$ALPINE_LIBC" != "eglibc" ]; then @@ -32,10 +34,10 @@ if [ "$ALPINE_LIBC" != "eglibc" ]; then makedepends="$makedepends xen-dev" fi -_builddir="$srcdir"/$pkgname-$vmajor +_builddir="$srcdir"/$pkgname-$pkgver prepare() { - cd "$_builddir" + cd "$_builddir" || return 1 for patch in $source; do case $patch in # we concider patches with uclibc in its name 
@@ -104,50 +106,52 @@ client() { } _mv_driver() { - mkdir -p "$subpkgdir"/usr/lib/libvirt/connection-driver \ - "$subpkgdir"/etc/libvirt "$subpkgdir"/etc/logrotate.d - mv "$pkgdir"/usr/lib/libvirt/connection-driver/libvirt_driver_$1.so \ - "$subpkgdir"/usr/lib/libvirt/connection-driver/ - if [ "$1" != "xen" ]; then - mv "$pkgdir"/etc/logrotate.d/libvirtd.$1 \ - "$subpkgdir"/etc/logrotate.d/ + local _name="$1" _driver="$2" _pkg="$3" + pkgdesc="$_name driver for libvirt" + depends="libvirt-daemon logrotate" + replaces="libvirt" + if [ -n "$_pkg" ]; then + install_if="$pkgname-daemon=$pkgver-r$pkgrel $_pkg" + else + install_if= + fi + local _dir=/usr/lib/libvirt/connection-driver + mkdir -p "$subpkgdir"/$_dir \ + "$subpkgdir"/etc/libvirt \ + "$subpkgdir"/etc/logrotate.d + + mv "$pkgdir"/$_dir/libvirt_driver_$_driver.so "$subpkgdir"/$_dir/ \ + || return 1 + + if [ -e "$pkgdir"/etc/logrotate.d/libvirtd.$_driver ]; then + mv "$pkgdir"/etc/logrotate.d/libvirtd.$_driver \ + "$subpkgdir"/etc/logrotate.d/ fi } qemu() { - pkgdesc="QEMU driver for libvirt" - depends="libvirt-daemon logrotate" - replaces="libvirt" - _mv_driver qemu + _mv_driver "QEMU" qemu qemu mv "$pkgdir"/etc/libvirt/qemu.conf "$subpkgdir"/etc/libvirt/ } xen() { - pkgdesc="XEN driver for libvirt" - depends="libvirt-daemon" - replaces="libvirt" - _mv_driver xen + _mv_driver "XEN" xen xen } lxc() { - pkgdesc="lxc driver for libvirt" - depends="libvirt-daemon logrotate" - replaces="libvirt" - _mv_driver lxc + _mv_driver "LXC" lxc lxc } uml() { - pkgdesc="UML driver for libvirt" - depends="libvirt-daemon logrotate" - replaces="libvirt" - _mv_driver uml + _mv_driver "UML" uml } -md5sums="7c8b006de7338e30866bb56738803b21 libvirt-1.0.0.tar.gz +md5sums="7e268ed702c4331d393e5b43449cae13 libvirt-1.0.2.tar.gz 1c84a7baeafe0a7f4e9d7ae5180311b7 libvirt.confd d897df38c7e7fa1a297aa551108633c9 libvirt.initd df9cbfaf8a6e520a4822914a300add4d uclibc-physmem.patch -e992133db641b20cb43dda704518984d 
libvirt-1.0.0-remove-uclibc-mkostemp-redefine.patch -671eb364f071e67f58ab2c01ec357567 0001-util-refactor-iptables-command-construction-into-mul.patch -20ef9eab94e9a52aa401ddbcb066aeb2 0001-net-support-set-public-ip-for-forward-mode-nat.patch" - +98a496d6d606c3406e6f8b03c3b25028 0001-util-refactor-iptables-command-construction-into-mul.patch +05789e003f4b90808b6898e9d72ad8f4 0001-net-support-set-public-ip-range-for-forward-mode-nat.patch +de01f68b563a51dd39b873c5eade0f25 0002-net-add-support-for-specifying-port-range-for-forwar.patch +854982416fafeabbeca06e807c868a9c 0001-complete-virterror-virerror-name-change.patch +dcb427eeceb5dcb79e5ea8eef748e44d 0001-Fix-missing-error-constants-in-libvirt-python-module.patch" diff --git a/main/libvirt/libvirt-1.0.0-remove-uclibc-mkostemp-redefine.patch b/main/libvirt/libvirt-1.0.0-remove-uclibc-mkostemp-redefine.patch deleted file mode 100644 index f7e5a5e14..000000000 --- a/main/libvirt/libvirt-1.0.0-remove-uclibc-mkostemp-redefine.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- a/src/util/logging.c -+++ b/src/util/logging.c -@@ -58,11 +58,6 @@ - - #define VIR_FROM_THIS VIR_FROM_NONE - --#ifdef __UCLIBC__ --/* uclibc does not implement mkostemp GNU extention */ --#define mkostemp(x,y) mkstemp(x) --#endif -- - VIR_ENUM_DECL(virLogSource) - VIR_ENUM_IMPL(virLogSource, VIR_LOG_FROM_LAST, - "file", -- cgit v1.2.3
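Review bot: The updated md5sums line is the only integrity check on the upstream tarball, which `source=` fetches from `http://libvirt.org/sources/...` over plain HTTP, so a tampered archive only has to survive an MD5 check, and MD5 is no longer collision-resistant. If the abuild in use supports it, record a `sha512sums=` (or `sha256sums=`) entry for `libvirt-1.0.2.tar.gz` instead of, or in addition to, the md5 entry, and prefer an https source URL or a signature check where upstream publishes one. The checksums for the local `.patch` files are less of a concern since those files are committed next to the APKBUILD.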