+vserver_bcaps2text(PyObject *self, PyObject *args)
+{
+ struct vc_ctx_caps caps = { .bcaps = 0 };
+ PyObject *list;
+ const char *cap;
+
+ if (!PyArg_ParseTuple(args, "K", &caps.bcaps))
+ return NULL;
+
+ list = PyString_FromString("");
+
+ while ((cap = vc_lobcap2text(&caps.bcaps)) != NULL) {
+ if (list == NULL)
+ break;
+ PyString_ConcatAndDel(&list, PyString_FromFormat(
+ (PyString_Size(list) > 0 ? ",CAP_%s" : "CAP_%s" ),
+ cap));
+ }
+
+ return list;
+}
+
+static inline int
+convert_address(const char *str, struct vc_net_addr *addr)
+{
+ void *dst;
+ if (inet_pton(AF_INET6, str, addr->vna_v6_ip.s6_addr) > 0) {
+ addr->vna_type = VC_NXA_TYPE_IPV6;
+ return 0;
+ }
+ else if (inet_pton(AF_INET, str, &addr->vna_v4_ip.s_addr) > 0) {
+ addr->vna_type = VC_NXA_TYPE_IPV4;
+ return 0;
+ }
+ return -1;
+}
+
+static int
+mask_to_prefix(void *data, int limit)
+{
+ uint8_t *mask = data;
+ int prefix;
+ for (prefix = 0; prefix < limit && mask[prefix >> 3] & (1 << (prefix & 0x07)); prefix++)
+ ;
+ return prefix;
+}
+
+static int
+get_mask(struct vc_net_addr *addr)
+{
+ struct ifaddrs *head, *ifa;
+ int ret = 0;
+ int family, offset, len;
+ void *ip;
+
+ switch (addr->vna_type) {
+ case VC_NXA_TYPE_IPV4:
+ family = AF_INET;
+ offset = offsetof(struct sockaddr_in, sin_addr.s_addr);
+ ip = &addr->vna_v4_ip.s_addr;
+ len = 4;
+ addr->vna_v4_mask.s_addr = htonl(0xffffff00);
+ addr->vna_prefix = 24;
+ break;
+ case VC_NXA_TYPE_IPV6:
+ family = AF_INET6;
+ offset = offsetof(struct sockaddr_in6, sin6_addr.s6_addr);
+ ip = addr->vna_v6_ip.s6_addr;
+ len = 16;
+ addr->vna_v6_mask.s6_addr32[9] = addr->vna_v6_mask.s6_addr32[1] = 0xffffffff;
+ addr->vna_v6_mask.s6_addr32[2] = addr->vna_v6_mask.s6_addr32[3] = 0x00000000;
+ addr->vna_prefix = 64;
+ break;
+ default:
+ errno = -EINVAL;
+ return -1;
+ }
+
+ if (getifaddrs(&head) == -1)
+ return -1;
+ for (ifa = head; ifa; ifa = ifa->ifa_next) {
+ if (ifa->ifa_addr->sa_family == family &&
+ memcmp((char *) ifa->ifa_addr + offset, ip, len) == 0) {
+ switch (addr->vna_type) {
+ case VC_NXA_TYPE_IPV4:
+ memcpy(&addr->vna_v4_mask.s_addr, ifa->ifa_netmask + offset, len);
+ addr->vna_prefix = mask_to_prefix(&addr->vna_v4_mask.s_addr, 32);
+ break;
+ case VC_NXA_TYPE_IPV6:
+ memcpy(addr->vna_v6_mask.s6_addr, ifa->ifa_netmask + offset, len);
+ addr->vna_prefix = mask_to_prefix(addr->vna_v6_mask.s6_addr, 128);
+ break;
+ }
+ ret = 1;
+ break;
+ }
+ }
+ freeifaddrs(head);
+ return ret;
+}
+
+/* XXX These two functions are really similar */
+static PyObject *
+vserver_net_add(PyObject *self, PyObject *args)
+{
+ struct vc_net_addr addr;
+ nid_t nid;
+ const char *ip;
+
+ if (!PyArg_ParseTuple(args, "Is", &nid, &ip))
+ return NULL;
+
+ if (convert_address(ip, &addr) == -1)
+ return PyErr_Format(PyExc_ValueError, "%s is not a valid IP address", ip);
+
+ switch (get_mask(&addr)) {
+ case -1:
+ return PyErr_SetFromErrno(PyExc_OSError);
+ case 0:
+ /* XXX error here? */
+ break;
+ }
+ addr.vna_type |= VC_NXA_TYPE_ADDR;
+
+ if (vc_net_add(nid, &addr) == -1 && errno != ESRCH)
+ return PyErr_SetFromErrno(PyExc_OSError);
+
+ return NONE;
+}
+
+static PyObject *
+vserver_net_remove(PyObject *self, PyObject *args)
+{
+ struct vc_net_addr addr;
+ nid_t nid;
+ const char *ip;
+
+ if (!PyArg_ParseTuple(args, "Is", &nid, &ip))
+ return NULL;
+
+ if (strcmp(ip, "all") == 0)
+ addr.vna_type = VC_NXA_TYPE_ANY;
+ else if (strcmp(ip, "all4") == 0)
+ addr.vna_type = VC_NXA_TYPE_IPV6 | VC_NXA_TYPE_ANY;
+ else if (strcmp(ip, "all6") == 0)
+ addr.vna_type = VC_NXA_TYPE_IPV6 | VC_NXA_TYPE_ANY;
+ else {
+ if (convert_address(ip, &addr) == -1)
+ return PyErr_Format(PyExc_ValueError, "%s is not a valid IP address", ip);
+ addr.vna_type |= VC_NXA_TYPE_ADDR;
+ }
+
+ switch (get_mask(&addr)) {
+ case -1:
+ return PyErr_SetFromErrno(PyExc_OSError);
+ }
+
+ if (vc_net_remove(nid, &addr) == -1 && errno != ESRCH)
+ return PyErr_SetFromErrno(PyExc_OSError);
+
+ return NONE;
+}
+
+struct secure_dirs {
+ int host_fd;
+ int cwd_fd;
+ int guest_fd;
+ int target_fd;
+};
+
+static inline int
+fchroot(int fd)