On Wed, Oct 05, 2011 at 08:08:48AM -0700, David L Stevens wrote:
This patch changes rules of the form:

    if ! addr drop
    accept

to:

    if addr return
    ...
    drop

The patch adds a "mac" chain to do a mac address list and separates the "arp" chain into separate "arpmac" and "arpip" chains that can check multiple MAC or IP addresses in any combination. This patch itself does not support multiple addresses via the MAC and IP variables, but only changes the form of the rules to allow multiple addresses in the future.
Signed-off-by: David L Stevens <dlstevens(a)us.ibm.com>
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index e0c2fb6..31199cb 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -82,7 +82,9 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable,
VIR_NWFILTER_EBTABLES_TABLE_LAST,
VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
"root",
- "arp",
+ "mac",
+ "arpmac",
+ "arpip",
"rarp",
"ipv4",
"ipv6");
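Review bot: dropping the "arp" string from the virNWFilterChainSuffix table (the `- "arp",` line) means any filter XML already deployed with chain="arp" will no longer be recognised by the enum lookup, which is a user-visible compatibility break rather than an internal rename. If the split into "arpmac" and "arpip" is wanted, keep "arp" as an accepted input that maps onto the new chains (or document the migration) instead of removing it outright.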
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index c96851a..17e954e 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -428,7 +428,9 @@ struct _virNWFilterEntry {
enum virNWFilterChainSuffixType {
VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
- VIR_NWFILTER_CHAINSUFFIX_ARP,
+ VIR_NWFILTER_CHAINSUFFIX_MAC,
+ VIR_NWFILTER_CHAINSUFFIX_ARPMAC,
+ VIR_NWFILTER_CHAINSUFFIX_ARPIP,
VIR_NWFILTER_CHAINSUFFIX_RARP,
VIR_NWFILTER_CHAINSUFFIX_IPv4,
VIR_NWFILTER_CHAINSUFFIX_IPv6,
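Review bot: removing VIR_NWFILTER_CHAINSUFFIX_ARP from the enum (the `- VIR_NWFILTER_CHAINSUFFIX_ARP,` line) renumbers every value after it and will break compilation of any other code that still references the old constant; the patch shown touches only nwfilter_conf.c and nwfilter_conf.h, so the other users of this enum need to be updated in the same series. Also note that the three new enumerators must stay in the same order and count as the three new strings in the VIR_ENUM_IMPL list, since the table is indexed by enumerator value up to VIR_NWFILTER_CHAINSUFFIX_LAST.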
This looks like it is breaking compatibility of NWFilter XML with
previously deployed libvirt releases.
Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
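The rule rewrite described in the quoted commit message (from "if ! addr drop / accept" to "if addr return / ... / drop") is the part of the change that actually makes multi-address lists possible, and the reason is easy to miss in prose. The following added example, which is not libvirt code and not real ebtables, is a small simulator of in-order chain evaluation with ACCEPT, DROP and RETURN targets; it shows that stacking several negated-drop rules drops everything (each allowed address is rejected by the other address's rule), while stacking match-and-return rules behaves as an allow list. The MAC addresses are constructed sample input, and treating RETURN as "hand back to the caller, which accepts" is an assumption of this model.

```python
"""Simulate why the "negate-and-drop" rule form cannot express an allow list
of several addresses, while the "match-and-return" form can.

This is an added, simplified model of ebtables/iptables chain semantics, not
libvirt's own code and not a real firewall: rules are walked in order, ACCEPT
and DROP are terminal, RETURN leaves the chain (modelled here as the caller
accepting, an assumption), and falling off the end of a chain is ACCEPT.
"""

ACCEPT, DROP, RETURN = "accept", "drop", "return"

# A rule is (match, negate, target); match None means "match any packet".
Rule = tuple


def rule_hits(match, negate, addr):
    """Return True if a rule matches the packet's address."""
    if match is None:
        return True
    return (addr != match) if negate else (addr == match)


def evaluate(chain, addr):
    """Walk a chain of rules in order and return the verdict for one address."""
    for match, negate, target in chain:
        if rule_hits(match, negate, addr):
            # RETURN goes back to the calling chain, which in this model accepts.
            return ACCEPT if target == RETURN else target
    return ACCEPT  # implicit end-of-chain policy in this model


def negate_drop_chain(allowed):
    """Old rule form: one 'if ! addr drop' per address, then a final accept."""
    return [(a, True, DROP) for a in allowed] + [(None, False, ACCEPT)]


def match_return_chain(allowed):
    """New rule form: one 'if addr return' per address, then a final drop."""
    return [(a, False, RETURN) for a in allowed] + [(None, False, DROP)]


def verdicts(chain, addrs):
    """Map each candidate address to the verdict the chain gives it."""
    return {a: evaluate(chain, a) for a in addrs}


# Constructed sample addresses (locally administered, not real hosts).
VM_A = "52:54:00:00:00:01"
VM_B = "52:54:00:00:00:02"
STRANGER = "52:54:00:00:00:ff"

if __name__ == "__main__":
    # With a single address both forms agree.
    print("old form, one addr :", verdicts(negate_drop_chain([VM_A]), [VM_A, STRANGER]))
    print("new form, one addr :", verdicts(match_return_chain([VM_A]), [VM_A, STRANGER]))
    # With two addresses the old form drops every packet, the new form does not.
    print("old form, two addrs:", verdicts(negate_drop_chain([VM_A, VM_B]), [VM_A, VM_B, STRANGER]))
    print("new form, two addrs:", verdicts(match_return_chain([VM_A, VM_B]), [VM_A, VM_B, STRANGER]))
```

Running the script prints the four verdict tables; the third line is the failure mode the patch is preparing to avoid, since `if ! A drop` followed by `if ! B drop` rejects traffic from A at the second rule and from B at the first.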