12:22 p.m.
This patch extends the filter XML to support priorities of chains
in the XML. An example would be:
<filter name='allow-arpxyz' chain='arp-xyz' priority='200'>
[...]
</filter>
The permitted values for priorities are [-1000, 1000].
By setting the pririty of a chain the order in which it is accessed
from the interface root chain can be influenced.
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
docs/schemas/nwfilter.rng | 7 ++++++-
src/conf/nwfilter_conf.c | 42 +++++++++++++++++++++++++++++++++++++-----
2 files changed, 43 insertions(+), 6 deletions(-)
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -2012,7 +2012,9 @@ virNWFilterDefParseXML(xmlXPathContextPt
xmlNodePtr curr = ctxt->node;
char *uuid = NULL;
char *chain = NULL;
+ char *chain_pri_s = NULL;
virNWFilterEntryPtr entry;
+ int chain_priority;
if (VIR_ALLOC(ret) < 0) {
virReportOOMError();
@@ -2026,6 +2028,26 @@ virNWFilterDefParseXML(xmlXPathContextPt
goto cleanup;
}
+ chain_pri_s = virXPathString("string(./@priority)", ctxt);
+ if (chain_pri_s) {
+ if (sscanf(chain_pri_s, "%d", &chain_priority) != 1) {
+ virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Could not parse chain priority
'%s'"),
+ chain_pri_s);
+ goto cleanup;
+ }
+ if (chain_priority < NWFILTER_MIN_FILTER_PRIORITY ||
+ chain_priority > NWFILTER_MAX_FILTER_PRIORITY) {
+ virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Priority '%d' is outside valid "
+ "range of [%d,%d]"),
+ chain_priority,
+ NWFILTER_MIN_FILTER_PRIORITY,
+ NWFILTER_MAX_FILTER_PRIORITY);
+ goto cleanup;
+ }
+ }
+
chain = virXPathString("string(./@chain)", ctxt);
if (chain) {
if (virNWFilterChainSuffixTypeFromString(chain) < 0) {
@@ -2034,11 +2056,16 @@ virNWFilterDefParseXML(xmlXPathContextPt
goto cleanup;
}
ret->chainsuffix = chain;
- /* assign an implicit priority -- support XML attribute later */
- if (intMapGetByString(chain_priorities, chain, 0,
- &ret->chainPriority) == false) {
- ret->chainPriority = (NWFILTER_MAX_FILTER_PRIORITY +
- NWFILTER_MIN_FILTER_PRIORITY) / 2;
+
+ if (chain_pri_s) {
+ ret->chainPriority = chain_priority;
+ } else {
+ /* assign an implicit priority -- support XML attribute later */
+ if (intMapGetByString(chain_priorities, chain, 0,
+ &ret->chainPriority) == false) {
+ ret->chainPriority = (NWFILTER_MAX_FILTER_PRIORITY +
+ NWFILTER_MIN_FILTER_PRIORITY) / 2;
+ }
}
chain = NULL;
} else {
@@ -2095,6 +2122,7 @@ virNWFilterDefParseXML(xmlXPathContextPt
}
VIR_FREE(chain);
+ VIR_FREE(chain_pri_s);
return ret;
@@ -2102,6 +2130,7 @@ virNWFilterDefParseXML(xmlXPathContextPt
virNWFilterDefFree(ret);
VIR_FREE(chain);
VIR_FREE(uuid);
+ VIR_FREE(chain_pri_s);
return NULL;
}
@@ -2914,6 +2943,9 @@ virNWFilterDefFormat(virNWFilterDefPtr d
virBufferAsprintf(&buf, "<filter name='%s'
chain='%s'",
def->name,
def->chainsuffix);
+ if (def->chainPriority != 0)
+ virBufferAsprintf(&buf, " priority='%d'",
+ def->chainPriority);
virBufferAddLit(&buf, ">\n");
virUUIDFormat(def->uuid, uuid);
Index: libvirt-acl/docs/schemas/nwfilter.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -293,6 +293,11 @@
</choice>
</attribute>
</optional>
+ <optional>
+ <attribute name="priority">
+ <ref name='priority-type'/>
+ </attribute>
+ </optional>
</define>
<define name="filterref-node-attributes">
@@ -879,7 +884,7 @@
<define name='priority-type'>
<data type="int">
- <param name="minInclusive">0</param>
+ <param name="minInclusive">-1000</param>
<param name="maxInclusive">1000</param>
</data>
</define>