On 01/11/2012 12:42 PM, Stefan Berger wrote:
Fix a typing error in the no-ip-spoofing filter. Return DHCP request packets passing through this filter. Have the user use another filter to actually allow DHCP requests to be sent (action='accept').
--- examples/xml/nwfilter/no-ip-spoofing.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/no-ip-spoofing.xml +++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml @@ -1,7 +1,7 @@ <filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'> - <!-- allow DHCP requests --> - <rule action='accept' direction='out' priority='100'> - <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' srcportend='68'/> + <!-- allow DHCP requests sent from 0.0.0.0 --> + <rule action='return' direction='out' priority='100'>
I see how the action='accept' vs. action='return' makes a difference here, if the user has other rules after calling this filter that they still want to use.
+ <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' dstportstart='67'/>
but I'm a bit lost as to why srcportend='68' needs to be changed to dstportstart='67'. Assuming you can explain this change, then ACK. Meanwhile, this file under examples/ differs from the text in formatnwfilter.html.in which also defines a filter named no-ip-spoofing; is that a discrepancy where the docs should be updated to accurately describe what is our best state-of-the-art in the examples, or is it something where we should just mention in the docs that the docs are shorter versions for discussion, and to see examples/ for a more complete version. But fixing that can be a separate patch. -- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org