On 01/11/2012 12:42 PM, Stefan Berger wrote:
Fix a typing error in the no-ip-spoofing filter.
Return DHCP request packets passing through this filter. Have
the user use another filter to actually allow DHCP requests to be
sent (action='accept').
---
examples/xml/nwfilter/no-ip-spoofing.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/no-ip-spoofing.xml
+++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -1,7 +1,7 @@
<filter name='no-ip-spoofing' chain='ipv4-ip'
priority='-710'>
- <!-- allow DHCP requests -->
- <rule action='accept' direction='out' priority='100'>
- <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68'
srcportend='68'/>
+ <!-- allow DHCP requests sent from 0.0.0.0 -->
+ <rule action='return' direction='out' priority='100'>
I see how the action='accept' vs. action='return' makes a difference
here, if the user has other rules after calling this filter that they
still want to use.
+ <ip srcipaddr='0.0.0.0' protocol='udp'
srcportstart='68'
dstportstart='67'/>
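Review bot: the comment on the first `+` line, "allow DHCP requests sent from 0.0.0.0", no longer describes the rule under it: with action='return' this filter allows nothing, it stops evaluating and hands the packet back to the calling filter, which has to carry its own accept rule (as the commit message itself says). Suggest rewording it, e.g. "let DHCP requests from 0.0.0.0 return to the calling filter (accept them there)". The same hunk also changes the match itself, dropping srcportend='68' in favour of dstportstart='67' so that only UDP 68 -> 67 traffic from 0.0.0.0 is caught; the commit message mentions only a typing error and the action change, so the port change should be spelled out there as well.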
but I'm a bit lost as to why srcportend='68' needs to be changed to
dstportstart='67'. Assuming you can explain this change, then
ACK.
Meanwhile, this file under examples/ differs from the text in
formatnwfilter.html.in which also defines a filter named no-ip-spoofing;
is that a discrepancy where the docs should be updated to accurately
describe what is our best state-of-the-art in the examples, or is it
something where we should just mention in the docs that the docs are
shorter versions for discussion, and to see examples/ for a more
complete version? But fixing that can be a separate patch.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
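The accept-versus-return distinction raised above, as an added example that is not part of this thread or of libvirt's shipped filters. It assumes a hypothetical calling filter named `dhcp-then-filter` (the name and its rule priorities are assumptions) that pulls in no-ip-spoofing through `<filterref>` and then carries the explicit accept rule the commit message says the user must supply:

```xml
<!-- Added example, not a libvirt-shipped filter. Filter name and
     priorities are hypothetical. -->
<filter name='dhcp-then-filter' chain='root'>
  <!-- Evaluate no-ip-spoofing first. With the patch applied, its DHCP
       rule uses action='return', so a DHCP request from 0.0.0.0 is handed
       back to this filter instead of being accepted inside no-ip-spoofing.
       With the old action='accept' the packet would never reach the rules
       below. -->
  <filterref filter='no-ip-spoofing'/>

  <!-- The explicit accept the commit message asks the user to provide:
       a DHCP discover/request from a not-yet-configured guest, i.e.
       source 0.0.0.0, UDP source port 68 to destination port 67. -->
  <rule action='accept' direction='out' priority='500'>
    <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>

  <!-- Anything no-ip-spoofing returned that is not DHCP still falls
       through to later rules; here a catch-all drop at the lowest
       priority (highest number). -->
  <rule action='drop' direction='out' priority='1000'>
    <all/>
  </rule>
</filter>
```

The point of the ordering is that `return` only makes sense when the caller has somewhere for the packet to go; if `dhcp-then-filter` ended after the `<filterref>`, the returned DHCP request would simply hit whatever default the remaining chain applies, which is why the patch pushes the accept decision up to the user.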