This patch simplifies the table rules by setting the policy of the protocol chains to
"DROP" and removing the explicit "-j DROP" entries that the protocol rules
previously had. It also makes "no-other-rarp-traffic.xml" obsolete.
Signed-off-by: David L Stevens <dlstevens(a)us.ibm.com>
diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
index 8ef9a71..60301c9 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -14,7 +14,6 @@ FILTERS = \
no-mac-broadcast.xml \
no-mac-spoofing.xml \
no-other-l2-traffic.xml \
- no-other-rarp-traffic.xml \
qemu-announce-self.xml \
qemu-announce-self-rarp.xml
diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml
b/examples/xml/nwfilter/no-arpip-spoofing.xml
index ee42d40..7ef6f0f 100644
--- a/examples/xml/nwfilter/no-arpip-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -7,6 +7,4 @@
<rule action='return' direction='out' priority='410' >
<arp match='yes' arpsrcipaddr='0.0.0.0' />
</rule>
- <!-- drop everything else -->
- <rule action='drop' direction='out' priority='1000' />
</filter>
diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml
b/examples/xml/nwfilter/no-arpmac-spoofing.xml
index 90499d3..3834047 100644
--- a/examples/xml/nwfilter/no-arpmac-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -2,6 +2,4 @@
<rule action='return' direction='out' priority='350' >
<arp match='yes' arpsrcmacaddr='$MAC'/>
</rule>
- <!-- drop everything else -->
- <rule action='drop' direction='out' priority='1000' />
</filter>
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml
b/examples/xml/nwfilter/no-ip-spoofing.xml
index 84e8a5e..2fccd12 100644
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -4,6 +4,4 @@
<rule action='return' direction='out'>
<ip match='yes' srcipaddr='$IP' />
</rule>
- <!-- drop any that don't match the source IP list -->
- <rule action='drop' direction='out' />
</filter>
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml
b/examples/xml/nwfilter/no-mac-spoofing.xml
index aee56c7..e2e8c03 100644
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -4,6 +4,4 @@
<rule action='return' direction='out' priority='350' >
<mac match='yes' srcmacaddr='$MAC'/>
</rule>
- <!-- drop everything else -->
- <rule action='drop' direction='out' priority='1000' />
</filter>
diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml
b/examples/xml/nwfilter/no-other-rarp-traffic.xml
deleted file mode 100644
index 7729996..0000000
--- a/examples/xml/nwfilter/no-other-rarp-traffic.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<filter name='no-other-rarp-traffic' chain='rarp'>
- <rule action='drop' direction='inout'
priority='1000'/>
-</filter>
diff --git a/examples/xml/nwfilter/qemu-announce-self.xml
b/examples/xml/nwfilter/qemu-announce-self.xml
index 352db50..12957b5 100644
--- a/examples/xml/nwfilter/qemu-announce-self.xml
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -8,6 +8,5 @@
<!-- accept if it was changed to rarp -->
<filterref filter='qemu-announce-self-rarp'/>
- <filterref filter='no-other-rarp-traffic'/>
</filter>
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index fa6f719..dc0ad2e 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2783,7 +2783,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
protostr[0] = '\0';
virBufferVSprintf(buf,
- CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
+ CMD_DEF("%s -t %s -N %s -P DROP") CMD_SEPARATOR
CMD_EXEC
"%s"
CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR
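Review bot: The `-P DROP` added to the `-N` command makes every protocol sub-chain fail-closed, but nothing in ebtablesCreateTmpSubChain says that its callers and the shipped filter XML now rely on that policy; I would put `/* sub-chains are created with policy DROP: a frame that reaches the end of the chain without an explicit ACCEPT/RETURN is dropped, so filters no longer need a trailing drop rule */` above the virBufferVSprintf call. The example filters in this same patch lose their explicit drop rules, so with a driver that lacks this `-P DROP` (an older build, or a later change that loses it) a filter made only of `return` rules would let all traffic through, which deserves a sentence in the commit message or the nwfilter documentation. The virBufferVSprintf call and the rest of the function continue past the hunk. In ebtablesApplyBasicRules (the second hunk, cut off here) the `-s ! %s -j DROP` rule is removed while that chain is created by ebtablesCreateTmpRootChain, which is not changed anywhere in the visible part of the patch; unless the remainder of that hunk gives the root chain a DROP policy as well, frames from a source MAC other than the guest's would fall through to the `-p IPv4 -j ACCEPT` rule that follows.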
@@ -3006,14 +3006,6 @@ ebtablesApplyBasicRules(const char *ifname,
ebtablesCreateTmpRootChain(&buf, 1, ifname, 1);
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virBufferVSprintf(&buf,
- CMD_DEF("%s -t %s -A %s -s ! %s -j DROP") CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
- chain, macaddr_str,
- CMD_STOPONERR(1));
virBufferVSprintf(&buf,
CMD_DEF("%s -t %s -A %s -p IPv4 -j ACCEPT")
CMD_SEPARATOR