On 10/12/2011 03:50 PM, David L Stevens wrote:
This patch simplifies the table rules by setting the protocol chains' policy to "DROP" and removes the explicit "-j DROP" entries that the protocol rules had previously.
It also makes "no-other-rarp-traffic.xml" obsolete.
I agree with Daniel's previous comments that this could introduce
compatibility problems. It would be best not to change it or, if it is really needed, to later introduce an XML attribute for a chain that allows choosing whether the default policy is accept or drop.
Stefan
Signed-off-by: David L Stevens<dlstevens(a)us.ibm.com>
---
examples/xml/nwfilter/Makefile.am | 1 -
examples/xml/nwfilter/no-arpip-spoofing.xml | 2 --
examples/xml/nwfilter/no-arpmac-spoofing.xml | 2 --
examples/xml/nwfilter/no-ip-spoofing.xml | 2 --
examples/xml/nwfilter/no-mac-spoofing.xml | 2 --
examples/xml/nwfilter/no-other-rarp-traffic.xml | 3 ---
examples/xml/nwfilter/qemu-announce-self.xml | 1 -
src/nwfilter/nwfilter_ebiptables_driver.c | 11 +----------
8 files changed, 1 insertions(+), 23 deletions(-)
delete mode 100644 examples/xml/nwfilter/no-other-rarp-traffic.xml
diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
index 84aaa3c..67085fa 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -18,7 +18,6 @@ FILTERS = \
no-mac-broadcast.xml \
no-mac-spoofing.xml \
no-other-l2-traffic.xml \
- no-other-rarp-traffic.xml \
qemu-announce-self.xml \
qemu-announce-self-rarp.xml
diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml
b/examples/xml/nwfilter/no-arpip-spoofing.xml
index ee42d40..7ef6f0f 100644
--- a/examples/xml/nwfilter/no-arpip-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -7,6 +7,4 @@
<rule action='return' direction='out' priority='410'>
<arp match='yes' arpsrcipaddr='0.0.0.0' />
</rule>
-<!-- drop everything else -->
-<rule action='drop' direction='out' priority='1000' />
</filter>
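Review bot: With the catch-all drop rule removed, this filter only rejects non-matching ARP if the chain it is attached to carries a DROP policy, a dependency that now lives solely in the driver's chain-creation command and is not stated anywhere in the filter itself; the same applies to the hunks for no-arpmac-spoofing.xml, no-ip-spoofing.xml and no-mac-spoofing.xml. These files are the reference examples users copy into their own filters, so a copy loaded on a host whose driver predates the policy change would silently pass what it was meant to drop, and a filter author reading the XML has no way to tell. An XML comment in place of the removed rule would keep the intent visible: `<!-- no catch-all drop rule: frames matching no rule are dropped by the chain's default DROP policy -->`.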
diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml
b/examples/xml/nwfilter/no-arpmac-spoofing.xml
index 90499d3..3834047 100644
--- a/examples/xml/nwfilter/no-arpmac-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -2,6 +2,4 @@
<rule action='return' direction='out' priority='350'>
<arp match='yes' arpsrcmacaddr='$MAC'/>
</rule>
-<!-- drop everything else -->
-<rule action='drop' direction='out' priority='1000' />
</filter>
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml
b/examples/xml/nwfilter/no-ip-spoofing.xml
index 84e8a5e..2fccd12 100644
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -4,6 +4,4 @@
<rule action='return' direction='out'>
<ip match='yes' srcipaddr='$IP' />
</rule>
-<!-- drop any that don't match the source IP list -->
-<rule action='drop' direction='out' />
</filter>
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml
b/examples/xml/nwfilter/no-mac-spoofing.xml
index aee56c7..e2e8c03 100644
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -4,6 +4,4 @@
<rule action='return' direction='out' priority='350'>
<mac match='yes' srcmacaddr='$MAC'/>
</rule>
-<!-- drop everything else -->
-<rule action='drop' direction='out' priority='1000' />
</filter>
diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml
b/examples/xml/nwfilter/no-other-rarp-traffic.xml
deleted file mode 100644
index 7729996..0000000
--- a/examples/xml/nwfilter/no-other-rarp-traffic.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<filter name='no-other-rarp-traffic' chain='rarp'>
-<rule action='drop' direction='inout' priority='1000'/>
-</filter>
diff --git a/examples/xml/nwfilter/qemu-announce-self.xml
b/examples/xml/nwfilter/qemu-announce-self.xml
index 352db50..12957b5 100644
--- a/examples/xml/nwfilter/qemu-announce-self.xml
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -8,6 +8,5 @@
<!-- accept if it was changed to rarp -->
<filterref filter='qemu-announce-self-rarp'/>
-<filterref filter='no-other-rarp-traffic'/>
</filter>
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 3c6fca7..e6a4880 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2791,7 +2791,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
protostr[0] = '\0';
virBufferAsprintf(buf,
- CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
+ CMD_DEF("%s -t %s -N %s -P DROP") CMD_SEPARATOR
CMD_EXEC
"%s"
CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR
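Review bot: The `-P DROP` appended to the chain-creation command makes every protocol sub-chain fail closed for frames that match none of its rules, but nothing in the code records that contract, and any existing filter chain written without a catch-all against the old fall-through behaviour now silently discards that traffic, which is the compatibility concern raised in this thread. A comment above the virBufferAsprintf call would make the dependency visible to the next reader: `/* Sub-chains are created with a DROP policy: a frame matching no rule of a filter chain is discarded, so filters need no explicit catch-all drop rule. */`. A policy on a user-defined chain is an ebtables-specific feature, so the format string should stay bound to the ebtables command path; the arguments feeding the first `%s` are not visible in the hunk. ebtablesCreateTmpSubChain starts and ends outside the hunk.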
@@ -3015,15 +3015,6 @@ ebtablesApplyBasicRules(const char *ifname,
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(&buf,
- CMD_DEF("%s -t %s -A %s -s ! %s -j DROP") CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
- chain, macaddr_str,
- CMD_STOPONERR(1));
-
- virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -A %s -p IPv4 -j ACCEPT")
CMD_SEPARATOR
CMD_EXEC
"%s",
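Review bot: Dropping the `-s ! %s -j DROP` rule from the root chain in ebtablesApplyBasicRules removes the source-MAC check from the basic rule set rather than relocating it: the rule that now comes first, `-p IPv4 -j ACCEPT` on the following hunk line, accepts any IPv4 frame before a chain policy could be consulted, so a guest sending IPv4 frames with a forged source MAC is accepted where it used to be dropped. A DROP policy only applies to frames that reach the end of a chain, and the `-P DROP` this series adds is in ebtablesCreateTmpSubChain, not on the root chain written by PRINT_ROOT_CHAIN as far as the hunk shows. Keeping the removed virBufferAsprintf block, i.e. the `-s ! %s -j DROP` rule ahead of the protocol ACCEPT rules, preserves the check. The rest of ebtablesApplyBasicRules lies outside the hunk.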