[libvirt] [PATCH V1 0/2] Add support for IP layer 4 protocol filtering
The 1st patch in this series extends the list of IP layer 4 protocol name-to-identifier translations. The 2nd patch closes a gap in the possibility to filter layer 4 protocols' layer 2 and 3 headers. This patch makes the 'iptables --protocol <protocol>' parameter accessible using an ipl4 XML node. Stefan
Extend the list of names of layer 4 protocols. They are used in translating names to IP layer 4 protocol IDs. I added strings for those protocols where Wikipedia mentions RFCs and a few others that seem to be used (pim, fc). http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers --- src/conf/nwfilter_conf.c | 57 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 49 insertions(+), 8 deletions(-) Index: libvirt-acl/src/conf/nwfilter_conf.c =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.c +++ libvirt-acl/src/conf/nwfilter_conf.c @@ -698,19 +698,60 @@ arpOpcodeFormatter(virBufferPtr buf, static const struct int_map ipProtoMap[] = { + INTMAP_ENTRY(0x0, "hopopt"), + INTMAP_ENTRY(IPPROTO_ICMP, "icmp"), + INTMAP_ENTRY(IPPROTO_IGMP, "igmp"), + INTMAP_ENTRY( 3, "ggp"), + INTMAP_ENTRY( 4, "ipv4"), + INTMAP_ENTRY( 5, "st"), INTMAP_ENTRY(IPPROTO_TCP, "tcp"), + INTMAP_ENTRY( 7, "cbt"), + INTMAP_ENTRY( 8, "egp"), + INTMAP_ENTRY( 11, "nvp"), INTMAP_ENTRY(IPPROTO_UDP, "udp"), -#ifdef IPPROTO_UDPLITE - INTMAP_ENTRY(IPPROTO_UDPLITE, "udplite"), -#endif + INTMAP_ENTRY( 20, "hmp"), + INTMAP_ENTRY( 27, "rdp"), + INTMAP_ENTRY( 28, "irtp"), + INTMAP_ENTRY( 29, "iso-tp4"), + INTMAP_ENTRY( 30, "netblt"), + INTMAP_ENTRY( 33, "dccp"), + INTMAP_ENTRY( 35, "idpr"), + INTMAP_ENTRY( 41, "ipv6"), + INTMAP_ENTRY( 42, "sdrp"), + INTMAP_ENTRY( 43, "ipv6-route"), + INTMAP_ENTRY( 44, "ipv6-frag"), + INTMAP_ENTRY( 46, "rsvp"), + INTMAP_ENTRY( 47, "gre"), INTMAP_ENTRY(IPPROTO_ESP, "esp"), INTMAP_ENTRY(IPPROTO_AH, "ah"), - INTMAP_ENTRY(IPPROTO_ICMP, "icmp"), - INTMAP_ENTRY(IPPROTO_IGMP, "igmp"), -#ifdef IPPROTO_SCTP - INTMAP_ENTRY(IPPROTO_SCTP, "sctp"), -#endif + INTMAP_ENTRY( 54, "narp"), + INTMAP_ENTRY( 55, "mobile"), + INTMAP_ENTRY( 57, "skip"), INTMAP_ENTRY(IPPROTO_ICMPV6, "icmpv6"), + INTMAP_ENTRY(IPPROTO_ICMPV6, "ipv6-icmp"), + INTMAP_ENTRY( 59, "ipv6-nonxt"), + INTMAP_ENTRY( 60, "ipv6-opts"), + INTMAP_ENTRY( 81, "vmtp"), + INTMAP_ENTRY( 82, "secure-vmtp"), + INTMAP_ENTRY( 89, "ospf"), + INTMAP_ENTRY( 97, "etherip"), + INTMAP_ENTRY( 98, "encap"), + INTMAP_ENTRY(103, "pim"), + INTMAP_ENTRY(108, "ipcomp"), + INTMAP_ENTRY(112, "vrrp"), + INTMAP_ENTRY(113, "pgm"), + INTMAP_ENTRY(115, "l2tp"), + INTMAP_ENTRY(132, "sctp"), + INTMAP_ENTRY(133, "fc"), + INTMAP_ENTRY(134, "rsvp-e2e-ignore"), + INTMAP_ENTRY(135, "mobility-header"), + INTMAP_ENTRY(136, "udplite"), + INTMAP_ENTRY(137, "mpls-in-ip"), + INTMAP_ENTRY(138, "manet"), + INTMAP_ENTRY(139, "hip"), + INTMAP_ENTRY(140, "shim6"), + INTMAP_ENTRY(141, "wesp"), + INTMAP_ENTRY(142, "rohc"), INTMAP_ENTRY_LAST };
On 09/10/2012 12:58 PM, Stefan Berger wrote: Did anyone have time to look at these 2 patches ? Stefan
This patch introduces a new ipl4 XML node for filtering of IP layer 4 protocols and their common layer 3 and 2 parameters. Also extend the XML schema, add documentation and test cases. The test cases are also used for TCK test cases. --- docs/formatnwfilter.html.in | 184 +++++++++++++++++++++++++++- docs/schemas/nwfilter.rng | 24 +++ src/conf/nwfilter_conf.c | 64 ++++++++- src/conf/nwfilter_conf.h | 9 + src/nwfilter/nwfilter_ebiptables_driver.c | 39 +++++ tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml | 19 ++ tests/nwfilterxml2xmlin/ipl4-test.xml | 18 ++ tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml | 12 + tests/nwfilterxml2xmlout/ipl4-test.xml | 12 + tests/nwfilterxml2xmltest.c | 2 10 files changed, 372 insertions(+), 11 deletions(-) Index: libvirt-acl/src/conf/nwfilter_conf.c =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.c +++ libvirt-acl/src/conf/nwfilter_conf.c @@ -108,6 +108,7 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V "ah", "sctp", "all", + "ipl4", "tcp-ipv6", "icmpv6", "udp-ipv6", @@ -115,7 +116,8 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V "esp-ipv6", "ah-ipv6", "sctp-ipv6", - "all-ipv6"); + "all-ipv6", + "ipl4-ipv6"); /* @@ -759,8 +761,8 @@ static const struct int_map ipProtoMap[] static bool checkIPProtocolID(enum attrDatatype datatype, union data *value, - virNWFilterRuleDefPtr nwf, - nwItemDesc *item ATTRIBUTE_UNUSED) + virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED, + nwItemDesc *item) { int32_t res = -1; @@ -774,8 +776,8 @@ checkIPProtocolID(enum attrDatatype data } if (res != -1) { - nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8 = res; - nwf->p.ipHdrFilter.ipHdr.dataProtocolID.datatype = datatype; + item->u.u8 = res; + item->datatype = datatype; return true; } return false; @@ -784,21 +786,21 @@ checkIPProtocolID(enum attrDatatype data static bool formatIPProtocolID(virBufferPtr buf, - virNWFilterRuleDefPtr nwf, - nwItemDesc *item ATTRIBUTE_UNUSED) + virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED, + nwItemDesc *item) { const char *str = NULL; bool asHex = true; if (intMapGetByInt(ipProtoMap, - nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8, + item->u.u8, &str) == 0) { virBufferAdd(buf, str, -1); } else { - if (nwf->p.ipHdrFilter.ipHdr.dataProtocolID.datatype == DATATYPE_UINT8) + if (item->datatype == DATATYPE_UINT8) asHex = false; virBufferAsprintf(buf, asHex ? "0x%x" : "%d", - nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8); + item->u.u8); } return true; } @@ -1677,6 +1679,20 @@ static const virXMLAttr2Struct allAttrib } }; +static const virXMLAttr2Struct ipl4Attributes[] = { + COMMON_IP_PROPS(ipl4HdrFilter, DATATYPE_IPADDR, DATATYPE_IPMASK), + { + .name = "protocol", + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX | DATATYPE_STRING, + .dataIdx = offsetof(virNWFilterRuleDef, p.ipl4HdrFilter.ipHdr.dataProtocolID), + .validator= checkIPProtocolID, + .formatter= formatIPProtocolID, + }, + COMMENT_PROP_IPHDR(ipl4HdrFilter), + { + .name = NULL, + } +}; static const virXMLAttr2Struct igmpAttributes[] = { COMMON_IP_PROPS(igmpHdrFilter, DATATYPE_IPADDR, DATATYPE_IPMASK), @@ -1775,6 +1791,20 @@ static const virXMLAttr2Struct allipv6At } }; +static const virXMLAttr2Struct ipl4ipv6Attributes[] = { + COMMON_IP_PROPS(ipl4HdrFilter, DATATYPE_IPV6ADDR, DATATYPE_IPV6MASK), + { + .name = "protocol", + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX | DATATYPE_STRING, + .dataIdx = offsetof(virNWFilterRuleDef, p.ipl4HdrFilter.ipHdr.dataProtocolID), + .validator= checkIPProtocolID, + .formatter= formatIPProtocolID, + }, + COMMENT_PROP_IPHDR(ipl4HdrFilter), + { + .name = NULL, + } +}; typedef struct _virAttributes virAttributes; struct _virAttributes { @@ -1804,6 +1834,7 @@ static const virAttributes virAttr[] = { PROTOCOL_ENTRY("sctp" , sctpAttributes , VIR_NWFILTER_RULE_PROTOCOL_SCTP), PROTOCOL_ENTRY("icmp" , icmpAttributes , VIR_NWFILTER_RULE_PROTOCOL_ICMP), PROTOCOL_ENTRY("all" , allAttributes , VIR_NWFILTER_RULE_PROTOCOL_ALL), + PROTOCOL_ENTRY("ipl4" , ipl4Attributes , VIR_NWFILTER_RULE_PROTOCOL_IPL4), PROTOCOL_ENTRY("igmp" , igmpAttributes , VIR_NWFILTER_RULE_PROTOCOL_IGMP), PROTOCOL_ENTRY("tcp-ipv6" , tcpipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6), PROTOCOL_ENTRY("udp-ipv6" , udpipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6), @@ -1813,6 +1844,7 @@ static const virAttributes virAttr[] = { PROTOCOL_ENTRY("sctp-ipv6" , sctpipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6), PROTOCOL_ENTRY("icmpv6" , icmpv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_ICMPV6), PROTOCOL_ENTRY("all-ipv6" , allipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6), + PROTOCOL_ENTRY("ipl4-ipv6" , ipl4ipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6), PROTOCOL_ENTRY_LAST }; @@ -2313,6 +2345,18 @@ virNWFilterRuleDefFixup(virNWFilterRuleD rule->p.allHdrFilter.ipHdr.dataDstIPFrom); break; + case VIR_NWFILTER_RULE_PROTOCOL_IPL4: + case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6: + COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataSrcIPMask, + rule->p.ipl4HdrFilter.ipHdr.dataSrcIPAddr); + COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataDstIPMask, + rule->p.ipl4HdrFilter.ipHdr.dataDstIPAddr); + COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataSrcIPTo, + rule->p.ipl4HdrFilter.ipHdr.dataSrcIPFrom); + COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataDstIPTo, + rule->p.ipl4HdrFilter.ipHdr.dataDstIPFrom); + break; + case VIR_NWFILTER_RULE_PROTOCOL_IGMP: COPY_NEG_SIGN(rule->p.igmpHdrFilter.ipHdr.dataSrcIPMask, rule->p.igmpHdrFilter.ipHdr.dataSrcIPAddr); Index: libvirt-acl/src/conf/nwfilter_conf.h =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.h +++ libvirt-acl/src/conf/nwfilter_conf.h @@ -284,6 +284,12 @@ struct _allHdrFilterDef { ipHdrDataDef ipHdr; }; +typedef struct _ipl4HdrFilterDef ipl4HdrFilterDef; +typedef ipl4HdrFilterDef *ipl4HdrFilterDefPtr; +struct _ipl4HdrFilterDef { + nwItemDesc dataSrcMACAddr; + ipHdrDataDef ipHdr; +}; typedef struct _igmpHdrFilterDef igmpHdrFilterDef; typedef igmpHdrFilterDef *igmpHdrFilterDefPtr; @@ -389,6 +395,7 @@ enum virNWFilterRuleProtocolType { VIR_NWFILTER_RULE_PROTOCOL_AH, VIR_NWFILTER_RULE_PROTOCOL_SCTP, VIR_NWFILTER_RULE_PROTOCOL_ALL, + VIR_NWFILTER_RULE_PROTOCOL_IPL4, VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6, VIR_NWFILTER_RULE_PROTOCOL_ICMPV6, VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6, @@ -397,6 +404,7 @@ enum virNWFilterRuleProtocolType { VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6, VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6, VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6, + VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6, VIR_NWFILTER_RULE_PROTOCOL_LAST }; @@ -469,6 +477,7 @@ struct _virNWFilterRuleDef { espHdrFilterDef espHdrFilter; ahHdrFilterDef ahHdrFilter; allHdrFilterDef allHdrFilter; + ipl4HdrFilterDef ipl4HdrFilter; igmpHdrFilterDef igmpHdrFilter; sctpHdrFilterDef sctpHdrFilter; } p; Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1633,6 +1633,43 @@ _iptablesCreateRuleInstance(int directio break; + case VIR_NWFILTER_RULE_PROTOCOL_IPL4: + case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6: + virBufferAsprintf(&buf, + CMD_DEF_PRE "$IPT -%%c %s %%s", + chain); + + if (HAS_ENTRY_ITEM(&rule->p.ipl4HdrFilter.ipHdr.dataProtocolID)) { + if (printDataTypeAsHex(vars, + number, sizeof(number), + &rule->p.ipl4HdrFilter.ipHdr.dataProtocolID) < 0) + goto err_exit; + virBufferAsprintf(&buf, + " -p %s %s", + ENTRY_GET_NEG_SIGN(&rule->p.ipl4HdrFilter.ipHdr.dataProtocolID), + number); + } + + bufUsed = virBufferUse(&buf); + + if (iptablesHandleSrcMacAddr(&buf, + vars, + &rule->p.ipl4HdrFilter.dataSrcMACAddr, + directionIn, + &srcMacSkipped) < 0) + goto err_exit; + + if (iptablesHandleIpHdr(&buf, + &afterStateMatch, + vars, + &rule->p.ipl4HdrFilter.ipHdr, + directionIn, + &skipRule, &skipMatch, + &prefix) < 0) + goto err_exit; + + break; + default: return -1; } @@ -2656,6 +2693,7 @@ ebiptablesCreateRuleInstance(enum virDom case VIR_NWFILTER_RULE_PROTOCOL_ICMP: case VIR_NWFILTER_RULE_PROTOCOL_IGMP: case VIR_NWFILTER_RULE_PROTOCOL_ALL: + case VIR_NWFILTER_RULE_PROTOCOL_IPL4: isIPv6 = 0; rc = iptablesCreateRuleInstance(nwfilter, rule, @@ -2673,6 +2711,7 @@ ebiptablesCreateRuleInstance(enum virDom case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6: case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6: + case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6: isIPv6 = 1; rc = iptablesCreateRuleInstance(nwfilter, rule, Index: libvirt-acl/docs/schemas/nwfilter.rng =================================================================== --- libvirt-acl.orig/docs/schemas/nwfilter.rng +++ libvirt-acl/docs/schemas/nwfilter.rng @@ -167,6 +167,18 @@ </optional> <optional> <zeroOrMore> + <element name="ipl4"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-ip-attributes-p2"/> + <ref name="ip-attributes"/> + <ref name="comment-attribute"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> <element name="esp"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> @@ -257,6 +269,18 @@ <ref name="comment-attribute"/> </element> </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="ipl4-ipv6"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ipv6-attributes-p1"/> + <ref name="common-ipv6-attributes-p2"/> + <ref name="ip-attributes"/> + <ref name="comment-attribute"/> + </element> + </zeroOrMore> </optional> <optional> <zeroOrMore> Index: libvirt-acl/tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml @@ -0,0 +1,19 @@ +<filter name='testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out'> + <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6' + dstipaddr='a:b:c::d:e:f' dstipmask='128' + srcipaddr='f:e:d::c:b:a' srcipmask='127' + dscp='2' protocol='254'/> + </rule> + <rule action='accept' direction='in'> + <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6' + srcipaddr='a:b:c::' srcipmask='128' + dscp='33' protocol='udp'/> + </rule> + <rule action='accept' direction='in'> + <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6' + srcipaddr='::10.1.2.3' srcipmask='129' + dscp='33' protocol='tcp'/> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmlin/ipl4-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlin/ipl4-test.xml @@ -0,0 +1,18 @@ +<filter name='testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out'> + <ipl4 srcmacaddr='1:2:3:4:5:6' + dstipaddr='10.1.2.3' dstipmask='255.255.255.255' + dscp='2' protocol='254'/> + </rule> + <rule action='accept' direction='in'> + <ipl4 srcmacaddr='1:2:3:4:5:6' + srcipaddr='10.1.2.3' srcipmask='22' + dscp='33' protocol='udp'/> + </rule> + <rule action='accept' direction='in'> + <ipl4 srcmacaddr='1:2:3:4:5:6' + srcipaddr='10.1.2.3' srcipmask='22' + dscp='33' protocol='tcp'/> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml @@ -0,0 +1,12 @@ +<filter name='testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out' priority='500'> + <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='f:e:d::c:b:a' srcipmask='127' dstipaddr='a:b:c::d:e:f' dstipmask='128' dscp='2' protocol='254'/> + </rule> + <rule action='accept' direction='in' priority='500'> + <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='a:b:c::' srcipmask='128' dscp='33' protocol='udp'/> + </rule> + <rule action='accept' direction='in' priority='500'> + <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='::10.1.2.3' dscp='33' protocol='tcp'/> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmlout/ipl4-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlout/ipl4-test.xml @@ -0,0 +1,12 @@ +<filter name='testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out' priority='500'> + <ipl4 srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2' protocol='254'/> + </rule> + <rule action='accept' direction='in' priority='500'> + <ipl4 srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='22' dscp='33' protocol='udp'/> + </rule> + <rule action='accept' direction='in' priority='500'> + <ipl4 srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='22' dscp='33' protocol='tcp'/> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmltest.c =================================================================== --- libvirt-acl.orig/tests/nwfilterxml2xmltest.c +++ libvirt-acl/tests/nwfilterxml2xmltest.c @@ -124,6 +124,7 @@ mymain(void) DO_TEST("esp-test", false); DO_TEST("ah-test", false); DO_TEST("all-test", false); + DO_TEST("ipl4-test", false); DO_TEST("tcp-ipv6-test", true); DO_TEST("udp-ipv6-test", true); @@ -133,6 +134,7 @@ mymain(void) DO_TEST("esp-ipv6-test", true); DO_TEST("ah-ipv6-test", true); DO_TEST("all-ipv6-test", true); + DO_TEST("ipl4-ipv6-test", true); DO_TEST("ref-test", false); DO_TEST("ref-rule-test", false); Index: libvirt-acl/docs/formatnwfilter.html.in =================================================================== --- libvirt-acl.orig/docs/formatnwfilter.html.in +++ libvirt-acl/docs/formatnwfilter.html.in @@ -1066,7 +1066,7 @@ <tr> <td>protocol</td> <td>UINT8, STRING</td> - <td>Layer 4 protocol identifier</td> + <td>Layer 4 protocol identifier; names of the most common protocols are supported (see 1st column in /etc/protocols)</td> </tr> <tr> <td>srcportstart</td> @@ -1510,6 +1510,97 @@ <br/><br/> </p> + <h5><a name="nwfelemsRulesProtoIPl4">IPL4</a> + <span class="since">(Since 0.10.2)</span> + </h5> + <p> + Protocol ID: ipl4; the protocol ID is provided through the protocolid + attribute + <br/> + Note: The chain parameter is ignored for this type of traffic + and should either be omitted or set to <code>root</code>. + </p> + <table class="top_table"> + <tr> + <th> Attribute </th> + <th> Datatype </th> + <th> Semantics </th> + </tr> + <tr> + <td>srcmacaddr</td> + <td>MAC_ADDR</td> + <td>MAC address of sender</td> + </tr> + <tr> + <td>protocolid</td> + <td>UINT8, STRING</td> + <td>Layer 4 protocol ID; names of the most common protocols are supported (see 1st column in /etc/protocols)</td> + </tr> + <tr> + <td>srcipaddr</td> + <td>IP_ADDR</td> + <td>Source IP address</td> + </tr> + <tr> + <td>srcipmask</td> + <td>IP_MASK</td> + <td>Mask applied to source IP address</td> + </tr> + <tr> + <td>dstipaddr</td> + <td>IP_ADDR</td> + <td>Destination IP address</td> + </tr> + <tr> + <td>dstipmask</td> + <td>IP_MASK</td> + <td>Mask applied to destination IP address</td> + </tr> + <tr> + <td>srcipfrom</td> + <td>IP_ADDR</td> + <td>Start of range of source IP address</td> + </tr> + <tr> + <td>srcipto</td> + <td>IP_ADDR</td> + <td>End of range of source IP address</td> + </tr> + <tr> + <td>dstipfrom</td> + <td>IP_ADDR</td> + <td>Start of range of destination IP address</td> + </tr> + <tr> + <td>dstipto</td> + <td>IP_ADDR</td> + <td>End of range of destination IP address</td> + </tr> + <tr> + <td>comment</td> + <td>STRING</td> + <td>text with max. 256 characters</td> + </tr> + <tr> + <td>state</td> + <td>STRING</td> + <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td> + </tr> + <tr> + <td>ipset</td> + <td>STRING</td> + <td>The name of an IPSet managed outside of libvirt</td> + </tr> + <tr> + <td>ipsetflags</td> + <td>IPSETFLAGS</td> + <td>flags for the IPSet; requires ipset attribute</td> + </tr> + </table> + <p> + <br/><br/> + </p> + <h5><a name="nwfelemsRulesProtoTCP-ipv6">TCP/UDP/SCTP over IPV6</a></h5> <p> @@ -1796,6 +1887,97 @@ <td>IPSETFLAGS</td> <td>flags for the IPSet; requires ipset attribute</td> </tr> + </table> + <p> + <br/><br/> + </p> + + <h5><a name="nwfelemsRulesProtoIPl4v6">IPL4 over IPv6</a> + <span class="since">(Since 0.10.2)</span> + </h5> + <p> + Protocol ID: ipl4; the protocol ID is provided through the protocolid + attribute + <br/> + Note: The chain parameter is ignored for this type of traffic + and should either be omitted or set to <code>root</code>. + </p> + <table class="top_table"> + <tr> + <th> Attribute </th> + <th> Datatype </th> + <th> Semantics </th> + </tr> + <tr> + <td>srcmacaddr</td> + <td>MAC_ADDR</td> + <td>MAC address of sender</td> + </tr> + <tr> + <td>protocolid</td> + <td>UINT8, STRING</td> + <td>Layer 4 protocol ID</td> + </tr> + <tr> + <td>srcipaddr</td> + <td>IP_ADDR</td> + <td>Source IP address</td> + </tr> + <tr> + <td>srcipmask</td> + <td>IP_MASK</td> + <td>Mask applied to source IP address</td> + </tr> + <tr> + <td>dstipaddr</td> + <td>IP_ADDR</td> + <td>Destination IP address</td> + </tr> + <tr> + <td>dstipmask</td> + <td>IP_MASK</td> + <td>Mask applied to destination IP address</td> + </tr> + <tr> + <td>srcipfrom</td> + <td>IP_ADDR</td> + <td>Start of range of source IP address</td> + </tr> + <tr> + <td>srcipto</td> + <td>IP_ADDR</td> + <td>End of range of source IP address</td> + </tr> + <tr> + <td>dstipfrom</td> + <td>IP_ADDR</td> + <td>Start of range of destination IP address</td> + </tr> + <tr> + <td>dstipto</td> + <td>IP_ADDR</td> + <td>End of range of destination IP address</td> + </tr> + <tr> + <td>comment</td> + <td>STRING</td> + <td>text with max. 256 characters</td> + </tr> + <tr> + <td>state</td> + <td>STRING</td> + <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td> + </tr> + <tr> + <td>ipset</td> + <td>STRING</td> + <td>The name of an IPSet managed outside of libvirt</td> + </tr> + <tr> + <td>ipsetflags</td> + <td>IPSETFLAGS</td> + <td>flags for the IPSet; requires ipset attribute</td> + </tr> </table> <p> <br/><br/>
participants (1)
-
Stefan Berger