This patch introduces a new ipl4 XML node for filtering of IP layer 4
protocols and their common layer 3 and 2 parameters.
It also extends the XML schema and adds documentation and test cases; the test
cases are also used for TCK test cases.
---
docs/formatnwfilter.html.in | 184 +++++++++++++++++++++++++++-
docs/schemas/nwfilter.rng | 24 +++
src/conf/nwfilter_conf.c | 64 ++++++++-
src/conf/nwfilter_conf.h | 9 +
src/nwfilter/nwfilter_ebiptables_driver.c | 39 +++++
tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml | 19 ++
tests/nwfilterxml2xmlin/ipl4-test.xml | 18 ++
tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml | 12 +
tests/nwfilterxml2xmlout/ipl4-test.xml | 12 +
tests/nwfilterxml2xmltest.c | 2
10 files changed, 372 insertions(+), 11 deletions(-)
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -108,6 +108,7 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V
"ah",
"sctp",
"all",
+ "ipl4",
"tcp-ipv6",
"icmpv6",
"udp-ipv6",
@@ -115,7 +116,8 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V
"esp-ipv6",
"ah-ipv6",
"sctp-ipv6",
- "all-ipv6");
+ "all-ipv6",
+ "ipl4-ipv6");
/*
@@ -759,8 +761,8 @@ static const struct int_map ipProtoMap[]
static bool
checkIPProtocolID(enum attrDatatype datatype,
union data *value,
- virNWFilterRuleDefPtr nwf,
- nwItemDesc *item ATTRIBUTE_UNUSED)
+ virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED,
+ nwItemDesc *item)
{
int32_t res = -1;
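Review bot: checkIPProtocolID now stores its result through `item` rather than the fixed `nwf->p.ipHdrFilter.ipHdr.dataProtocolID` slot, so every attribute table that names it as `.validator` — including the pre-existing `ip` element table, which is outside this patch — must carry a `.dataIdx` that resolves to its own `dataProtocolID`; the two tables added here do (L90, L109), the existing one should be checked before merging. The same change is made in the hunk at -774 and in formatIPProtocolID below, and the part of the body that resolves a symbolic name sits between the two hunks and is not visible here. A short comment on the signature would record the new contract, e.g. `/* Resolve value into item->u.u8 / item->datatype; nwf is unused, kept for the validator signature */`.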
@@ -774,8 +776,8 @@ checkIPProtocolID(enum attrDatatype data
}
if (res != -1) {
- nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8 = res;
- nwf->p.ipHdrFilter.ipHdr.dataProtocolID.datatype = datatype;
+ item->u.u8 = res;
+ item->datatype = datatype;
return true;
}
return false;
@@ -784,21 +786,21 @@ checkIPProtocolID(enum attrDatatype data
static bool
formatIPProtocolID(virBufferPtr buf,
- virNWFilterRuleDefPtr nwf,
- nwItemDesc *item ATTRIBUTE_UNUSED)
+ virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED,
+ nwItemDesc *item)
{
const char *str = NULL;
bool asHex = true;
if (intMapGetByInt(ipProtoMap,
- nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8,
+ item->u.u8,
&str) == 0) {
virBufferAdd(buf, str, -1);
} else {
- if (nwf->p.ipHdrFilter.ipHdr.dataProtocolID.datatype == DATATYPE_UINT8)
+ if (item->datatype == DATATYPE_UINT8)
asHex = false;
virBufferAsprintf(buf, asHex ? "0x%x" : "%d",
- nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8);
+ item->u.u8);
}
return true;
}
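Review bot: In formatIPProtocolID the `asHex` flag is initialised to true and then conditionally reset inside the else branch, where it is the only place it is read; a single initializer at the top of that branch reads more directly, `bool asHex = item->datatype != DATATYPE_UINT8;`, and the separate `if` goes away with identical output. `nwf` is now unused here as well as in checkIPProtocolID; a comment such as `/* nwf: unused, required by the formatter signature */` would stop a later reader from "fixing" the parameter list.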
@@ -1677,6 +1679,20 @@ static const virXMLAttr2Struct allAttrib
}
};
+static const virXMLAttr2Struct ipl4Attributes[] = {
+ COMMON_IP_PROPS(ipl4HdrFilter, DATATYPE_IPADDR, DATATYPE_IPMASK),
+ {
+ .name = "protocol",
+ .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX | DATATYPE_STRING,
+ .dataIdx = offsetof(virNWFilterRuleDef, p.ipl4HdrFilter.ipHdr.dataProtocolID),
+ .validator= checkIPProtocolID,
+ .formatter= formatIPProtocolID,
+ },
+ COMMENT_PROP_IPHDR(ipl4HdrFilter),
+ {
+ .name = NULL,
+ }
+};
static const virXMLAttr2Struct igmpAttributes[] = {
COMMON_IP_PROPS(igmpHdrFilter, DATATYPE_IPADDR, DATATYPE_IPMASK),
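Review bot: The attribute is registered as `"protocol"` (L88, and again at L107 in the ipl4ipv6Attributes hunk) and the new fixtures use `protocol='254'` / `protocol='udp'`, but the documentation added in this patch (docs/formatnwfilter.html.in, both new tables and the sentence "Protocol ID: ipl4; the protocol ID is provided through the protocolid attribute") calls it `protocolid`; one of the two is wrong, and a user following the docs will write an attribute the parser does not know. The same doc tables omit `dscp`, which the fixtures set and which survives the round-trip (ipl4-test.xml in/out), so the ipl4 tables evidently accept it and the row should be added. I would also align the spacing here, `.validator = checkIPProtocolID,` / `.formatter = formatIPProtocolID,`, to match the `.name =` / `.datatype =` lines above them.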
@@ -1775,6 +1791,20 @@ static const virXMLAttr2Struct allipv6At
}
};
+static const virXMLAttr2Struct ipl4ipv6Attributes[] = {
+ COMMON_IP_PROPS(ipl4HdrFilter, DATATYPE_IPV6ADDR, DATATYPE_IPV6MASK),
+ {
+ .name = "protocol",
+ .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX | DATATYPE_STRING,
+ .dataIdx = offsetof(virNWFilterRuleDef, p.ipl4HdrFilter.ipHdr.dataProtocolID),
+ .validator= checkIPProtocolID,
+ .formatter= formatIPProtocolID,
+ },
+ COMMENT_PROP_IPHDR(ipl4HdrFilter),
+ {
+ .name = NULL,
+ }
+};
typedef struct _virAttributes virAttributes;
struct _virAttributes {
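Review bot: This table repeats the `protocol` entry of ipl4Attributes byte for byte; only the COMMON_IP_PROPS arguments differ, so a helper macro in the style of the existing COMMENT_PROP_IPHDR (say a constructed `PROTOCOL_PROP_IPHDR(ipl4HdrFilter)` expanding to the four-member initializer) would keep the validator/formatter pairing in one place. Separately, the "IPL4 over IPv6" documentation section added in this patch states "Protocol ID: ipl4", whereas the element registered for this table is `"ipl4-ipv6"` (L142, schema element at L296, fixtures at L316), and its table lists `IP_ADDR`/`IP_MASK` although this table parses `DATATYPE_IPV6ADDR`/`DATATYPE_IPV6MASK` (L105); if the other -ipv6 sections of that page use IPv6 datatype names, this one should follow.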
@@ -1804,6 +1834,7 @@ static const virAttributes virAttr[] = {
PROTOCOL_ENTRY("sctp" , sctpAttributes ,
VIR_NWFILTER_RULE_PROTOCOL_SCTP),
PROTOCOL_ENTRY("icmp" , icmpAttributes ,
VIR_NWFILTER_RULE_PROTOCOL_ICMP),
PROTOCOL_ENTRY("all" , allAttributes ,
VIR_NWFILTER_RULE_PROTOCOL_ALL),
+ PROTOCOL_ENTRY("ipl4" , ipl4Attributes ,
VIR_NWFILTER_RULE_PROTOCOL_IPL4),
PROTOCOL_ENTRY("igmp" , igmpAttributes ,
VIR_NWFILTER_RULE_PROTOCOL_IGMP),
PROTOCOL_ENTRY("tcp-ipv6" , tcpipv6Attributes ,
VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6),
PROTOCOL_ENTRY("udp-ipv6" , udpipv6Attributes ,
VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6),
@@ -1813,6 +1844,7 @@ static const virAttributes virAttr[] = {
PROTOCOL_ENTRY("sctp-ipv6" , sctpipv6Attributes ,
VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6),
PROTOCOL_ENTRY("icmpv6" , icmpv6Attributes ,
VIR_NWFILTER_RULE_PROTOCOL_ICMPV6),
PROTOCOL_ENTRY("all-ipv6" , allipv6Attributes ,
VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6),
+ PROTOCOL_ENTRY("ipl4-ipv6" , ipl4ipv6Attributes ,
VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6),
PROTOCOL_ENTRY_LAST
};
@@ -2313,6 +2345,18 @@ virNWFilterRuleDefFixup(virNWFilterRuleD
rule->p.allHdrFilter.ipHdr.dataDstIPFrom);
break;
+ case VIR_NWFILTER_RULE_PROTOCOL_IPL4:
+ case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6:
+ COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataSrcIPMask,
+ rule->p.ipl4HdrFilter.ipHdr.dataSrcIPAddr);
+ COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataDstIPMask,
+ rule->p.ipl4HdrFilter.ipHdr.dataDstIPAddr);
+ COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataSrcIPTo,
+ rule->p.ipl4HdrFilter.ipHdr.dataSrcIPFrom);
+ COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataDstIPTo,
+ rule->p.ipl4HdrFilter.ipHdr.dataDstIPFrom);
+ break;
+
case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
COPY_NEG_SIGN(rule->p.igmpHdrFilter.ipHdr.dataSrcIPMask,
rule->p.igmpHdrFilter.ipHdr.dataSrcIPAddr);
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -284,6 +284,12 @@ struct _allHdrFilterDef {
ipHdrDataDef ipHdr;
};
+typedef struct _ipl4HdrFilterDef ipl4HdrFilterDef;
+typedef ipl4HdrFilterDef *ipl4HdrFilterDefPtr;
+struct _ipl4HdrFilterDef {
+ nwItemDesc dataSrcMACAddr;
+ ipHdrDataDef ipHdr;
+};
typedef struct _igmpHdrFilterDef igmpHdrFilterDef;
typedef igmpHdrFilterDef *igmpHdrFilterDefPtr;
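Review bot: `_ipl4HdrFilterDef` carries `dataSrcMACAddr` plus `ipHdr`, which looks like the same layout as `_allHdrFilterDef` just above it (only its tail, `ipHdrDataDef ipHdr;`, is visible here, so this is inferred). If the two are indeed identical, the new struct could be a typedef of the existing one, or the ipl4 cases in virNWFilterRuleDefFixup and _iptablesCreateRuleInstance could share the `all` arms, which would avoid the parallel copies this patch adds there. A one-line comment, `/* "all" filter plus a layer-4 protocol match; see ipl4Attributes */`, would at least document the relationship.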
@@ -389,6 +395,7 @@ enum virNWFilterRuleProtocolType {
VIR_NWFILTER_RULE_PROTOCOL_AH,
VIR_NWFILTER_RULE_PROTOCOL_SCTP,
VIR_NWFILTER_RULE_PROTOCOL_ALL,
+ VIR_NWFILTER_RULE_PROTOCOL_IPL4,
VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6,
VIR_NWFILTER_RULE_PROTOCOL_ICMPV6,
VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6,
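Review bot: Inserting `VIR_NWFILTER_RULE_PROTOCOL_IPL4` in the middle of the enum renumbers every IPv6 enumerator after it (the same applies to `VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6` in the next hunk). The VIR_ENUM_IMPL string list in nwfilter_conf.c is updated in lockstep (L25, L35), but any other array or table that is indexed by this enum value rather than looked up by name would shift silently; worth a grep before merging. Appending the new values just before `VIR_NWFILTER_RULE_PROTOCOL_LAST` would sidestep the renumbering if the relative position is not significant.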
@@ -397,6 +404,7 @@ enum virNWFilterRuleProtocolType {
VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6,
VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6,
VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6,
+ VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6,
VIR_NWFILTER_RULE_PROTOCOL_LAST
};
@@ -469,6 +477,7 @@ struct _virNWFilterRuleDef {
espHdrFilterDef espHdrFilter;
ahHdrFilterDef ahHdrFilter;
allHdrFilterDef allHdrFilter;
+ ipl4HdrFilterDef ipl4HdrFilter;
igmpHdrFilterDef igmpHdrFilter;
sctpHdrFilterDef sctpHdrFilter;
} p;
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1633,6 +1633,43 @@ _iptablesCreateRuleInstance(int directio
break;
+ case VIR_NWFILTER_RULE_PROTOCOL_IPL4:
+ case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6:
+ virBufferAsprintf(&buf,
+ CMD_DEF_PRE "$IPT -%%c %s %%s",
+ chain);
+
+ if (HAS_ENTRY_ITEM(&rule->p.ipl4HdrFilter.ipHdr.dataProtocolID)) {
+ if (printDataTypeAsHex(vars,
+ number, sizeof(number),
+ &rule->p.ipl4HdrFilter.ipHdr.dataProtocolID)
< 0)
+ goto err_exit;
+ virBufferAsprintf(&buf,
+ " -p %s %s",
+
ENTRY_GET_NEG_SIGN(&rule->p.ipl4HdrFilter.ipHdr.dataProtocolID),
+ number);
+ }
+
+ bufUsed = virBufferUse(&buf);
+
+ if (iptablesHandleSrcMacAddr(&buf,
+ vars,
+ &rule->p.ipl4HdrFilter.dataSrcMACAddr,
+ directionIn,
+ &srcMacSkipped) < 0)
+ goto err_exit;
+
+ if (iptablesHandleIpHdr(&buf,
+ &afterStateMatch,
+ vars,
+ &rule->p.ipl4HdrFilter.ipHdr,
+ directionIn,
+ &skipRule, &skipMatch,
+ &prefix) < 0)
+ goto err_exit;
+
+ break;
+
default:
return -1;
}
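Review bot: The `-p` match is built from `printDataTypeAsHex` on `dataProtocolID`, which is correct only if checkIPProtocolID has already replaced a symbolic name such as `udp` by its number and a numeric datatype; that conversion lies in the part of checkIPProtocolID this patch does not show, and the only tests added (`ipl4-test`, `ipl4-ipv6-test` in nwfilterxml2xmltest.c) exercise XML round-tripping, not rule generation, so a fixture with `protocol='udp'` never reaches this code. A comment above the block, `/* dataProtocolID holds the numeric protocol; names were resolved by checkIPProtocolID */`, would make the dependency explicit. Apart from the `-p` block, the arm appears to follow the same sequence as the neighbouring `all` case (srcMAC, then iptablesHandleIpHdr); if that case is identical, a shared fall-through would avoid keeping two copies in sync. The enclosing _iptablesCreateRuleInstance starts and ends outside the hunk, including whatever later consumes `bufUsed` and `srcMacSkipped`.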
@@ -2656,6 +2693,7 @@ ebiptablesCreateRuleInstance(enum virDom
case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
case VIR_NWFILTER_RULE_PROTOCOL_ALL:
+ case VIR_NWFILTER_RULE_PROTOCOL_IPL4:
isIPv6 = 0;
rc = iptablesCreateRuleInstance(nwfilter,
rule,
@@ -2673,6 +2711,7 @@ ebiptablesCreateRuleInstance(enum virDom
case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6:
case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6:
case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6:
+ case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6:
isIPv6 = 1;
rc = iptablesCreateRuleInstance(nwfilter,
rule,
Index: libvirt-acl/docs/schemas/nwfilter.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -167,6 +167,18 @@
</optional>
<optional>
<zeroOrMore>
+ <element name="ipl4">
+ <ref name="match-attribute"/>
+ <ref name="srcmac-attribute"/>
+ <ref name="common-ip-attributes-p1"/>
+ <ref name="common-ip-attributes-p2"/>
+ <ref name="ip-attributes"/>
+ <ref name="comment-attribute"/>
+ </element>
+ </zeroOrMore>
+ </optional>
+ <optional>
+ <zeroOrMore>
<element name="esp">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
@@ -257,6 +269,18 @@
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
+ </optional>
+ <optional>
+ <zeroOrMore>
+ <element name="ipl4-ipv6">
+ <ref name="match-attribute"/>
+ <ref name="srcmac-attribute"/>
+ <ref name="common-ipv6-attributes-p1"/>
+ <ref name="common-ipv6-attributes-p2"/>
+ <ref name="ip-attributes"/>
+ <ref name="comment-attribute"/>
+ </element>
+ </zeroOrMore>
</optional>
<optional>
<zeroOrMore>
Index: libvirt-acl/tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2' protocol='254'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33' protocol='udp'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33' protocol='tcp'/>
+ </rule>
+</filter>
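Review bot: The third rule uses `srcipmask='129'`, which is out of range for an IPv6 prefix length, and the expected output fixture (ipl4-ipv6-test.xml under nwfilterxml2xmlout) simply omits `srcipmask` for that rule, so the test pins down that an invalid mask on a firewall rule is dropped silently rather than rejected. If that mirrors the existing *-ipv6-test fixtures it is deliberate, but a comment next to the rule would make the intent visible: `<!-- srcipmask='129' is invalid for IPv6 and is expected to be dropped by the parser -->`, provided the harness compares parsed output rather than raw text.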
Index: libvirt-acl/tests/nwfilterxml2xmlin/ipl4-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/ipl4-test.xml
@@ -0,0 +1,18 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ipl4 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' protocol='254'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ipl4 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' protocol='udp'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ipl4 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' protocol='tcp'/>
+ </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml
@@ -0,0 +1,12 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='f:e:d::c:b:a'
srcipmask='127' dstipaddr='a:b:c::d:e:f' dstipmask='128'
dscp='2' protocol='254'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='a:b:c::'
srcipmask='128' dscp='33' protocol='udp'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='::10.1.2.3'
dscp='33' protocol='tcp'/>
+ </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmlout/ipl4-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/ipl4-test.xml
@@ -0,0 +1,12 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <ipl4 srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3'
dstipmask='32' dscp='2' protocol='254'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <ipl4 srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3'
srcipmask='22' dscp='33' protocol='udp'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <ipl4 srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3'
srcipmask='22' dscp='33' protocol='tcp'/>
+ </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmltest.c
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmltest.c
+++ libvirt-acl/tests/nwfilterxml2xmltest.c
@@ -124,6 +124,7 @@ mymain(void)
DO_TEST("esp-test", false);
DO_TEST("ah-test", false);
DO_TEST("all-test", false);
+ DO_TEST("ipl4-test", false);
DO_TEST("tcp-ipv6-test", true);
DO_TEST("udp-ipv6-test", true);
@@ -133,6 +134,7 @@ mymain(void)
DO_TEST("esp-ipv6-test", true);
DO_TEST("ah-ipv6-test", true);
DO_TEST("all-ipv6-test", true);
+ DO_TEST("ipl4-ipv6-test", true);
DO_TEST("ref-test", false);
DO_TEST("ref-rule-test", false);
Index: libvirt-acl/docs/formatnwfilter.html.in
===================================================================
--- libvirt-acl.orig/docs/formatnwfilter.html.in
+++ libvirt-acl/docs/formatnwfilter.html.in
@@ -1066,7 +1066,7 @@
<tr>
<td>protocol</td>
<td>UINT8, STRING</td>
- <td>Layer 4 protocol identifier</td>
+ <td>Layer 4 protocol identifier; names of the most common protocols are
supported (see 1st column in /etc/protocols)</td>
</tr>
<tr>
<td>srcportstart</td>
@@ -1510,6 +1510,97 @@
<br/><br/>
</p>
+ <h5><a name="nwfelemsRulesProtoIPl4">IPL4</a>
+ <span class="since">(Since 0.10.2)</span>
+ </h5>
+ <p>
+ Protocol ID: ipl4; the protocol ID is provided through the protocolid
+ attribute
+ <br/>
+ Note: The chain parameter is ignored for this type of traffic
+ and should either be omitted or set to <code>root</code>.
+ </p>
+ <table class="top_table">
+ <tr>
+ <th> Attribute </th>
+ <th> Datatype </th>
+ <th> Semantics </th>
+ </tr>
+ <tr>
+ <td>srcmacaddr</td>
+ <td>MAC_ADDR</td>
+ <td>MAC address of sender</td>
+ </tr>
+ <tr>
+ <td>protocolid</td>
+ <td>UINT8, STRING</td>
+ <td>Layer 4 protocol ID; names of the most common protocols are supported
(see 1st column in /etc/protocols)</td>
+ </tr>
+ <tr>
+ <td>srcipaddr</td>
+ <td>IP_ADDR</td>
+ <td>Source IP address</td>
+ </tr>
+ <tr>
+ <td>srcipmask</td>
+ <td>IP_MASK</td>
+ <td>Mask applied to source IP address</td>
+ </tr>
+ <tr>
+ <td>dstipaddr</td>
+ <td>IP_ADDR</td>
+ <td>Destination IP address</td>
+ </tr>
+ <tr>
+ <td>dstipmask</td>
+ <td>IP_MASK</td>
+ <td>Mask applied to destination IP address</td>
+ </tr>
+ <tr>
+ <td>srcipfrom</td>
+ <td>IP_ADDR</td>
+ <td>Start of range of source IP address</td>
+ </tr>
+ <tr>
+ <td>srcipto</td>
+ <td>IP_ADDR</td>
+ <td>End of range of source IP address</td>
+ </tr>
+ <tr>
+ <td>dstipfrom</td>
+ <td>IP_ADDR</td>
+ <td>Start of range of destination IP address</td>
+ </tr>
+ <tr>
+ <td>dstipto</td>
+ <td>IP_ADDR</td>
+ <td>End of range of destination IP address</td>
+ </tr>
+ <tr>
+ <td>comment</td>
+ <td>STRING</td>
+ <td>text with max. 256 characters</td>
+ </tr>
+ <tr>
+ <td>state</td>
+ <td>STRING</td>
+ <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or
NONE</td>
+ </tr>
+ <tr>
+ <td>ipset</td>
+ <td>STRING</td>
+ <td>The name of an IPSet managed outside of libvirt</td>
+ </tr>
+ <tr>
+ <td>ipsetflags</td>
+ <td>IPSETFLAGS</td>
+ <td>flags for the IPSet; requires ipset attribute</td>
+ </tr>
+ </table>
+ <p>
+ <br/><br/>
+ </p>
+
<h5><a name="nwfelemsRulesProtoTCP-ipv6">TCP/UDP/SCTP over
IPV6</a></h5>
<p>
@@ -1796,6 +1887,97 @@
<td>IPSETFLAGS</td>
<td>flags for the IPSet; requires ipset attribute</td>
</tr>
+ </table>
+ <p>
+ <br/><br/>
+ </p>
+
+ <h5><a name="nwfelemsRulesProtoIPl4v6">IPL4 over
IPv6</a>
+ <span class="since">(Since 0.10.2)</span>
+ </h5>
+ <p>
+ Protocol ID: ipl4; the protocol ID is provided through the protocolid
+ attribute
+ <br/>
+ Note: The chain parameter is ignored for this type of traffic
+ and should either be omitted or set to <code>root</code>.
+ </p>
+ <table class="top_table">
+ <tr>
+ <th> Attribute </th>
+ <th> Datatype </th>
+ <th> Semantics </th>
+ </tr>
+ <tr>
+ <td>srcmacaddr</td>
+ <td>MAC_ADDR</td>
+ <td>MAC address of sender</td>
+ </tr>
+ <tr>
+ <td>protocolid</td>
+ <td>UINT8, STRING</td>
+ <td>Layer 4 protocol ID</td>
+ </tr>
+ <tr>
+ <td>srcipaddr</td>
+ <td>IP_ADDR</td>
+ <td>Source IP address</td>
+ </tr>
+ <tr>
+ <td>srcipmask</td>
+ <td>IP_MASK</td>
+ <td>Mask applied to source IP address</td>
+ </tr>
+ <tr>
+ <td>dstipaddr</td>
+ <td>IP_ADDR</td>
+ <td>Destination IP address</td>
+ </tr>
+ <tr>
+ <td>dstipmask</td>
+ <td>IP_MASK</td>
+ <td>Mask applied to destination IP address</td>
+ </tr>
+ <tr>
+ <td>srcipfrom</td>
+ <td>IP_ADDR</td>
+ <td>Start of range of source IP address</td>
+ </tr>
+ <tr>
+ <td>srcipto</td>
+ <td>IP_ADDR</td>
+ <td>End of range of source IP address</td>
+ </tr>
+ <tr>
+ <td>dstipfrom</td>
+ <td>IP_ADDR</td>
+ <td>Start of range of destination IP address</td>
+ </tr>
+ <tr>
+ <td>dstipto</td>
+ <td>IP_ADDR</td>
+ <td>End of range of destination IP address</td>
+ </tr>
+ <tr>
+ <td>comment</td>
+ <td>STRING</td>
+ <td>text with max. 256 characters</td>
+ </tr>
+ <tr>
+ <td>state</td>
+ <td>STRING</td>
+ <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or
NONE</td>
+ </tr>
+ <tr>
+ <td>ipset</td>
+ <td>STRING</td>
+ <td>The name of an IPSet managed outside of libvirt</td>
+ </tr>
+ <tr>
+ <td>ipsetflags</td>
+ <td>IPSETFLAGS</td>
+ <td>flags for the IPSet; requires ipset attribute</td>
+ </tr>
</table>
<p>
<br/><br/>