[libvirt] [libvirt PATCH] support continue/return targets in nwfilter

This patch adds support for "continue" and "return" actions in filter rules. Signed-off-by: David L Stevens <dlstevens@us.ibm.com> diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c index 04bfa22..3e28806 100644 --- a/src/conf/nwfilter_conf.c +++ b/src/conf/nwfilter_conf.c @@ -55,12 +55,16 @@ VIR_ENUM_IMPL(virNWFilterRuleAction, VIR_NWFILTER_RULE_ACTION_LAST, "drop", "accept", - "reject"); + "reject", + "return", + "continue"); VIR_ENUM_IMPL(virNWFilterJumpTarget, VIR_NWFILTER_RULE_ACTION_LAST, "DROP", "ACCEPT", - "REJECT"); + "REJECT", + "RETURN", + "CONTINUE"); VIR_ENUM_IMPL(virNWFilterRuleDirection, VIR_NWFILTER_RULE_DIRECTION_LAST, "in", diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h index 5306403..c96851a 100644 --- a/src/conf/nwfilter_conf.h +++ b/src/conf/nwfilter_conf.h @@ -299,6 +299,8 @@ enum virNWFilterRuleActionType { VIR_NWFILTER_RULE_ACTION_DROP = 0, VIR_NWFILTER_RULE_ACTION_ACCEPT, VIR_NWFILTER_RULE_ACTION_REJECT, + VIR_NWFILTER_RULE_ACTION_RETURN, + VIR_NWFILTER_RULE_ACTION_CONTINUE, VIR_NWFILTER_RULE_ACTION_LAST, };
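Review bot: The virNWFilterJumpTarget table in the nwfilter_conf.c hunk gains a "CONTINUE" jump target, but nothing in this patch shows how the rule-emitting backends handle it; CONTINUE is a valid ebtables target, whereas iptables/ip6tables have no target of that name, so the IP-layer path needs either an explicit mapping (a rule with no jump target already falls through to the next rule) or a parse-time rejection of continue for IP rules. The two VIR_ENUM_IMPL tables share VIR_NWFILTER_RULE_ACTION_LAST as their size, and the hunk keeps "return"/"RETURN" and "continue"/"CONTINUE" in the same order in both, which is what that shared count requires.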
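Review bot: The nwfilter_conf.h hunk adds two user-visible actions but the patch carries no documentation change; the action list in docs/formatnwfilter.html.in should gain "return" and "continue" with their "since" version alongside the existing drop/reject/accept entries. Appending VIR_NWFILTER_RULE_ACTION_RETURN and VIR_NWFILTER_RULE_ACTION_CONTINUE after VIR_NWFILTER_RULE_ACTION_REJECT and before VIR_NWFILTER_RULE_ACTION_LAST leaves the existing numeric values unchanged, which is the right ordering.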

On Tue, Oct 18, 2011 at 12:55:25PM -0700, David L Stevens wrote:
This patch adds support for "continue" and "return" actions in filter rules.
Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c index 04bfa22..3e28806 100644 --- a/src/conf/nwfilter_conf.c +++ b/src/conf/nwfilter_conf.c @@ -55,12 +55,16 @@ VIR_ENUM_IMPL(virNWFilterRuleAction, VIR_NWFILTER_RULE_ACTION_LAST, "drop", "accept", - "reject"); + "reject", + "return", + "continue");
VIR_ENUM_IMPL(virNWFilterJumpTarget, VIR_NWFILTER_RULE_ACTION_LAST, "DROP", "ACCEPT", - "REJECT"); + "REJECT", + "RETURN", + "CONTINUE");
VIR_ENUM_IMPL(virNWFilterRuleDirection, VIR_NWFILTER_RULE_DIRECTION_LAST, "in", diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h index 5306403..c96851a 100644 --- a/src/conf/nwfilter_conf.h +++ b/src/conf/nwfilter_conf.h @@ -299,6 +299,8 @@ enum virNWFilterRuleActionType { VIR_NWFILTER_RULE_ACTION_DROP = 0, VIR_NWFILTER_RULE_ACTION_ACCEPT, VIR_NWFILTER_RULE_ACTION_REJECT, + VIR_NWFILTER_RULE_ACTION_RETURN, + VIR_NWFILTER_RULE_ACTION_CONTINUE,
VIR_NWFILTER_RULE_ACTION_LAST, };
ACK

Though it'd be good to update docs/nwfilter.html.in too to mention this

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 10/19/2011 01:51 AM, Daniel P. Berrange wrote:
On Tue, Oct 18, 2011 at 12:55:25PM -0700, David L Stevens wrote:
This patch adds support for "continue" and "return" actions in filter rules.
Signed-off-by: David L Stevens<dlstevens@us.ibm.com>
ACK
Though it'd be good to update docs/nwfilter.html.in too to mention this
I'm squashing in this, so they are at least documented, but I didn't know how to work them into an example, so further content updates from you would be helpful. I also added you to AUTHORS; let me know if any spelling updates are needed. diff --git i/docs/formatnwfilter.html.in w/docs/formatnwfilter.html.in index 8df4a93..5e9daea 100644 --- i/docs/formatnwfilter.html.in +++ w/docs/formatnwfilter.html.in @@ -258,11 +258,19 @@ </p> <ul> <li> - action -- mandatory; must either be <code>drop</code>, - <code>reject</code><span class="since">(since 0.9.0)</span>, - or <code>accept</code> if - the evaluation of the filtering rule is supposed to drop, - reject (using ICMP message), or accept a packet + action -- mandatory; must either be <code>drop</code> + (matching the rule silently discards the packet with no + further analysis), + <code>reject</code> (matching the rule generates an ICMP + reject message with no further analysis) <span class="since">(since + 0.9.0)</span>, <code>accept</code> (matching the rule accepts + the packet with no further analysis), <code>return</code> + (matching the rule passes this filter, but returns control to + the calling filter for further + analysis) <span class="since">(since 0.9.7)</span>, + or <code>continue<code> (matching the rule goes on to the next + rule for further analysis) <span class="since">(since + 0.9.7)</span>. </li> <li> direction -- mandatory; must either be <code>in</code>, <code>out</code> or -- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org
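Review bot: The added line "or <code>continue<code> (matching the rule goes on to the next" has a missing slash in the closing tag; it should read "or <code>continue</code> (matching the rule goes on to the next", otherwise the code element is never closed and the rest of the list item renders in code font. Minor wording point in the same hunk: "must either be" now introduces five alternatives, so "must be one of" reads better.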

Eric,

Thanks -- looks good to me.

"return" is useful for doing multiple chains on one packet -- "drop" if it isn't acceptable and "return" to do further checks in other chains for the acceptable ones. The current fixed set of protocol chains are mutually exclusive, which makes "return" not very interesting. It'll be very useful with user-defined chains, a separate MAC address chain that does protocol checks on the same packet after, or a separate IP source address chain to do multiple address checks before other port or higher protocol checks. Patches for at least one of these should go in soon, I expect, and that will allow a nontrivial example for the documentation.

With the current chains, a "return" will just get you to a "drop" or "accept" in the caller without any further checks on the same packet, so a "return" example with existing chains would be artificial. I'll do an example when one of the above use cases is in: probably best to leave it at what you have now until then.

+-DLS
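To make the documented semantics concrete, here is an added Python model, not libvirt code and not what the patch implements, of how a chain evaluator treats the five actions described in Eric's doc text and used in David's multi-chain pattern: drop/reject/accept end evaluation of the packet, return hands control back to the referencing filter, continue records the match but goes on to the next rule, and a filter that runs off its end behaves like return. The filter names (mac-check, ip-check, vm-ingress), the MAC and IP allow-lists and the sample packets are constructed for illustration; real nwfilter rules are XML that libvirt compiles to ebtables/iptables, which this model does not do.

```python
"""Added example: a toy model of nwfilter rule actions, not libvirt code.

Semantics modelled (from the docs text in this thread):
  drop / reject / accept  -> terminal, evaluation of the packet stops
  return                  -> stop this filter, resume in the referencing filter
  continue                -> rule matched, but go on to the next rule
A filter that runs off its end is treated like "return".

Filter names, allow-lists and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

TERMINAL = {"drop", "reject", "accept"}
ACTIONS = TERMINAL | {"return", "continue"}

Packet = Dict[str, object]


@dataclass
class Rule:
    action: str
    match: Callable[[Packet], bool]

    def __post_init__(self) -> None:
        # Mirror the enum: anything outside the five known actions is rejected up front.
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")


@dataclass
class FilterRef:
    """A filterref-style entry: evaluate another filter, then carry on here."""
    name: str


@dataclass
class Filter:
    name: str
    entries: List[Union[Rule, FilterRef]]


def _evaluate(filters: Dict[str, Filter], name: str, pkt: Packet,
              trace: List[Tuple[str, str]]) -> str:
    for entry in filters[name].entries:
        if isinstance(entry, FilterRef):
            sub = _evaluate(filters, entry.name, pkt, trace)
            if sub in TERMINAL:
                return sub      # a verdict in a sub-filter ends evaluation everywhere
            continue            # sub-filter returned: resume with the next entry here
        if not entry.match(pkt):
            continue            # non-matching rules are simply skipped
        trace.append((name, entry.action))
        if entry.action == "continue":
            continue            # matched, but evaluation goes on with the next rule
        return entry.action     # drop / reject / accept, or return to the caller
    return "return"             # ran off the end of the filter: same as an explicit return


def verdict(filters: Dict[str, Filter], name: str, pkt: Packet
            ) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Return (verdict, trace). verdict is None when the top-level filter
    returned without deciding, the case a chain policy has to cover."""
    trace: List[Tuple[str, str]] = []
    v = _evaluate(filters, name, pkt, trace)
    return (None if v == "return" else v), trace


# Constructed allow-lists for the example.
ALLOWED_MACS = {"52:54:00:12:34:56"}
ALLOWED_IPS = {"10.0.0.5", "10.0.0.6"}


def build_filters() -> Dict[str, Filter]:
    """Per-layer chains that drop what is unacceptable and return the rest
    to the caller for further checks on the same packet."""
    mac_check = Filter("mac-check", [
        Rule("return", lambda p: p["mac"] in ALLOWED_MACS),
        Rule("drop", lambda p: True),
    ])
    ip_check = Filter("ip-check", [
        # "continue": the match is recorded but the packet is still checked further.
        Rule("continue", lambda p: str(p["ip"]).startswith("10.")),
        Rule("return", lambda p: p["ip"] in ALLOWED_IPS),
        Rule("drop", lambda p: True),
    ])
    vm_ingress = Filter("vm-ingress", [
        FilterRef("mac-check"),
        FilterRef("ip-check"),
        Rule("accept", lambda p: p["proto"] == "tcp" and p["dport"] == 22),
        Rule("reject", lambda p: p["proto"] == "tcp"),
        Rule("drop", lambda p: True),
    ])
    return {f.name: f for f in (mac_check, ip_check, vm_ingress)}


if __name__ == "__main__":
    fs = build_filters()
    pkt = {"mac": "52:54:00:12:34:56", "ip": "10.0.0.5", "proto": "tcp", "dport": 22}
    print(verdict(fs, "vm-ingress", pkt))
```

The trace returned alongside the verdict shows the point David makes: with only a single terminal chain, return never does anything that accept or drop would not, but once a MAC check and an IP check live in their own filters, "drop or return" in each of them lets the same packet pass through several checks before the referencing filter decides.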