[libvirt] [PATCH] nwfilter: add XML attribute to control match target

This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the match target or not. A rule may now look like as follows with the nomatch attribute either having value '1' or 'true' (case-insensitive). [...] <rule action='accept' direction='in' nomatch='true'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> [...] I am also extending the nwfilter schema and add this attribute to a test case.
Signed-off-by: Stefan Berger
---
docs/schemas/nwfilter.rng | 10 ++++++++++
src/conf/nwfilter_conf.c | 9 +++++++++
src/conf/nwfilter_conf.h | 5 +++++
src/nwfilter/nwfilter_ebiptables_driver.c | 3 +++
tests/nwfilterxml2xmlin/tcp-test.xml | 4 ++--
tests/nwfilterxml2xmlout/tcp-test.xml | 4 ++--
6 files changed, 31 insertions(+), 4 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1498,6 +1498,9 @@ iptablesCreateRuleInstance(virNWFilterDe
 needState = 0;
 }
+ if ((rule->flags & RULE_FLAG_NO_MATCH))
+ needState = 0;
+
 chainPrefix[0] = 'F';
 maySkipICMP = directionIn || inout;
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -1580,6 +1580,7 @@ virNWFilterRuleParse(xmlNodePtr node)
 char *action;
 char *direction;
 char *prio;
+ char *nomatch;
 int found;
 int found_i = 0;
 unsigned int priority;
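Review bot: The new condition in iptablesCreateRuleInstance is wrapped in a redundant pair of parentheses and gives no hint why the flag forces needState to 0; `if (rule->flags & RULE_FLAG_NO_MATCH)` reads cleaner, and a one-line comment above it tying the flag to what needState controls (presumably whether a state match is emitted into the generated rule — worth confirming) would spare the next reader a trip to the parser. Only this one spot in the driver consults the flag; whether other places in the file make the same needState decision cannot be seen from the hunk. The enclosing function starts and ends outside the hunk.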
@@ -1595,6 +1596,7 @@ virNWFilterRuleParse(xmlNodePtr node)
 action = virXMLPropString(node, "action");
 direction = virXMLPropString(node, "direction");
 prio = virXMLPropString(node, "priority");
+ nomatch = virXMLPropString(node, "nomatch");
 if (!action) {
 virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1633,6 +1635,9 @@ virNWFilterRuleParse(xmlNodePtr node)
 }
 }
+ if (nomatch && (STREQ(nomatch, "1") || STRCASEEQ(nomatch, "true")))
+ ret->flags |= RULE_FLAG_NO_MATCH;
+
 cur = node->children;
 found = 0;
@@ -1677,6 +1682,7 @@ cleanup:
 VIR_FREE(prio);
 VIR_FREE(action);
 VIR_FREE(direction);
+ VIR_FREE(nomatch);
 return ret;
@@ -2532,6 +2538,9 @@ virNWFilterRuleDefFormat(virNWFilterRule
 virNWFilterRuleDirectionTypeToString(def->tt),
 def->priority);
+ if ((def->flags * RULE_FLAG_NO_MATCH))
+ virBufferAddLit(&buf, " nomatch='1'");
+
 i = 0;
 while (virAttr[i].id) {
 if (virAttr[i].prtclType == def->prtclType) {
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -345,11 +345,16 @@ enum virNWFilterEbtablesTableType {
 # define MAX_RULE_PRIORITY 1000
+enum virNWFilterRuleFlags {
+ RULE_FLAG_NO_MATCH = (1 << 0),
+};
+
 typedef struct _virNWFilterRuleDef virNWFilterRuleDef;
 typedef virNWFilterRuleDef *virNWFilterRuleDefPtr;
 struct _virNWFilterRuleDef {
 unsigned int priority;
+ enum virNWFilterRuleFlags flags;
 int action; /*enum virNWFilterRuleActionType*/
 int tt; /*enum virNWFilterRuleDirectionType*/
 enum virNWFilterRuleProtocolType prtclType;
Index: libvirt-acl/docs/schemas/nwfilter.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
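Review bot: In the nomatch handling of virNWFilterRuleParse, any value other than `1` or a case variant of `true` is silently ignored, so `nomatch='yes'` or `nomatch='0'` both leave the flag clear without a diagnostic, and neither the parser nor the nwfilter.rng pattern offers an explicit `false`/`0` spelling. A firewall rule definition should fail loudly rather than quietly turn into a different rule on a typo; an `else if (nomatch)` branch that reports through virNWFilterReportError with VIR_ERR_INTERNAL_ERROR and jumps to the function's error path would close that gap (the error label is outside the hunk, so pick the one the surrounding code uses). The enclosing function starts and ends outside the hunk.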
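Review bot: The formatter test in virNWFilterRuleDefFormat uses multiplication instead of a bitwise AND: `if ((def->flags * RULE_FLAG_NO_MATCH))` only behaves because RULE_FLAG_NO_MATCH is 1, and as soon as a second flag is added to virNWFilterRuleFlags every rule carrying any flag would be written out as `nomatch='1'`, silently changing the rule on the next parse. It should read `if (def->flags & RULE_FLAG_NO_MATCH)`, matching the test in nwfilter_ebiptables_driver.c. The round-trip fixtures under tests/nwfilterxml2xmlout cannot catch this while only one flag exists. The enclosing function starts and ends outside the hunk.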
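Review bot: Declaring the new field as `enum virNWFilterRuleFlags flags` while the parser builds it with `ret->flags |= RULE_FLAG_NO_MATCH` uses an enum type as a bitmask, which C tolerates but leaves the field's valid contents undocumented and reads oddly next to a `(1 << 0)` initializer that is clearly meant for ORing. Carrying the bits as `unsigned int flags; /* bitwise OR of virNWFilterRuleFlags */` and adding a short comment on the enum saying its values combine by OR would make the intent explicit; if the enum type is kept, the comment alone still helps. The struct _virNWFilterRuleDef continues outside the hunk.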
@@ -299,6 +299,11 @@ <ref name='priority-type'/> </attribute> </optional> + <optional> + <attribute name="nomatch"> + <ref name='nomatch-type'/> + </attribute> + </optional> </define> <define name="match-attribute"> @@ -816,4 +821,9 @@ <param name="maxInclusive">1000</param> </data> </define> + <define name='nomatch-type'> + <data type="string"> + <param name="pattern">([Tt][Rr][Uu][Ee]|1)</param> + </data> + </define> </grammar> Index: libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml =================================================================== --- libvirt-acl.orig/tests/nwfilterxml2xmlin/tcp-test.xml +++ libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml @@ -5,14 +5,14 @@ dstipaddr='10.1.2.3' dstipmask='255.255.255.255' dscp='2'/> </rule> - <rule action='accept' direction='in'> + <rule action='accept' direction='in' nomatch='true'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> - <rule action='accept' direction='in'> + <rule action='accept' direction='in' nomatch='1'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' Index: libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml =================================================================== --- libvirt-acl.orig/tests/nwfilterxml2xmlout/tcp-test.xml +++ libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml 
@@ -3,10 +3,10 @@ <rule action='accept' direction='out' priority='500'> <tcp srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2'/> </rule> - <rule action='accept' direction='in' priority='500'> + <rule action='accept' direction='in' priority='500' nomatch='1'> <tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> - <rule action='accept' direction='in' priority='500'> + <rule action='accept' direction='in' priority='500' nomatch='1'> <tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' srcportstart='255' srcportend='256' dstportstart='65535'/> </rule> </filter>

On Fri, Jun 11, 2010 at 10:41:50AM -0400, Stefan Berger wrote:
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the match target or not. A rule may now look like as follows with the nomatch attribute either having value '1' or 'true' (case-insensitive).
[...] <rule action='accept' direction='in' nomatch='true'>
Having inverted boolean flags is a little weird. Can't this be written as match=false instead?
<tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> [...]
I am also extending the nwfilter schema and add this attribute to a test case.
I'm not sure I really understand what this is doing. Can you give a quick example of what the iptables command looks like, with and without the nomatch attribute set Regards, Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|