[libvirt] [PATCH] nwfilter: fix typing error in filter

Fix a typing error in the no-ip-spoofing filter. Return DHCP request packets passing through this filter. Have the user use another filter to actually allow DHCP requests to be sent (action='accept'). --- examples/xml/nwfilter/no-ip-spoofing.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/no-ip-spoofing.xml +++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml @@ -1,7 +1,7 @@ <filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'> - <!-- allow DHCP requests --> - <rule action='accept' direction='out' priority='100'> - <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' srcportend='68'/> + <!-- allow DHCP requests sent from 0.0.0.0 --> + <rule action='return' direction='out' priority='100'> + <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' dstportstart='67'/> </rule> <!-- allow all known IP addresses -->
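Review bot: the subject line "fix typing error" undersells what the hunk does: besides replacing srcportend='68' with dstportstart='67' (which narrows the match to DHCP client-to-server traffic, client port 68 to server port 67), the rule's action changes from 'accept' to 'return', so this filter on its own no longer lets DHCP requests out and a referencing filter must accept them, as the description says. Suggest stating that behavioural change in the subject, and spelling out why the missing destination port mattered: the old rule, with only srcportstart='68' srcportend='68', accepted any outbound UDP packet from 0.0.0.0 with source port 68 regardless of destination port. Minor: the new comment "allow DHCP requests sent from 0.0.0.0" still says "allow" although the rule now returns rather than accepts; "return DHCP requests sent from 0.0.0.0 to the calling filter" would match the action.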

On 01/11/2012 12:42 PM, Stefan Berger wrote:
Fix a typing error in the no-ip-spoofing filter. Return DHCP request packets passing through this filter. Have the user use another filter to actually allow DHCP requests to be sent (action='accept').
--- examples/xml/nwfilter/no-ip-spoofing.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/no-ip-spoofing.xml +++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml @@ -1,7 +1,7 @@ <filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'> - <!-- allow DHCP requests --> - <rule action='accept' direction='out' priority='100'> - <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' srcportend='68'/> + <!-- allow DHCP requests sent from 0.0.0.0 --> + <rule action='return' direction='out' priority='100'>
I see how the action='accept' vs. action='return' makes a difference here, if the user has other rules after calling this filter that they still want to use.
+ <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' dstportstart='67'/>
but I'm a bit lost as to why srcportend='68' needs to be changed to dstportstart='67'. Assuming you can explain this change, then ACK. Meanwhile, this file under examples/ differs from the text in formatnwfilter.html.in which also defines a filter named no-ip-spoofing; is that a discrepancy where the docs should be updated to accurately describe what is our best state-of-the-art in the examples, or is it something where we should just mention in the docs that the docs are shorter versions for discussion, and to see examples/ for a more complete version? But fixing that can be a separate patch.

--
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On 01/11/2012 02:57 PM, Eric Blake wrote:
On 01/11/2012 12:42 PM, Stefan Berger wrote:
Fix a typing error in the no-ip-spoofing filter. Return DHCP request packets passing through this filter. Have the user use another filter to actually allow DHCP requests to be sent (action='accept').
--- examples/xml/nwfilter/no-ip-spoofing.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/no-ip-spoofing.xml +++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml @@ -1,7 +1,7 @@ <filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'> -<!-- allow DHCP requests --> -<rule action='accept' direction='out' priority='100'> -<ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' srcportend='68'/> +<!-- allow DHCP requests sent from 0.0.0.0 --> +<rule action='return' direction='out' priority='100'> I see how the action='accept' vs. action='return' makes a difference here, if the user has other rules after calling this filter that they still want to use.
Right, that's the intention.
+<ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' dstportstart='67'/> but I'm a bit lost as to why srcportend='68' needs to be changed to dstportstart='67'. Assuming you can explain this change, then
DHCP requests are sent from port 68 on the client to port 67 on the server.
ACK.
Will push later today but will need to update TCK as well.
Meanwhile, this file under examples/ differs from the text in formatnwfilter.html.in which also defines a filter named no-ip-spoofing; is that a discrepancy where the docs should be updated to accurately describe what is our best state-of-the-art in the examples, or is it something where we should just mention in the docs that the docs are shorter versions for discussion, and to see examples/ for a more complete version. But fixing that can be a separate patch.
I'll look into that...

Stefan
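As an added illustration (not code from the patch, from libvirt or from either poster), a small Python model of the rule before and after the change, run against two constructed outbound packets: a real DHCP request (68 to 67) and a UDP packet from 0.0.0.0 with source port 68 aimed at port 53. The port-matching and 'accept'/'return' semantics are simplified assumptions, labelled in the code, not libvirt's filtering engine.

```python
import xml.etree.ElementTree as ET

# The two versions of the rule from the patch (quoted verbatim).
OLD_RULE = ("<rule action='accept' direction='out' priority='100'>"
            "<ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' srcportend='68'/>"
            "</rule>")
NEW_RULE = ("<rule action='return' direction='out' priority='100'>"
            "<ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' dstportstart='67'/>"
            "</rule>")

# Constructed sample packets (outbound UDP, the direction the rule covers).
DHCP_DISCOVER = {"src": "0.0.0.0", "proto": "udp", "sport": 68, "dport": 67}
SPOOFED_DNS = {"src": "0.0.0.0", "proto": "udp", "sport": 68, "dport": 53}

def port_matches(ip, prefix, port):
    # Assumption: *portstart alone matches that single port; *portend extends
    # it to a range; an absent attribute places no constraint on the port.
    start = ip.get(prefix + "portstart")
    if start is None:
        return True
    return int(start) <= port <= int(ip.get(prefix + "portend", start))

def rule_matches(rule, pkt):
    ip = rule.find("ip")
    return (ip.get("srcipaddr", pkt["src"]) == pkt["src"]
            and ip.get("protocol", pkt["proto"]) == pkt["proto"]
            and port_matches(ip, "src", pkt["sport"])
            and port_matches(ip, "dst", pkt["dport"]))

def evaluate(rule_xml, pkt, caller_verdict="drop"):
    """Simplified model (an assumption, not libvirt's engine): 'accept' and
    'drop' are final; 'return' hands the packet back to the filter that
    referenced no-ip-spoofing, whose decision is caller_verdict; a packet
    matching no rule is treated as dropped by the rest of the anti-spoofing
    filter."""
    rule = ET.fromstring(rule_xml)
    if not rule_matches(rule, pkt):
        return "drop"
    action = rule.get("action")
    return caller_verdict if action == "return" else action

if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("new", NEW_RULE)):
        for pname, pkt in (("dhcp", DHCP_DISCOVER), ("spoofed dns", SPOOFED_DNS)):
            print(name, pname, evaluate(rule, pkt, caller_verdict="accept"))
```

The old rule accepts both packets, since it never looks at the destination port; the new rule matches only the 68-to-67 request and leaves the final verdict to the filter that referenced it, so the caller must accept DHCP explicitly.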