1:02 p.m.
This patch adds an optional XML attribute to a nwfilter rule to give the
user control over whether the rule is supposed to be using the state
match or not. A rule may now look like shown in the XML below with the
statematch attribute either having value '0' or 'false'
(case-insensitive).
[...]
<rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
[...]
I am also extending the nwfilter schema and add this attribute to a test
case.
V2:
- Following D. Berrange's suggestion I inverted the logic from
'nomatch' XML attribute to statematch attribute
Signed-off-by: Stefan Berger
---
docs/schemas/nwfilter.rng | 10 ++++++++++
src/conf/nwfilter_conf.c | 10 ++++++++++
src/conf/nwfilter_conf.h | 5 +++++
src/nwfilter/nwfilter_ebiptables_driver.c | 3 +++
tests/nwfilterxml2xmlin/tcp-test.xml | 4 ++--
tests/nwfilterxml2xmlout/tcp-test.xml | 4 ++--
6 files changed, 32 insertions(+), 4 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1498,6 +1498,9 @@ iptablesCreateRuleInstance(virNWFilterDe
needState = 0;
}
+ if ((rule->flags & RULE_FLAG_NO_STATEMATCH))
+ needState = 0;
+
chainPrefix[0] = 'F';
maySkipICMP = directionIn || inout;
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -1580,6 +1580,7 @@ virNWFilterRuleParse(xmlNodePtr node)
char *action;
char *direction;
char *prio;
+ char *statematch;
int found;
int found_i = 0;
unsigned int priority;
@@ -1595,6 +1596,7 @@ virNWFilterRuleParse(xmlNodePtr node)
action = virXMLPropString(node, "action");
direction = virXMLPropString(node, "direction");
prio = virXMLPropString(node, "priority");
+ statematch= virXMLPropString(node, "statematch");
if (!action) {
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1633,6 +1635,10 @@ virNWFilterRuleParse(xmlNodePtr node)
}
}
+ if (statematch &&
+ (STREQ(statematch, "0") || STRCASEEQ(statematch, "false")))
+ ret->flags |= RULE_FLAG_NO_STATEMATCH;
+
cur = node->children;
found = 0;
@@ -1677,6 +1683,7 @@ cleanup:
VIR_FREE(prio);
VIR_FREE(action);
VIR_FREE(direction);
+ VIR_FREE(statematch);
return ret;
@@ -2532,6 +2539,9 @@ virNWFilterRuleDefFormat(virNWFilterRule
virNWFilterRuleDirectionTypeToString(def->tt),
def->priority);
+ if ((def->flags & RULE_FLAG_NO_STATEMATCH))
+ virBufferAddLit(&buf, " statematch='false'");
+
i = 0;
while (virAttr[i].id) {
if (virAttr[i].prtclType == def->prtclType) {
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -345,11 +345,16 @@ enum virNWFilterEbtablesTableType {
# define MAX_RULE_PRIORITY 1000
+enum virNWFilterRuleFlags {
+ RULE_FLAG_NO_STATEMATCH = (1 << 0),
+};
+
typedef struct _virNWFilterRuleDef virNWFilterRuleDef;
typedef virNWFilterRuleDef *virNWFilterRuleDefPtr;
struct _virNWFilterRuleDef {
unsigned int priority;
+ enum virNWFilterRuleFlags flags;
int action; /*enum virNWFilterRuleActionType*/
int tt; /*enum virNWFilterRuleDirectionType*/
enum virNWFilterRuleProtocolType prtclType;
Index: libvirt-acl/docs/schemas/nwfilter.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -299,6 +299,11 @@
<ref name='priority-type'/>
</attribute>
</optional>
+ <optional>
+ <attribute name="statematch">
+ <ref name='statematch-type'/>
+ </attribute>
+ </optional>
</define>
<define name="match-attribute">
@@ -816,4 +821,9 @@
<param name="maxInclusive">1000</param>
</data>
</define>
+ <define name='statematch-type'>
+ <data type="string">
+ <param name="pattern">([Ff][Aa][Ll][Ss][Ee]|0)</param>
+ </data>
+ </define>
</grammar>
Index: libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmlin/tcp-test.xml
+++ libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml
@@ -5,14 +5,14 @@
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2'/>
</rule>
- <rule action='accept' direction='in'>
+ <rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
- <rule action='accept' direction='in'>
+ <rule action='accept' direction='in' statematch='0'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='63'
Index: libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmlout/tcp-test.xml
+++ libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml
@@ -3,10 +3,10 @@
<rule action='accept' direction='out' priority='500'>
<tcp srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3'
dstipmask='32'
dscp='2'/>
</rule>
- <rule action='accept' direction='in' priority='500'>
+ <rule action='accept' direction='in' priority='500'
statematch='false'>
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3'
srcipmask='32'
dscp='33' srcportstart='20' srcportend='21'
dstportstart='100'
dstportend='1111'/>
</rule>
- <rule action='accept' direction='in' priority='500'>
+ <rule action='accept' direction='in' priority='500'
statematch='false'>
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3'
srcipmask='32'
dscp='63' srcportstart='255' srcportend='256'
dstportstart='65535'/>
</rule>
</filter>
12:26 p.m.
On Fri, Jun 11, 2010 at 02:02:11PM -0400, Stefan Berger wrote:
This patch adds an optional XML attribute to a nwfilter rule to give the
user control over whether the rule is supposed to be using the state
match or not. A rule may now look like shown in the XML below with the
statematch attribute either having value '0' or 'false'
(case-insensitive).
[...]
<rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
[...]
I am also extending the nwfilter schema and add this attribute to a test
case.
V2:
- Following D. Berrange's suggestion I inverted the logic from
'nomatch' XML attribute to statematch attribute
ACK
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
1:17 p.m.
On 06/17/2010 01:26 PM, Daniel P. Berrange wrote:
On Fri, Jun 11, 2010 at 02:02:11PM -0400, Stefan Berger wrote:
> This patch adds an optional XML attribute to a nwfilter rule to give the
> user control over whether the rule is supposed to be using the state
> match or not. A rule may now look like shown in the XML below with the
> statematch attribute either having value '0' or 'false'
(case-insensitive).
>
> [...]
> <rule action='accept' direction='in'
statematch='false'>
> <tcp srcmacaddr='1:2:3:4:5:6'
> srcipaddr='10.1.2.3' srcipmask='32'
> dscp='33'
> srcportstart='20' srcportend='21'
> dstportstart='100' dstportend='1111'/>
> </rule>
> [...]
>
> I am also extending the nwfilter schema and add this attribute to a test
> case.
>
> V2:
> - Following D. Berrange's suggestion I inverted the logic from
> 'nomatch' XML attribute to statematch attribute
>
ACK
Pushed.
Stefan
1:23 p.m.
On 06/11/2010 12:02 PM, Stefan Berger wrote:
This patch adds an optional XML attribute to a nwfilter rule to give the
user control over whether the rule is supposed to be using the state
match or not. A rule may now look like shown in the XML below with the
statematch attribute either having value '0' or 'false'
(case-insensitive).
[...]
<rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
[...]
I am also extending the nwfilter schema and add this attribute to a test
case.
V2:
- Following D. Berrange's suggestion I inverted the logic from
'nomatch' XML attribute to statematch attribute
Signed-off-by: Stefan Berger
---
docs/schemas/nwfilter.rng | 10 ++++++++++
Sorry for not noticing sooner, now that you have pushed, but:
Can you also write a patch for docs/formatnwfilter.html.in, to cover
this addition in the documentation?
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
1:57 p.m.
On 06/17/2010 02:23 PM, Eric Blake wrote:
On 06/11/2010 12:02 PM, Stefan Berger wrote:
> This patch adds an optional XML attribute to a nwfilter rule to give the
> user control over whether the rule is supposed to be using the state
> match or not. A rule may now look like shown in the XML below with the
> statematch attribute either having value '0' or 'false'
(case-insensitive).
>
> [...]
> <rule action='accept' direction='in'
statematch='false'>
> <tcp srcmacaddr='1:2:3:4:5:6'
> srcipaddr='10.1.2.3' srcipmask='32'
> dscp='33'
> srcportstart='20' srcportend='21'
> dstportstart='100' dstportend='1111'/>
> </rule>
> [...]
>
> I am also extending the nwfilter schema and add this attribute to a test
> case.
>
> V2:
> - Following D. Berrange's suggestion I inverted the logic from
> 'nomatch' XML attribute to statematch attribute
>
> Signed-off-by: Stefan Berger
>
> ---
> docs/schemas/nwfilter.rng | 10 ++++++++++
>
Sorry for not noticing sooner, now that you have pushed, but:
Can you also write a patch for docs/formatnwfilter.html.in, to cover
this addition in the documentation?
Yes, I'll write a patch for the documentation also.
Stefan
5273
days inactive
5279
days old
4 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Eric Blake -
Stefan Berger