[libvirt] [PATCH v2] nwfilter: add XML attribute to control match target
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive). [...] <rule action='accept' direction='in' statematch='false'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> [...] I am also extending the nwfilter schema and add this attribute to a test case. V2: - Following D. Berrange's suggestion I inverted the logic from 'nomatch' XML attribute to statematch attribute Signed-off-by: Stefan Berger --- docs/schemas/nwfilter.rng | 10 ++++++++++ src/conf/nwfilter_conf.c | 10 ++++++++++ src/conf/nwfilter_conf.h | 5 +++++ src/nwfilter/nwfilter_ebiptables_driver.c | 3 +++ tests/nwfilterxml2xmlin/tcp-test.xml | 4 ++-- tests/nwfilterxml2xmlout/tcp-test.xml | 4 ++-- 6 files changed, 32 insertions(+), 4 deletions(-) Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1498,6 +1498,9 @@ iptablesCreateRuleInstance(virNWFilterDe needState = 0; } + if ((rule->flags & RULE_FLAG_NO_STATEMATCH)) + needState = 0; + chainPrefix[0] = 'F'; maySkipICMP = directionIn || inout; Index: libvirt-acl/src/conf/nwfilter_conf.c =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.c +++ libvirt-acl/src/conf/nwfilter_conf.c @@ -1580,6 +1580,7 @@ virNWFilterRuleParse(xmlNodePtr node) char *action; char *direction; char *prio; + char *statematch; int found; int found_i = 0; unsigned int priority; @@ -1595,6 +1596,7 @@ virNWFilterRuleParse(xmlNodePtr node) action = virXMLPropString(node, "action"); direction = virXMLPropString(node, "direction"); prio = virXMLPropString(node, "priority"); + statematch= virXMLPropString(node, "statematch"); if (!action) { virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, @@ -1633,6 +1635,10 @@ virNWFilterRuleParse(xmlNodePtr node) } } + if (statematch && + (STREQ(statematch, "0") || STRCASEEQ(statematch, "false"))) + ret->flags |= RULE_FLAG_NO_STATEMATCH; + cur = node->children; found = 0; @@ -1677,6 +1683,7 @@ cleanup: VIR_FREE(prio); VIR_FREE(action); VIR_FREE(direction); + VIR_FREE(statematch); return ret; @@ -2532,6 +2539,9 @@ virNWFilterRuleDefFormat(virNWFilterRule virNWFilterRuleDirectionTypeToString(def->tt), def->priority); + if ((def->flags & RULE_FLAG_NO_STATEMATCH)) + virBufferAddLit(&buf, " statematch='false'"); + i = 0; while (virAttr[i].id) { if (virAttr[i].prtclType == def->prtclType) { Index: libvirt-acl/src/conf/nwfilter_conf.h =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.h +++ libvirt-acl/src/conf/nwfilter_conf.h @@ -345,11 +345,16 @@ enum virNWFilterEbtablesTableType { # define MAX_RULE_PRIORITY 1000 +enum virNWFilterRuleFlags { + RULE_FLAG_NO_STATEMATCH = (1 << 0), +}; + typedef struct _virNWFilterRuleDef virNWFilterRuleDef; typedef virNWFilterRuleDef *virNWFilterRuleDefPtr; struct _virNWFilterRuleDef { unsigned int priority; + enum virNWFilterRuleFlags flags; int action; /*enum virNWFilterRuleActionType*/ int tt; /*enum virNWFilterRuleDirectionType*/ enum virNWFilterRuleProtocolType prtclType; Index: libvirt-acl/docs/schemas/nwfilter.rng =================================================================== --- libvirt-acl.orig/docs/schemas/nwfilter.rng +++ libvirt-acl/docs/schemas/nwfilter.rng @@ -299,6 +299,11 @@ <ref name='priority-type'/> </attribute> </optional> + <optional> + <attribute name="statematch"> + <ref name='statematch-type'/> + </attribute> + </optional> </define> <define name="match-attribute"> @@ -816,4 +821,9 @@ <param name="maxInclusive">1000</param> </data> </define> + <define name='statematch-type'> + <data type="string"> + <param name="pattern">([Ff][Aa][Ll][Ss][Ee]|0)</param> + </data> + </define> </grammar> Index: libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml =================================================================== --- libvirt-acl.orig/tests/nwfilterxml2xmlin/tcp-test.xml +++ libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml @@ -5,14 +5,14 @@ dstipaddr='10.1.2.3' dstipmask='255.255.255.255' dscp='2'/> </rule> - <rule action='accept' direction='in'> + <rule action='accept' direction='in' statematch='false'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> - <rule action='accept' direction='in'> + <rule action='accept' direction='in' statematch='0'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' Index: libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml =================================================================== --- libvirt-acl.orig/tests/nwfilterxml2xmlout/tcp-test.xml +++ libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml @@ -3,10 +3,10 @@ <rule action='accept' direction='out' priority='500'> <tcp srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2'/> </rule> - <rule action='accept' direction='in' priority='500'> + <rule action='accept' direction='in' priority='500' statematch='false'> <tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> - <rule action='accept' direction='in' priority='500'> + <rule action='accept' direction='in' priority='500' statematch='false'> <tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' srcportstart='255' srcportend='256' dstportstart='65535'/> </rule> </filter>
On Fri, Jun 11, 2010 at 02:02:11PM -0400, Stefan Berger wrote:
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive).
[...] <rule action='accept' direction='in' statematch='false'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> [...]
I am also extending the nwfilter schema and add this attribute to a test case.
V2: - Following D. Berrange's suggestion I inverted the logic from 'nomatch' XML attribute to statematch attribute
ACK Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
On 06/17/2010 01:26 PM, Daniel P. Berrange wrote:
On Fri, Jun 11, 2010 at 02:02:11PM -0400, Stefan Berger wrote:
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive).
[...] <rule action='accept' direction='in' statematch='false'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> [...]
I am also extending the nwfilter schema and add this attribute to a test case.
V2: - Following D. Berrange's suggestion I inverted the logic from 'nomatch' XML attribute to statematch attribute
ACK
Pushed. Stefan
On 06/11/2010 12:02 PM, Stefan Berger wrote:
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive).
[...] <rule action='accept' direction='in' statematch='false'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> [...]
I am also extending the nwfilter schema and add this attribute to a test case.
V2: - Following D. Berrange's suggestion I inverted the logic from 'nomatch' XML attribute to statematch attribute
Signed-off-by: Stefan Berger
--- docs/schemas/nwfilter.rng | 10 ++++++++++
Sorry for not noticing sooner, now that you have pushed, but: Can you also write a patch for docs/formatnwfilter.html.in, to cover this addition in the documentation? -- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org
On 06/17/2010 02:23 PM, Eric Blake wrote:
On 06/11/2010 12:02 PM, Stefan Berger wrote:
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive).
[...] <rule action='accept' direction='in' statematch='false'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> [...]
I am also extending the nwfilter schema and add this attribute to a test case.
V2: - Following D. Berrange's suggestion I inverted the logic from 'nomatch' XML attribute to statematch attribute
Signed-off-by: Stefan Berger
--- docs/schemas/nwfilter.rng | 10 ++++++++++
Sorry for not noticing sooner, now that you have pushed, but:
Can you also write a patch for docs/formatnwfilter.html.in, to cover this addition in the documentation?
Yes, I'll write a patch for the documentation also. Stefan
participants (3)
-
Daniel P. Berrange -
Eric Blake -
Stefan Berger