[libvirt] [patch 0/5] nwfilter: add a 'state' attribute to protocols

Stefan Berger stefanb at us.ibm.com
Sat Oct 2 00:28:49 UTC 2010


The following patch series introduces an attribute 'state' for iptables-
supported protocols. This gives the user more control over the 'state match'
of the underlying ip(6)tables implementation and allows creating filtering
rules that are more efficient to evaluate. TCK test cases will be posted later.

Each rule containing a state attribute with one of the values
NEW, ESTABLISHED, RELATED, INVALID or NONE gets one iptables rule created
for the direction of the rule. The keyword 'NONE' does the same, but doesn't
generate a rule with the 'state match'. If no state attribute is used,
a symmetric rule in the incoming and outgoing direction is generated (as
was done previously).

The patches do the following:
- extend the parser and XML generator to parse and create XML with the
  state attribute
- instantiate the state in case of ip(6)tables
- extend the nwfilter.rng schema with the state attribute's possible values
- add information about the new state attribute to the web docs
- add a test case for the XML parser/generator to be run during 'make check'

I valgrind'ed this patch and it looks like all memory is freed appropriately.

  Regards,
    Stefan
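Added example (not part of the mail or of libvirt's code): a small Python model of the rule-generation behaviour the cover letter describes, so the three cases can be compared side by side. It parses nwfilter-style `<rule>` elements and emits one iptables rule with `-m state --state X` when a `state` attribute is present, one rule without the state match for `state='NONE'`, and a symmetric incoming/outgoing pair when the attribute is absent. The chain names `IN`/`OUT`, the handling of only `in`/`out` directions, and the exact rule layout are assumptions of this model, not libvirt's real output; the sample filter XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# The 'state' values listed in the cover letter.
VALID_STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID", "NONE")

# Placeholder chain names for this model; libvirt's real per-interface
# chain layout is not reproduced here (assumption).
CHAIN = {"in": "IN", "out": "OUT"}
OPPOSITE = {"in": "out", "out": "in"}

# Constructed sample filter using the nwfilter 'state' attribute.
SAMPLE_FILTER = """
<filter name='state-demo' chain='root'>
  <rule action='accept' direction='in'><tcp dstportstart='22' state='NEW'/></rule>
  <rule action='accept' direction='out'><tcp state='ESTABLISHED'/></rule>
  <rule action='accept' direction='out'><udp dstportstart='53' state='NONE'/></rule>
  <rule action='accept' direction='in'><icmp/></rule>
</filter>
"""


def _match(proto, port, reverse=False):
    """Protocol/port match; the mirrored (return-path) rule swaps dport for sport."""
    parts = ["-p", proto]
    if port is not None:
        parts += ["--sport" if reverse else "--dport", port]
    return parts


def rules_for(rule_el):
    """Return the iptables rule strings this model derives from one <rule> element."""
    direction = rule_el.get("direction")
    if direction not in CHAIN:
        raise ValueError(f"unsupported direction {direction!r} (model handles in/out only)")
    target = rule_el.get("action", "accept").upper()
    rules = []
    for proto_el in rule_el:
        proto = proto_el.tag
        port = proto_el.get("dstportstart")
        state = proto_el.get("state")
        if state is None:
            # No state attribute: symmetric pair in both directions, as before the series.
            rules.append(" ".join(["-A", CHAIN[direction]] + _match(proto, port) + ["-j", target]))
            rules.append(" ".join(["-A", CHAIN[OPPOSITE[direction]]]
                                  + _match(proto, port, reverse=True) + ["-j", target]))
            continue
        if state not in VALID_STATES:
            raise ValueError(f"invalid state {state!r}; expected one of {VALID_STATES}")
        # State present: a single rule in the rule's own direction.
        parts = ["-A", CHAIN[direction]] + _match(proto, port)
        if state != "NONE":
            # NONE keeps the single-direction rule but drops the state match.
            parts += ["-m", "state", "--state", state]
        parts += ["-j", target]
        rules.append(" ".join(parts))
    return rules


def rules_from_filter_xml(xml_text):
    """Parse a <filter> document and return the modelled rules for all its <rule> children."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule_el in root.findall("rule"):
        rules.extend(rules_for(rule_el))
    return rules


if __name__ == "__main__":
    for line in rules_from_filter_xml(SAMPLE_FILTER):
        print(line)
```

Running it shows why the attribute matters for evaluation cost: the stateless `icmp` rule expands to two rules, whereas the `NEW`/`ESTABLISHED` rules each map to a single rule in one chain, and the `NONE` rule gives a single rule with no conntrack lookup at all.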
