[libvirt] [PATCH] [DOCS] nwfilter: Add 2nd example to the html docs

Stefan Berger stefanb at linux.vnet.ibm.com
Thu Oct 7 10:53:26 UTC 2010


On 10/06/2010 03:14 PM, Eric Blake wrote:
> On 10/06/2010 12:56 PM, Stefan Berger wrote:
>>
>> + <h3><a name="nwfwriteexample2nd">Second example custom filter</a></h3>
>> + <p>
>> + In this example we now want to build a similar filter as in the
>> + example above, but extend the list of requirements with an
>> + ftp server located inside the VM. Further, we will be using features
>> + that have been added in <span class="since">version 0.8.5</span>.
>> + The requirements for this filter shall be:
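Review bot: The opening sentence of the new paragraph, "build a similar filter as in the example above", is ungrammatical; suggest "build a filter similar to the one in the example above". The protocol name is written "ftp" here and in the following paragraphs; "FTP" would be the usual spelling in prose and should be used consistently across the section.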
>
> s/shall be/are/
>
>> + The 1st solution makes use of the <code>state</code> attribute of
>> + the TCP protocol that gives us a hook into the connection tracking
>> + framework of the Linux host. For the VM-initiated ftp data connection
>> + (ftp active mode) we use the <code>RELATED</code> state that allows
>> + us to detect that the VM-initated ftp data connection is a 
>> consequence of
>
> s/initated/initiated/
>
>> + ( or 'has a relationship with' ) an existing ftp control connection,
>> + thus we want to allow it to let packets
>> + pass the firewall. The <code>RELATED</code> state, however, is only
>> + valid for the very first packet of the outgoing TCP connection for the
>> + ftp data path. Afterwards, the state to compare against is
>> + <code>ESTABLISHED</code>, which then applies equally
>> + to the incoming and outgoing direction. All this is related to the ftp
>> + data traffic origination from TCP port 20 of the VM. This then 
>> leads to
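Review bot: The clause "thus we want to allow it to let packets pass the firewall" is circular and buries the point of the rule; suggest "so we allow its packets to pass the firewall". The parenthetical "( or 'has a relationship with' )" should drop the padding inside the parentheses. Because readers will write rules from this paragraph, it would also help to say outright that a rule matching only RELATED admits just that first packet of the data connection, and that ESTABLISHED has to be accepted as well for the transfer to proceed.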
>
> s/origination/originating/
>
>> + <p>
>> + Before trying out a filter using the <code>RELATED</code> state,
>> + you have to make sure that the approriate connection tracking module
>
> s/approriate/appropriate/
>
> Other than those nits, looks good to me.
>
I corrected the text and pushed it.

    Stefan
