[libvirt] [PATCH] nwfilter: enable rejection of packets

Stefan Berger stefanb at linux.vnet.ibm.com
Fri Feb 18 14:56:43 UTC 2011


This patch adds the possibility not only to drop packets but also to 
reject them, in which case iptables at least sends an ICMP message back to the 
originator. On ebtables this again maps to dropping packets, since 
rejecting is not supported.

I am adding 'since 0.8.9' to the docs assuming this will be the next 
version of libvirt.

Signed-off-by: Stefan Berger <stefanb at us.ibm.com>

---
  docs/formatnwfilter.html.in               |    8 +++++---
  docs/schemas/nwfilter.rng                 |    1 +
  src/conf/nwfilter_conf.c                  |    6 ++++--
  src/conf/nwfilter_conf.h                  |    1 +
  src/nwfilter/nwfilter_ebiptables_driver.c |   15 +++++++++++++--
  5 files changed, 24 insertions(+), 7 deletions(-)

Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -53,11 +53,13 @@

  VIR_ENUM_IMPL(virNWFilterRuleAction, VIR_NWFILTER_RULE_ACTION_LAST,
                "drop",
-              "accept");
+              "accept",
+              "reject");

  VIR_ENUM_IMPL(virNWFilterJumpTarget, VIR_NWFILTER_RULE_ACTION_LAST,
                "DROP",
-              "ACCEPT");
+              "ACCEPT",
+              "REJECT");

  VIR_ENUM_IMPL(virNWFilterRuleDirection, VIR_NWFILTER_RULE_DIRECTION_LAST,
                "in",
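Review bot: The new "reject" and "REJECT" entries are tied to `VIR_NWFILTER_RULE_ACTION_REJECT` purely by position in the two tables, and nothing in the hunk states that ordering constraint; if I recall VIR_ENUM_IMPL correctly its verify() only checks that the table length equals `VIR_NWFILTER_RULE_ACTION_LAST`, so a reordered entry would swap the drop and reject jump targets without a compile error. A one-line comment above each table, `/* order must match enum virNWFilterRuleActionType in nwfilter_conf.h */`, would make the coupling visible to whoever extends the action set next.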
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -291,6 +291,7 @@ struct _udpliteHdrFilterDef {
  enum virNWFilterRuleActionType {
      VIR_NWFILTER_RULE_ACTION_DROP = 0,
      VIR_NWFILTER_RULE_ACTION_ACCEPT,
+    VIR_NWFILTER_RULE_ACTION_REJECT,

      VIR_NWFILTER_RULE_ACTION_LAST,
  };
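Review bot: `VIR_NWFILTER_RULE_ACTION_REJECT` carries no hint that its effect depends on the backend, which this very patch shows: the iptables driver emits a REJECT target while the ebtables driver maps it back to DROP. A trailing comment on the new enumerator, `/* drop and notify the sender (iptables REJECT); ebtables has no equivalent and falls back to DROP */`, keeps that caveat next to the definition rather than only inside one driver.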
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1516,7 +1516,7 @@ _iptablesCreateRuleInstance(int directio
      if (rule->action == VIR_NWFILTER_RULE_ACTION_ACCEPT)
          target = accept_target;
      else {
-        target = "DROP";
+        target = virNWFilterJumpTargetTypeToString(rule->action);
          skipMatch = defMatch;
      }

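Review bot: The else branch used to fall back to the fixed literal `"DROP"` for every non-ACCEPT action, but now depends on `virNWFilterJumpTargetTypeToString(rule->action)`, which (as generated by VIR_ENUM_IMPL, if I recall correctly) returns NULL for a value outside the enum, and the hunk shows no NULL check before `target` is used later in `_iptablesCreateRuleInstance`, which continues outside the hunk. Since rule->action presumably only ever comes from the parser's FromString lookup this may be unreachable in practice, but an explicit guard such as `if (!target) { virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("unknown rule action")); return -1; }` keeps an unexpected action value from reaching the iptables command line with a missing target.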
@@ -1880,6 +1880,7 @@ ebtablesCreateRuleInstance(char chainPre
           number[20];
      char chain[MAX_CHAINNAME_LENGTH];
      virBuffer buf = VIR_BUFFER_INITIALIZER;
+    const char *target;

      if (!ebtables_cmd_path) {
          virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@@ -2295,10 +2296,20 @@ ebtablesCreateRuleInstance(char chainPre
          return -1;
      }

+    switch (rule->action) {
+    case VIR_NWFILTER_RULE_ACTION_REJECT:
+        /* REJECT not supported */
+        target = virNWFilterJumpTargetTypeToString(
+                                     VIR_NWFILTER_RULE_ACTION_DROP);
+    break;
+    default:
+        target = virNWFilterJumpTargetTypeToString(rule->action);
+    }
+
      virBufferVSprintf(&buf,
                        " -j %s" CMD_DEF_POST CMD_SEPARATOR
                        CMD_EXEC,
-                      virNWFilterJumpTargetTypeToString(rule->action));
+                      target);

      if (virBufferError(&buf)) {
          virBufferFreeAndReset(&buf);
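Review bot: The REJECT-to-DROP fallback in the new switch is silent: a rule author who asked for `reject` on an ebtables rule gets drop semantics with no log line, so the missing ICMP responses are hard to diagnose from the host. A VIR_DEBUG-style message in the REJECT case, or at least a fuller comment such as `/* ebtables has no REJECT target; degrade to DROP (the sender is not notified) */`, would make the degradation visible. Two style nits in the same block: the `break;` after the REJECT case is indented at the `case` label level rather than the statement level, and `default:` has no terminating `break;`; the `const char *target` declared in the earlier hunk at the top of the function could also be initialised to NULL so that no future early path reaches virBufferVSprintf with an indeterminate pointer. ebtablesCreateRuleInstance starts and ends outside this hunk.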
Index: libvirt-acl/docs/schemas/nwfilter.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -839,6 +839,7 @@
<choice>
<value>drop</value>
<value>accept</value>
+ <value>reject</value>
</choice>
</define>

Index: libvirt-acl/docs/formatnwfilter.html.in
===================================================================
--- libvirt-acl.orig/docs/formatnwfilter.html.in
+++ libvirt-acl/docs/formatnwfilter.html.in
@@ -260,9 +260,11 @@
</p>
<ul>
<li>
-        action -- mandatory; must either be <code>drop</code> or 
<code>accept</code> if
-        the evaluation of the filtering rule is supposed to drop or accept
-        a packet
+        action -- mandatory; must either be <code>drop</code>,
+ <code>reject</code><span class="since">(since 0.8.9)</span>,
+        or <code>accept</code> if
+        the evaluation of the filtering rule is supposed to drop,
+        reject (using ICMP message), or accept a packet
</li>
<li>
          direction -- mandatory; must either be <code>in</code>, 
<code>out</code> or



