[libvirt] Appending REJECT rules.

Eric Blake eblake at redhat.com
Wed Jun 22 22:01:29 UTC 2011


On 05/18/2011 03:10 PM, Stephen O'Dor wrote:
> Greetings folks,

Hello, and sorry for the delayed response.  Looks like this fell through
the cracks, because it wasn't in traditional 'git format-patch' style.

> 
> I've patched the libvirt iptables interface to append its REJECT
> rules rather than insert at the head. Idea being that I'm not the only
> person who usually puts the REJECTs at the end of a chain.
> 
> In my particular case any custom ACCEPT rules involving the bridge
> interfaces would get pushed below the rules that libvirt puts in to
> REJECT everything on the bridge interface.
> 
> I'm using the routed network mode, I have no idea if this hurts any
> other network mode.

Stefan is probably the best person to comment on whether this makes sense.

> 
> Thanks,
> 
> -Steve
> 
> 
> --- iptables.c  2011-02-28 23:03:32.000000000 -0800
> +++ iptables.c_new      2011-05-18 14:00:59.110855881 -0700
> @@ -51,7 +51,8 @@
> 
>  enum {
>      ADD = 0,
> -    REMOVE
> +    REMOVE,
> +    APPEND
>  };
> 
>  typedef struct
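Review bot: the enum now has two values that add a rule (ADD and APPEND, differing only in position) and one that deletes (REMOVE), so the name ADD no longer says which kind of add it is. Either rename ADD to INSERT or give each value a one-line comment stating the iptables option it maps to ("ADD = 0, /* --insert */", "REMOVE, /* --delete */", "APPEND /* --append */"), so that a caller passing APPEND versus ADD can be understood without reading the command builder.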
> @@ -111,7 +112,7 @@
>                          ? IP6TABLES_PATH : IPTABLES_PATH);
> 
>      virCommandAddArgList(cmd, "--table", rules->table,
> -                         action == ADD ? "--insert" : "--delete",
> +                         action == ADD ? "--insert" : action ==
> REMOVE ? "--delete" : "--append",
>                           rules->chain, arg, NULL);
> 
>      va_start(args, arg);
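Review bot: the new nested ternary changes the fallback behaviour of the command builder: before, any action other than ADD produced "--delete"; now any action other than ADD or REMOVE produces "--append", so a garbage action value silently adds a rule instead of deleting or failing. A switch on action with an explicit default that returns an error (or at minimum maps REMOVE to "--delete" and APPEND to "--append" with no catch-all) would be safer than "action == ADD ? "--insert" : action == REMOVE ? "--delete" : "--append"". Separately, the line has been wrapped by the mail client (the "REMOVE ? "--delete" : "--append"," continuation starts at column 0), so the patch will not apply as posted; resending with git format-patch/send-email avoids that, and the rewritten expression should be broken so it stays within 80 columns.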
> @@ -666,7 +667,7 @@
>                              int family,
>                              const char *iface)
>  {
> -    return iptablesForwardRejectOut(ctx, family, iface, ADD);
> +    return iptablesForwardRejectOut(ctx, family, iface, APPEND);
>  }
> 
>  /**
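Review bot: changing iptablesAddForwardRejectOut from ADD to APPEND moves the catch-all "--out-interface iface --jump REJECT" from the head of FORWARD to its tail, and that has a security consequence beyond the submitter's use case: inserted at the head, the REJECT was guaranteed to be evaluated before any rule libvirt did not create; appended, it now sits after them, so a host that already carries a blanket "-A FORWARD -j ACCEPT" (or gets one appended later by another firewall tool) never reaches libvirt's REJECT and the bridge isolation it provides is lost silently. The cover note says only routed mode was tested, but this wrapper is shared by every network mode, so the NAT and isolated cases need checking as well, and the wrapper's doc comment (not in the hunk context) should be updated to say the rule is appended. The matching remove wrapper is not in the diff either; "--delete" with a rule spec matches by content rather than position, so it should still find the appended rule, but that deserves a test.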
> @@ -722,7 +723,7 @@
>                             int family,
>                             const char *iface)
>  {
> -    return iptablesForwardRejectIn(ctx, family, iface, ADD);
> +    return iptablesForwardRejectIn(ctx, family, iface, APPEND);
>  }
> 
>  /**
> 
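Review bot: the same ordering concern applies to iptablesAddForwardRejectIn: an appended "--in-interface iface --jump REJECT" only isolates the bridge if nothing earlier in FORWARD already accepts traffic from it, and the doc comment should say append rather than add/insert. Since both public wrappers now hard-code APPEND and nothing passes ADD to the reject helpers any more, consider making the position a parameter (or a network driver option) instead of a silent global change of default, so the behaviour is visible to callers and can be chosen per network.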
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
> 

-- 
Eric Blake   eblake at redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
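The ordering problem Stephen describes, his own ACCEPT rules for the bridge ending up below the REJECT rules libvirt inserts at the head of FORWARD, can be checked on a running host from an iptables-save dump. The script below is an added example written for this page, not code from the patch or from libvirt: it reads the dump, finds interface-wide REJECT rules in FORWARD, and reports every later rule for the same interface and direction that can never match, because REJECT is a terminating target and iptables stops at the first rule that matches. The embedded dump, the interface names (virbr1, eth0), the subnet and the administrator's two rules are constructed for illustration and are assumptions, not output captured from a real host.

```sh
#!/bin/sh
# Added example for this thread; not part of the patch or of libvirt.
# Reports FORWARD rules that an earlier interface-wide REJECT for the same
# interface makes unreachable (REJECT is a terminating target, so iptables
# never evaluates the rules below it for packets on that interface).

# Constructed sample in iptables-save format (assumption, not real output).
# It models the situation in the thread: libvirt's per-bridge rules for
# virbr1 were inserted at the head of FORWARD, so the administrator's two
# ACCEPT rules at the end now sit below libvirt's catch-all REJECTs.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.122.0/24 -i virbr1 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o virbr1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i virbr1 -o eth0 -j ACCEPT
COMMIT'

# shadowed_rules: read an iptables-save dump on stdin and print one line per
# unreachable FORWARD rule as "<pos> shadowed by <rejpos>: <rule spec>".
# Positions are the 1-based rule numbers "iptables -L FORWARD --line-numbers"
# shows, so they can be used directly with -I / -D.
shadowed_rules() {
    awk '
    $1 == "-A" && $2 == "FORWARD" {
        pos++
        # An interface-only REJECT: "-i IF -j REJECT" or "-o IF -j REJECT",
        # optionally followed by "--reject-with TYPE". It matches every packet
        # on that interface, so remember the first one per direction/interface.
        if (($3 == "-i" || $3 == "-o") && $5 == "-j" && $6 == "REJECT" &&
            (NF == 6 || ($7 == "--reject-with" && NF == 8))) {
            key = $3 " " $4
            if (!(key in rej)) rej[key] = pos
            next
        }
        # Any later rule naming the same interface in the same direction is
        # dead. A negated match ("! -i IF") is not covered and is skipped.
        for (f = 3; f < NF; f++) {
            if (($f == "-i" || $f == "-o") && $(f - 1) != "!") {
                key = $f " " $(f + 1)
                if (key in rej) {
                    spec = $3
                    for (g = 4; g <= NF; g++) spec = spec " " $g
                    print pos " shadowed by " rej[key] ": " spec
                    break
                }
            }
        }
    }'
}

# count_shadowed: number of unreachable rules (0 means the ordering is sane).
count_shadowed() {
    shadowed_rules | awk 'END { print NR }'
}

# Check the constructed sample; on a real host use: iptables-save | shadowed_rules
printf '%s\n' "$SAMPLE_DUMP" | shadowed_rules
```

On the sample it reports rules 6 and 7 as shadowed by the REJECTs at positions 5 and 4. A reported rule can be moved ahead of the REJECT with "iptables -I FORWARD <rejpos> <spec>" and the old copy then deleted by its new position, which is the manual equivalent of what the patch achieves by appending the REJECT instead. Negated interface matches are deliberately not treated as covered, and the check says nothing about a blanket ACCEPT that precedes the REJECT, which is the opposite failure appending can introduce.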
