[libvirt] [PATCH 4/9] add DHCP snooping support to nwfilter
David Stevens
dlstevens at us.ibm.com
Wed May 11 22:05:03 UTC 2011
Stefan Berger/Watson/IBM wrote on 05/11/2011 12:32:41 PM:
>
> So now this command puts the default policy of every ebtables chain
> to end with an implicit drop. What if I had previously
> created a filter assuming an implicit accept, which is the current
> behavior? Now that filter wouldn't work correctly anymore
> since my packets all get droped. Is this change really necessary?
Well, all of the generated chains need this (to support
multiple address matching). This can, of course, be done by
adding a "-j DROP" at the end of every chain. But since it is
all of them, I thought changing the default and having fewer
rules made a lot more sense.
So, it isn't a requirement, but any modifications to these
chains will need to account for either a DROP policy explicitly
or a "-j DROP" at the end, if it's modifying an existing filter.
I don't see any way around custom filters needing to be
reviewed and adapted to any change in the examples set. Independent
filters can explicitly use "-j DROP" or "-j ACCEPT" and not rely
on the policy, but insertions in existing filters can't insert
after a "-j DROP" and still work, either. With the changed policy,
they can append rules and possibly still work without modification.
+-DLS
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20110511/efa8eb7d/attachment-0001.htm>
More information about the libvir-list
mailing list