[libvirt] [PATCH 4/9] add DHCP snooping support to nwfilter

David L Stevens dlstevens at us.ibm.com
Mon May 9 20:06:29 UTC 2011


This patch simplifies the table rules by setting the protocol chains policy to
be "DROP" and removes the explicit "-j DROP" entries that the protocol rules
had previously. It also makes "no-other-rarp-traffic.xml" obsolete.

Signed-off-by: David L Stevens <dlstevens at us.ibm.com>

diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
index 8ef9a71..60301c9 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -14,7 +14,6 @@ FILTERS = \
 	no-mac-broadcast.xml \
 	no-mac-spoofing.xml \
 	no-other-l2-traffic.xml \
-	no-other-rarp-traffic.xml \
 	qemu-announce-self.xml \
 	qemu-announce-self-rarp.xml
 
diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml b/examples/xml/nwfilter/no-arpip-spoofing.xml
index ee42d40..7ef6f0f 100644
--- a/examples/xml/nwfilter/no-arpip-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -7,6 +7,4 @@
    <rule action='return' direction='out' priority='410' >
        <arp match='yes' arpsrcipaddr='0.0.0.0' />
    </rule>
-   <!-- drop everything else -->
-   <rule action='drop' direction='out' priority='1000' />
 </filter>
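Review bot: With the `<!-- drop everything else -->` comment gone, nothing in this example says why a filter made only of `return` rules is still a spoofing guard; the drop now comes from the chain policy the driver sets, which a reader of the XML cannot see. Keep a one-line comment before `</filter>`, e.g. `<!-- frames not returned above are dropped by the chain's default policy -->`, so the file does not read as letting unmatched ARP fall through. The same applies to the no-arpmac-spoofing.xml, no-ip-spoofing.xml and no-mac-spoofing.xml hunks. It may also be worth noting in the docs that these examples now depend on a driver that sets that policy, since loaded on an older driver they would presumably stop dropping anything.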
diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml b/examples/xml/nwfilter/no-arpmac-spoofing.xml
index 90499d3..3834047 100644
--- a/examples/xml/nwfilter/no-arpmac-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -2,6 +2,4 @@
    <rule action='return' direction='out' priority='350' >
        <arp match='yes' arpsrcmacaddr='$MAC'/>
    </rule>
-   <!-- drop everything else -->
-   <rule action='drop' direction='out' priority='1000' />
 </filter>
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml
index 84e8a5e..2fccd12 100644
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -4,6 +4,4 @@
     <rule action='return' direction='out'>
         <ip match='yes' srcipaddr='$IP' />
     </rule>
-    <!-- drop any that don't match the source IP list -->
-    <rule action='drop' direction='out' />
 </filter>
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml b/examples/xml/nwfilter/no-mac-spoofing.xml
index aee56c7..e2e8c03 100644
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -4,6 +4,4 @@
    <rule action='return' direction='out' priority='350' >
        <mac match='yes' srcmacaddr='$MAC'/>
    </rule>
-   <!-- drop everything else -->
-   <rule action='drop' direction='out' priority='1000' />
 </filter>
diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml b/examples/xml/nwfilter/no-other-rarp-traffic.xml
deleted file mode 100644
index 7729996..0000000
--- a/examples/xml/nwfilter/no-other-rarp-traffic.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<filter name='no-other-rarp-traffic' chain='rarp'>
-    <rule action='drop' direction='inout' priority='1000'/>
-</filter>
diff --git a/examples/xml/nwfilter/qemu-announce-self.xml b/examples/xml/nwfilter/qemu-announce-self.xml
index 352db50..12957b5 100644
--- a/examples/xml/nwfilter/qemu-announce-self.xml
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -8,6 +8,5 @@
 
     <!-- accept if it was changed to rarp -->
     <filterref filter='qemu-announce-self-rarp'/>
-    <filterref filter='no-other-rarp-traffic'/>
 
 </filter>
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index fa6f719..dc0ad2e 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2783,7 +2783,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
         protostr[0] = '\0';
 
     virBufferVSprintf(buf,
-                      CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
+                      CMD_DEF("%s -t %s -N %s -P DROP") CMD_SEPARATOR
                       CMD_EXEC
                       "%s"
                       CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR
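Review bot: Adding `-P DROP` to the `-N` line changes the semantics of every protocol sub-chain, not only those fed by the shipped examples: a user filter whose rules neither accept nor return a frame previously fell back into the root chain (ebtables user chains default to a RETURN policy, as far as I recall) and now drops it, so a custom filter holding only targeted `drop` rules would drop all traffic of that protocol after this commit. That compatibility change deserves a sentence in the commit message and the nwfilter documentation, and a comment above the virBufferVSprintf call, e.g. `/* policy DROP: a frame no rule returns or accepts is dropped, so filters must return explicitly */`. ebtablesCreateTmpSubChain starts before the hunk, so I cannot see whether any caller depends on the old fall-through.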
@@ -3006,14 +3006,6 @@ ebtablesApplyBasicRules(const char *ifname,
     ebtablesCreateTmpRootChain(&buf, 1, ifname, 1);
 
     PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
-    virBufferVSprintf(&buf,
-                      CMD_DEF("%s -t %s -A %s -s ! %s -j DROP") CMD_SEPARATOR
-                      CMD_EXEC
-                      "%s",
-
-                      ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
-                      chain, macaddr_str,
-                      CMD_STOPONERR(1));
 
     virBufferVSprintf(&buf,
                       CMD_DEF("%s -t %s -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR
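Review bot: Removing the `-s ! %s -j DROP` rule takes the source-MAC check out of the basic root chain, and the `-p IPv4 -j ACCEPT` rule that follows still matches on protocol only, so a frame carrying a foreign source MAC is now accepted by the basic rules; the sub-chain DROP policy introduced in the earlier hunk does not apply to this ACCEPT in the root chain. Nothing in the hunk replaces the check (the ebtablesCreateTmpRootChain arguments are unchanged and the rest of ebtablesApplyBasicRules is outside the hunk), so either keep the rule or qualify the ACCEPT rules with `-s %s` passing `macaddr_str`. If `macaddr_str` has no other use in the function it also becomes an unused variable here, which the build may warn about.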





