[libvirt] [RFC PATCHv2 3/9] reverse sense of address matching
Daniel P. Berrange
berrange at redhat.com
Wed Oct 5 15:41:56 UTC 2011
On Wed, Oct 05, 2011 at 08:08:48AM -0700, David L Stevens wrote:
> This patch changes rules of the form:
>
> if ! addr drop
> accept
> to:
> if addr return
> ...
> drop
>
> The patch adds a "mac" chain to do a mac address list and separates the "arp"
> chain into separate "arpmac" and "arpip" chains that can check multiple MAC
> or IP addresses in any combination. This patch itself does not support multiple
> addresses via the MAC and IP variables, but only changes the form of the rules
> to allow multiple addresses in the future.
>
> Signed-off-by: David L Stevens <dlstevens at us.ibm.com>
> diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
> index e0c2fb6..31199cb 100644
> --- a/src/conf/nwfilter_conf.c
> +++ b/src/conf/nwfilter_conf.c
> @@ -82,7 +82,9 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable, VIR_NWFILTER_EBTABLES_TABLE_LAST,
>
> VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
> "root",
> - "arp",
> + "mac",
> + "arpmac",
> + "arpip",
> "rarp",
> "ipv4",
> "ipv6");
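Review bot: removing the "arp" entry from the virNWFilterChainSuffix string list means the name "arp" no longer maps to any chain suffix, so anything that already uses that name stops being recognised. Consider keeping "arp" as an accepted name alongside "mac", "arpmac" and "arpip", or state in the commit message how existing uses of "arp" are meant to be handled. The list order also has to stay in step with enum virNWFilterChainSuffixType in nwfilter_conf.h; a short comment saying so would help the next person who adds a chain.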
> diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
> index c96851a..17e954e 100644
> --- a/src/conf/nwfilter_conf.h
> +++ b/src/conf/nwfilter_conf.h
> @@ -428,7 +428,9 @@ struct _virNWFilterEntry {
>
> enum virNWFilterChainSuffixType {
> VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
> - VIR_NWFILTER_CHAINSUFFIX_ARP,
> + VIR_NWFILTER_CHAINSUFFIX_MAC,
> + VIR_NWFILTER_CHAINSUFFIX_ARPMAC,
> + VIR_NWFILTER_CHAINSUFFIX_ARPIP,
> VIR_NWFILTER_CHAINSUFFIX_RARP,
> VIR_NWFILTER_CHAINSUFFIX_IPv4,
> VIR_NWFILTER_CHAINSUFFIX_IPv6,
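Review bot: replacing VIR_NWFILTER_CHAINSUFFIX_ARP with three entries in the middle of the enum removes a symbol and shifts the numeric values of VIR_NWFILTER_CHAINSUFFIX_RARP, VIR_NWFILTER_CHAINSUFFIX_IPv4 and VIR_NWFILTER_CHAINSUFFIX_IPv6 by two. Any code that still refers to the ARP constant, or that depends on the old numeric values, needs to be updated in the same patch. The new entries carry no documentation; a comment on what the MAC, ARPMAC and ARPIP chains each match would make the split easier to review.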
This looks like it is breaking compatibility of NWFilter XML with
previously deployed libvirt releases.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
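
The two rule forms in the quoted commit message, modelled as an added example (not code from the patch or from libvirt), to show why only the second form extends to a list of addresses. The function names, the verdict enum and the sample MAC addresses are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not libvirt code: a chain either drops the frame or
 * passes it on (accept in the old form, return to the caller in the new). */
enum verdict { DROP = 0, PASS = 1 };

/* Constructed sample addresses. */
static const char *const one_mac[]  = { "52:54:00:aa:bb:01" };
static const char *const two_macs[] = { "52:54:00:aa:bb:01", "52:54:00:aa:bb:02" };

/* Old form: "if ! addr drop" once per allowed address, then "accept". */
static enum verdict old_form(const char *src, const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(src, allowed[i]) != 0)
            return DROP;   /* fails as soon as src differs from any one entry */
    return PASS;
}

/* New form: "if addr return" once per allowed address, then "drop". */
static enum verdict new_form(const char *src, const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(src, allowed[i]) == 0)
            return PASS;   /* first match leaves the chain */
    return DROP;           /* nothing matched: default deny */
}

int main(void)
{
    const char *probes[] = { "52:54:00:aa:bb:01", "52:54:00:aa:bb:02", "52:54:00:ff:ff:ff" };
    for (size_t i = 0; i < 3; i++)
        printf("%s  one: old=%d new=%d  two: old=%d new=%d\n", probes[i],
               old_form(probes[i], one_mac, 1), new_form(probes[i], one_mac, 1),
               old_form(probes[i], two_macs, 2), new_form(probes[i], two_macs, 2));
    return 0;
}
```

With one address both forms agree; with two, the old form drops every frame, including those from the allowed addresses, while the new form passes exactly the listed ones.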