[libvirt] [libvirt PATCHv3 04/10] make default chain policy "DROP"

Stefan Berger stefanb at linux.vnet.ibm.com
Mon Oct 17 15:50:14 UTC 2011


On 10/12/2011 03:50 PM, David L Stevens wrote:
> 	This patch simplifies the table rules by setting the protocol chains'
> policy to "DROP" and removing the explicit "-j DROP" entries that the
> protocol rules had previously. It also makes "no-other-rarp-traffic.xml"
> obsolete.
I agree with Daniel's previous comments that this could introduce 
compatibility problems. It would be best not to change it, or, if it 
really needs to be, to introduce later on an XML attribute for a chain 
that allows choosing whether the default policy is accept or drop.

  Stefan

> Signed-off-by: David L Stevens<dlstevens at us.ibm.com>
> ---
>   examples/xml/nwfilter/Makefile.am               |    1 -
>   examples/xml/nwfilter/no-arpip-spoofing.xml     |    2 --
>   examples/xml/nwfilter/no-arpmac-spoofing.xml    |    2 --
>   examples/xml/nwfilter/no-ip-spoofing.xml        |    2 --
>   examples/xml/nwfilter/no-mac-spoofing.xml       |    2 --
>   examples/xml/nwfilter/no-other-rarp-traffic.xml |    3 ---
>   examples/xml/nwfilter/qemu-announce-self.xml    |    1 -
>   src/nwfilter/nwfilter_ebiptables_driver.c       |   11 +----------
>   8 files changed, 1 insertions(+), 23 deletions(-)
>   delete mode 100644 examples/xml/nwfilter/no-other-rarp-traffic.xml
>
> diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
> index 84aaa3c..67085fa 100644
> --- a/examples/xml/nwfilter/Makefile.am
> +++ b/examples/xml/nwfilter/Makefile.am
> @@ -18,7 +18,6 @@ FILTERS = \
>   	no-mac-broadcast.xml \
>   	no-mac-spoofing.xml \
>   	no-other-l2-traffic.xml \
> -	no-other-rarp-traffic.xml \
>   	qemu-announce-self.xml \
>   	qemu-announce-self-rarp.xml
>
> diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml b/examples/xml/nwfilter/no-arpip-spoofing.xml
> index ee42d40..7ef6f0f 100644
> --- a/examples/xml/nwfilter/no-arpip-spoofing.xml
> +++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
> @@ -7,6 +7,4 @@
>      <rule action='return' direction='out' priority='410'>
>          <arp match='yes' arpsrcipaddr='0.0.0.0' />
>      </rule>
> -<!-- drop everything else -->
> -<rule action='drop' direction='out' priority='1000' />
>   </filter>
> diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml b/examples/xml/nwfilter/no-arpmac-spoofing.xml
> index 90499d3..3834047 100644
> --- a/examples/xml/nwfilter/no-arpmac-spoofing.xml
> +++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
> @@ -2,6 +2,4 @@
>      <rule action='return' direction='out' priority='350'>
>          <arp match='yes' arpsrcmacaddr='$MAC'/>
>      </rule>
> -<!-- drop everything else -->
> -<rule action='drop' direction='out' priority='1000' />
>   </filter>
> diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml
> index 84e8a5e..2fccd12 100644
> --- a/examples/xml/nwfilter/no-ip-spoofing.xml
> +++ b/examples/xml/nwfilter/no-ip-spoofing.xml
> @@ -4,6 +4,4 @@
>       <rule action='return' direction='out'>
>           <ip match='yes' srcipaddr='$IP' />
>       </rule>
> -<!-- drop any that don't match the source IP list -->
> -<rule action='drop' direction='out' />
>   </filter>
> diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml b/examples/xml/nwfilter/no-mac-spoofing.xml
> index aee56c7..e2e8c03 100644
> --- a/examples/xml/nwfilter/no-mac-spoofing.xml
> +++ b/examples/xml/nwfilter/no-mac-spoofing.xml
> @@ -4,6 +4,4 @@
>      <rule action='return' direction='out' priority='350'>
>          <mac match='yes' srcmacaddr='$MAC'/>
>      </rule>
> -<!-- drop everything else -->
> -<rule action='drop' direction='out' priority='1000' />
>   </filter>
> diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml b/examples/xml/nwfilter/no-other-rarp-traffic.xml
> deleted file mode 100644
> index 7729996..0000000
> --- a/examples/xml/nwfilter/no-other-rarp-traffic.xml
> +++ /dev/null
> @@ -1,3 +0,0 @@
> -<filter name='no-other-rarp-traffic' chain='rarp'>
> -<rule action='drop' direction='inout' priority='1000'/>
> -</filter>
> diff --git a/examples/xml/nwfilter/qemu-announce-self.xml b/examples/xml/nwfilter/qemu-announce-self.xml
> index 352db50..12957b5 100644
> --- a/examples/xml/nwfilter/qemu-announce-self.xml
> +++ b/examples/xml/nwfilter/qemu-announce-self.xml
> @@ -8,6 +8,5 @@
>
>       <!-- accept if it was changed to rarp -->
>       <filterref filter='qemu-announce-self-rarp'/>
> -<filterref filter='no-other-rarp-traffic'/>
>
>   </filter>
> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
> index 3c6fca7..e6a4880 100644
> --- a/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -2791,7 +2791,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
>           protostr[0] = '\0';
>
>       virBufferAsprintf(buf,
> -                      CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
> +                      CMD_DEF("%s -t %s -N %s -P DROP") CMD_SEPARATOR
>                         CMD_EXEC
>                         "%s"
>                         CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR
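Review bot: The `-P DROP` added to the `-N` command at the top of this hunk only changes the policy of the per-protocol sub-chains created here, while the hunk in `ebtablesApplyBasicRules` further down removes the root chain's `-s ! <mac> -j DROP` rule; nothing in this patch shows the root chain being created with a DROP policy, so frames from a non-matching source MAC that are not steered into a sub-chain appear to fall through the root chain unfiltered. Either keep that explicit rule or extend the policy change to the root chain (created outside this patch), and say which in the commit message. A DROP policy also makes each sub-chain terminal for anything it does not match, so if more than one sub-chain is ever created for the same protocol the first one's policy shadows the later ones; a comment above the `virBufferAsprintf` such as `/* sub-chain policy is DROP: unmatched frames never reach a later chain */` would make that visible. `ebtablesCreateTmpSubChain` begins and ends outside this hunk.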
> @@ -3015,15 +3015,6 @@ ebtablesApplyBasicRules(const char *ifname,
>
>       PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
>       virBufferAsprintf(&buf,
> -                      CMD_DEF("%s -t %s -A %s -s ! %s -j DROP") CMD_SEPARATOR
> -                      CMD_EXEC
> -                      "%s",
> -
> -                      ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
> -                      chain, macaddr_str,
> -                      CMD_STOPONERR(1));
> -
> -    virBufferAsprintf(&buf,
>                         CMD_DEF("%s -t %s -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR
>                         CMD_EXEC
>                         "%s",



