[libvirt] [libvirt PATCHv3 04/10] make default chain policy "DROP"

David Stevens dlstevens at us.ibm.com
Mon Oct 17 17:04:21 UTC 2011 

Stefan Berger <stefanb at linux.vnet.ibm.com> wrote on 10/17/2011 08:50:14 
AM:


> I agree with Daniel's previous comments that this could introduce 
> compatibility problems. It would be best not to change it or if really 
> need be later on introduce an XML attribute for a chain that allows to 
> choose whether the default policy is accept or drop.

        This is not a functional change. With the multiple address
support, literally all of the chains in question end with "-j DROP".
By changing the default policy to "DROP", it removes the requirement
to have the "-j DROP"  _at_the_end_, which makes appending new rules
without reference to a priority easier.
        I think the real sticking point here is whether we consider
the existing standard chains as immutable. If, for compatibility's sake,
we keep address matching as:

        if ($IP != ADDRESS) DROP
        ACCEPT

then we cannot support multiple IP addresses. If we change this to:

        if ($IP == ADDRESS1) RETURN
        if ($IP == ADDRESS2) RETURN
        ...
        DROP

all of the standard chains end in "-j DROP" and making the policy
be DROP expresses exactly the same thing with one less rule per chain.
This also allows appending more allowed addresses without using a
priority to ensure that "-j DROP" is last.
        Any customization to the old filters that do "DROP" or "ACCEPT"
will still work and "RETURN" and "CONTINUE" were not supported before,
so the default, whether done by "-j DROP/ACCEPT" or the policy, don't
matter-- the custom rule will behave as it does now. It's just that
that "DROP/ACCEPT" will bypass subsequent checks that are now possible
if doing "RETURN/CONTINUE" instead.
        But, of course, *any* change to the standard filters requires
a review of custom filters that link into them or modify them.

        I think maintaining this level of compatibility simply means
we cannot support multiple addresses. Doing that obviously requires
changing the existing address matching filters, which therefore can't
be linked in in identically the same way. However, I think any
existing customization is trivial to apply after, too. Perhaps an
example filter that causes a problem?

                                                        +-DLS

More information about the libvir-list mailing list