[libvirt] [libvirt PATCHv3 05/10] allow chain modification

Stefan Berger stefanb at linux.vnet.ibm.com
Mon Oct 17 17:31:29 UTC 2011


On 10/17/2011 01:23 PM, David Stevens wrote:
> Stefan Berger <stefanb at linux.vnet.ibm.com> wrote on 10/17/2011 09:07:12 AM:
>
>> On 10/12/2011 03:50 PM, David L Stevens wrote:
>>>     This patch adds the internal capability to add rules to existing
>>> chains instead of using temporary chains and to generate placeholders for
>>> chains that are referenced without generating a rule for them immediately.
>>> Finally, it includes variable matching for filter instantiation
>>> (i.e., instantiate only when a given variable is present in a filter, or
>>> only when it is not).
>>>
>> Following the above I am not sure what this will be used for as part of
>> this extension.
>          This is used to add rules to existing chains when a new IP address is
> discovered (i.e., a DHCP ACK from a server occurs). The existing code builds
> the entire chain as a temporary chain and then swaps it in, which is only
> appropriate at start-up. For DHCP snooping, we want to add and remove rules
> that reference "IP" using a particular value (the address for the ACK or
> lease expiration) without affecting other rules that don't reference IP or
> have a different address value. "removeRules" was already there, but "addRules"
> was not.
Yes, then I understood this correctly. See the other mails regarding the 
problems I am seeing with it. If there was a way to figure out at what 
position to insert a rule into an existing chain, i.e. at position 5, 
rather than always at the end, we could use this addRules() call, 
otherwise I find it very limiting.

    Stefan

>   +-DLS
>



