[libvirt] [PATCH V2 00/10] Make inner workings of nwfilters more flexible + extensions

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Oct 19 17:22:49 UTC 2011


The following series of patches re-does some of the inner workings
of nwfilters with the goal to enable users to write filters that have other
than the system-known chains supported right now ('root','arp','rarp','ipv4'
and 'ipv6'). Ideally users should be able to provide a chain name in the
chains XML attribute and either be able to jump to it as an 'action' or 
have the chain created automatically as it is the case right now for those
chains enumerated before. The latter is now added in this patch series
as well.

I am first introducing internal priorities for the chains mentioned above so
that their creation can be made more flexible -- currently their creation and
the order in which they are accessed is hardcoded. This largely does away
with the hardcoded stuff. All assigned priorities have negative values.
Later on the priorities for the chains are made accessible via an XML
attribute.

Further, filters will be automatically accessed from the (ebtables)
interface 'root' chain using the prefix of the name of the chain. As an
example, the following filter will be accessed from the root chain for 'arp'
packets since its name 'arp-xyz' has the prefix 'arp'.

<filter name='test-arp-xyz' chain='arp-xyz' priority='-650'>
  <uuid>94abeecc-c956-0ac8-1f49-a06ee8995688</uuid>
  <rule action='accept' direction='out' priority='100'>
    <arp opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
         arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
  </rule>
  <rule action='accept' direction='inout' priority='500'/>
</filter>

In another step the priorities of rules is extended to also allow negativ
values. This then allows the creation of rules and chains in the interface
'root' chain to be mixed so that the following layout becomes possible:

Bridge chain: libvirt-I-vnet0, entries: 6, policy: ACCEPT
-p IPv4 -j I-vnet0-ipv4
-p ARP -j I-vnet0-arp
-p ARP -j ACCEPT 
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT 
-j DROP 

In the above list of rules the '-p ARP -j ACCEPT' can now be found in
between the 'jumps' to protocol-specific chains, which allows for more
efficient rule evaluation.

I did testing with the test cases in libvirt-tck as well as those in
the tests/ directory and did not see any regressions.

Regards,
    Stefan




More information about the libvir-list mailing list