[libvirt] [PATCH] nwfilter: fix typing error in filter

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Jan 11 20:40:10 UTC 2012 

On 01/11/2012 02:57 PM, Eric Blake wrote:
> On 01/11/2012 12:42 PM, Stefan Berger wrote:
>> Fix a typing error in the no-ip-spoofing filter.
>> Return DHCP request packets passing through this filter. Have
>> the user use another filter to actually allow DHCP requests to be
>> sent (action='accept').
>>
>> ---
>>   examples/xml/nwfilter/no-ip-spoofing.xml |    6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml
>> ===================================================================
>> --- libvirt-acl.orig/examples/xml/nwfilter/no-ip-spoofing.xml
>> +++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml
>> @@ -1,7 +1,7 @@
>> <filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
>> -<!-- allow DHCP requests -->
>> -<rule action='accept' direction='out' priority='100'>
>> -<ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68'
>> srcportend='68'/>
>> +<!-- allow DHCP requests sent from 0.0.0.0 -->
>> +<rule action='return' direction='out' priority='100'>
> I see how the action='accept' vs. action='return' makes a difference
> here, if the user has other rules after calling this filter that they
> still want to use.

Right, that's the intention.

>> +<ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68'
>> dstportstart='67'/>
> but I'm a bit lost as to why srcportend='68' needs to be changed to
> dstportstart='67'.  Assuming you can explain this change, then

DHCP requests are sent from port 68 on the client to port 67 on the server.

> ACK.

Will push later today but will need to update TCK as well.


> Meanwhile, this file under examples/ differs from the text in
> formatnwfilter.html.in which also defines a filter named no-ip-spoofing;
> is that a discrepancy where the docs should be updated to accurately
> describe what is our best state-of-the-art in the examples, or is it
> something where we should just mention in the docs that the docs are
> shorter versions for discussion, and to see examples/ for a more
> complete version.  But fixing that can be a separate patch.
>
I'll look into that...

    Stefan

More information about the libvir-list mailing list