diff options
author | Stefan Berger <stefanb@us.ibm.com> | 2010-06-17 14:12:34 -0400 |
---|---|---|
committer | Stefan Berger <stefanb@us.ibm.com> | 2010-06-17 14:12:34 -0400 |
commit | 51d3fb02768bb10fbba70e9c4466456c0488ced6 (patch) | |
tree | d0c56629276a39b588597aa54230e91317146012 | |
parent | virsh: ensure persistence and autostart are shown for dominfo and pool-info (diff) | |
download | libvirt-51d3fb02768bb10fbba70e9c4466456c0488ced6.tar.gz libvirt-51d3fb02768bb10fbba70e9c4466456c0488ced6.tar.bz2 libvirt-51d3fb02768bb10fbba70e9c4466456c0488ced6.zip |
nwfilter: add XML attribute to control iptables state match
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the iptables state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive).
[...]
<rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
[...]
I am also extending the nwfilter schema and add this attribute to a test case.
-rw-r--r-- | docs/schemas/nwfilter.rng | 10 | ||||
-rw-r--r-- | src/conf/nwfilter_conf.c | 10 | ||||
-rw-r--r-- | src/conf/nwfilter_conf.h | 5 | ||||
-rw-r--r-- | src/nwfilter/nwfilter_ebiptables_driver.c | 3 | ||||
-rw-r--r-- | tests/nwfilterxml2xmlin/tcp-test.xml | 4 | ||||
-rw-r--r-- | tests/nwfilterxml2xmlout/tcp-test.xml | 4 |
6 files changed, 32 insertions, 4 deletions
diff --git a/docs/schemas/nwfilter.rng b/docs/schemas/nwfilter.rng index e8be9fce1..262e42010 100644 --- a/docs/schemas/nwfilter.rng +++ b/docs/schemas/nwfilter.rng @@ -299,6 +299,11 @@ <ref name='priority-type'/> </attribute> </optional> + <optional> + <attribute name="statematch"> + <ref name='statematch-type'/> + </attribute> + </optional> </define> <define name="match-attribute"> @@ -816,4 +821,9 @@ <param name="maxInclusive">1000</param> </data> </define> + <define name='statematch-type'> + <data type="string"> + <param name="pattern">([Ff][Aa][Ll][Ss][Ee]|0)</param> + </data> + </define> </grammar> diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c index fc6d4617b..fd3d80507 100644 --- a/src/conf/nwfilter_conf.c +++ b/src/conf/nwfilter_conf.c @@ -1580,6 +1580,7 @@ virNWFilterRuleParse(xmlNodePtr node) char *action; char *direction; char *prio; + char *statematch; int found; int found_i = 0; unsigned int priority; @@ -1595,6 +1596,7 @@ virNWFilterRuleParse(xmlNodePtr node) action = virXMLPropString(node, "action"); direction = virXMLPropString(node, "direction"); prio = virXMLPropString(node, "priority"); + statematch= virXMLPropString(node, "statematch"); if (!action) { virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, @@ -1633,6 +1635,10 @@ virNWFilterRuleParse(xmlNodePtr node) } } + if (statematch && + (STREQ(statematch, "0") || STRCASEEQ(statematch, "false"))) + ret->flags |= RULE_FLAG_NO_STATEMATCH; + cur = node->children; found = 0; @@ -1677,6 +1683,7 @@ cleanup: VIR_FREE(prio); VIR_FREE(action); VIR_FREE(direction); + VIR_FREE(statematch); return ret; @@ -2532,6 +2539,9 @@ virNWFilterRuleDefFormat(virNWFilterRuleDefPtr def) virNWFilterRuleDirectionTypeToString(def->tt), def->priority); + if ((def->flags & RULE_FLAG_NO_STATEMATCH)) + virBufferAddLit(&buf, " statematch='false'"); + i = 0; while (virAttr[i].id) { if (virAttr[i].prtclType == def->prtclType) { diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h index b7b62adc3..99ef1d448 100644 --- a/src/conf/nwfilter_conf.h +++ b/src/conf/nwfilter_conf.h @@ -345,11 +345,16 @@ enum virNWFilterEbtablesTableType { # define MAX_RULE_PRIORITY 1000 +enum virNWFilterRuleFlags { + RULE_FLAG_NO_STATEMATCH = (1 << 0), +}; + typedef struct _virNWFilterRuleDef virNWFilterRuleDef; typedef virNWFilterRuleDef *virNWFilterRuleDefPtr; struct _virNWFilterRuleDef { unsigned int priority; + enum virNWFilterRuleFlags flags; int action; /*enum virNWFilterRuleActionType*/ int tt; /*enum virNWFilterRuleDirectionType*/ enum virNWFilterRuleProtocolType prtclType; diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 2fa78d065..fcd6c8c12 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1498,6 +1498,9 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, needState = 0; } + if ((rule->flags & RULE_FLAG_NO_STATEMATCH)) + needState = 0; + chainPrefix[0] = 'F'; maySkipICMP = directionIn || inout; diff --git a/tests/nwfilterxml2xmlin/tcp-test.xml b/tests/nwfilterxml2xmlin/tcp-test.xml index e3111e89e..3fe5299fb 100644 --- a/tests/nwfilterxml2xmlin/tcp-test.xml +++ b/tests/nwfilterxml2xmlin/tcp-test.xml @@ -5,14 +5,14 @@ dstipaddr='10.1.2.3' dstipmask='255.255.255.255' dscp='2'/> </rule> - <rule action='accept' direction='in'> + <rule action='accept' direction='in' statematch='false'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> - <rule action='accept' direction='in'> + <rule action='accept' direction='in' statematch='0'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' diff --git a/tests/nwfilterxml2xmlout/tcp-test.xml b/tests/nwfilterxml2xmlout/tcp-test.xml index a13afe149..4037808c4 100644 --- a/tests/nwfilterxml2xmlout/tcp-test.xml +++ b/tests/nwfilterxml2xmlout/tcp-test.xml @@ -3,10 +3,10 @@ <rule action='accept' direction='out' priority='500'> <tcp srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2'/> </rule> - <rule action='accept' direction='in' priority='500'> + <rule action='accept' direction='in' priority='500' statematch='false'> <tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> - <rule action='accept' direction='in' priority='500'> + <rule action='accept' direction='in' priority='500' statematch='false'> <tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' srcportstart='255' srcportend='256' dstportstart='65535'/> </rule> </filter> |