diff options
| author |   Stefan Berger <stefanb@linux.vnet.ibm.com> | 2011-11-18 11:58:18 -0500 |
|---|---|---|
| committer |   Stefan Berger <stefanb@us.ibm.com> | 2011-11-18 11:58:18 -0500 |
| commit | ea7c73a76f63a88a34bc06649f3d7f934fd0a18f (patch) | |
| tree | e9d91cd080b53eb3155f1f9252c42a41615f0279 /src/conf/nwfilter_conf.h | |
| parent | Extend the filter XML to support priorities of chains (diff) | |
| download | libvirt-ea7c73a76f63a88a34bc06649f3d7f934fd0a18f.tar.gz libvirt-ea7c73a76f63a88a34bc06649f3d7f934fd0a18f.tar.bz2 libvirt-ea7c73a76f63a88a34bc06649f3d7f934fd0a18f.zip | |
Enable chains with names having a known prefix
This patch enables chains that have a known prefix in their name.
Known prefixes are: 'ipv4', 'ipv6', 'arp', 'rarp'. All prefixes
are also protocols that can be evaluated on the ebtables level.
Following the prefix they will be automatically connected to an interface's
'root' chain and jumped into following the protocol they evaluate, i.e.,
a table 'arp-xyz' will be accessed from the root table using
ebtables -t nat -A <iface root table> -p arp -j I-<ifname>-arp-xyz
thus generating a 'root' chain like this one here:
Bridge chain: libvirt-O-vnet0, entries: 5, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p ARP -j O-vnet0-arp
-p 0x8035 -j O-vnet0-rarp
-p ARP -j O-vnet0-arp-xyz
-j DROP
where the chain 'arp-xyz' is accessed for filtering of ARP packets.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Diffstat (limited to 'src/conf/nwfilter_conf.h')
| -rw-r--r-- | src/conf/nwfilter_conf.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h index 0ff14d143..55b2aad35 100644 --- a/src/conf/nwfilter_conf.h +++ b/src/conf/nwfilter_conf.h @@ -446,6 +446,9 @@ enum virNWFilterChainSuffixType { VIR_NWFILTER_CHAINSUFFIX_LAST, }; +# define VALID_CHAINNAME \ + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.:-" + typedef int32_t virNWFilterChainPriority; typedef struct _virNWFilterDef virNWFilterDef; |