nwfilter: add XML attribute to control iptables state match
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the iptables state match or not. A rule may now look like shown in the XML below, with the statematch attribute having either the value '0' or 'false' (case-insensitive). [...] <rule action='accept' direction='in' statematch='false'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> [...] I am also extending the nwfilter schema and adding this attribute to a test case.
parent
c2160b137d
commit
51d3fb0276
@ -299,6 +299,11 @@
|
|||||||
<ref name='priority-type'/>
|
<ref name='priority-type'/>
|
||||||
</attribute>
|
</attribute>
|
||||||
</optional>
|
</optional>
|
||||||
|
<optional>
|
||||||
|
<attribute name="statematch">
|
||||||
|
<ref name='statematch-type'/>
|
||||||
|
</attribute>
|
||||||
|
</optional>
|
||||||
</define>
|
</define>
|
||||||
|
|
||||||
<define name="match-attribute">
|
<define name="match-attribute">
|
||||||
@ -816,4 +821,9 @@
|
|||||||
<param name="maxInclusive">1000</param>
|
<param name="maxInclusive">1000</param>
|
||||||
</data>
|
</data>
|
||||||
</define>
|
</define>
|
||||||
|
<define name='statematch-type'>
|
||||||
|
<data type="string">
|
||||||
|
<param name="pattern">([Ff][Aa][Ll][Ss][Ee]|0)</param>
|
||||||
|
</data>
|
||||||
|
</define>
|
||||||
</grammar>
|
</grammar>
|
||||||
|
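Review bot: The `statematch-type` pattern `([Ff][Aa][Ll][Ss][Ee]|0)` only admits the opt-out spellings, so a filter that states the default explicitly with `statematch='true'` or `statematch='1'` fails schema validation, while the parser hunk in virNWFilterRuleParse (the `STREQ(statematch, "0") || STRCASEEQ(statematch, "false")` check) accepts any string and silently treats every other value as "state match enabled". Schema and parser should agree on the accepted value set: either widen the pattern to `([Ff][Aa][Ll][Ss][Ee]|0|[Tt][Rr][Uu][Ee]|1)` and document that anything else is rejected, or have the parser report an error for values it does not recognise rather than ignore them. As written, a misspelling such as `statematch='flase'` passes the parser and quietly keeps the state match on, which is the more restrictive outcome but not what the author requested, and the two validation layers disagree on whether the document is valid.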
@ -1580,6 +1580,7 @@ virNWFilterRuleParse(xmlNodePtr node)
|
|||||||
char *action;
|
char *action;
|
||||||
char *direction;
|
char *direction;
|
||||||
char *prio;
|
char *prio;
|
||||||
|
char *statematch;
|
||||||
int found;
|
int found;
|
||||||
int found_i = 0;
|
int found_i = 0;
|
||||||
unsigned int priority;
|
unsigned int priority;
|
||||||
@ -1595,6 +1596,7 @@ virNWFilterRuleParse(xmlNodePtr node)
|
|||||||
action = virXMLPropString(node, "action");
|
action = virXMLPropString(node, "action");
|
||||||
direction = virXMLPropString(node, "direction");
|
direction = virXMLPropString(node, "direction");
|
||||||
prio = virXMLPropString(node, "priority");
|
prio = virXMLPropString(node, "priority");
|
||||||
|
statematch= virXMLPropString(node, "statematch");
|
||||||
|
|
||||||
if (!action) {
|
if (!action) {
|
||||||
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
|
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
@ -1633,6 +1635,10 @@ virNWFilterRuleParse(xmlNodePtr node)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (statematch &&
|
||||||
|
(STREQ(statematch, "0") || STRCASEEQ(statematch, "false")))
|
||||||
|
ret->flags |= RULE_FLAG_NO_STATEMATCH;
|
||||||
|
|
||||||
cur = node->children;
|
cur = node->children;
|
||||||
|
|
||||||
found = 0;
|
found = 0;
|
||||||
@ -1677,6 +1683,7 @@ cleanup:
|
|||||||
VIR_FREE(prio);
|
VIR_FREE(prio);
|
||||||
VIR_FREE(action);
|
VIR_FREE(action);
|
||||||
VIR_FREE(direction);
|
VIR_FREE(direction);
|
||||||
|
VIR_FREE(statematch);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
@ -2532,6 +2539,9 @@ virNWFilterRuleDefFormat(virNWFilterRuleDefPtr def)
|
|||||||
virNWFilterRuleDirectionTypeToString(def->tt),
|
virNWFilterRuleDirectionTypeToString(def->tt),
|
||||||
def->priority);
|
def->priority);
|
||||||
|
|
||||||
|
if ((def->flags & RULE_FLAG_NO_STATEMATCH))
|
||||||
|
virBufferAddLit(&buf, " statematch='false'");
|
||||||
|
|
||||||
i = 0;
|
i = 0;
|
||||||
while (virAttr[i].id) {
|
while (virAttr[i].id) {
|
||||||
if (virAttr[i].prtclType == def->prtclType) {
|
if (virAttr[i].prtclType == def->prtclType) {
|
||||||
|
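Review bot: `statematch= virXMLPropString(node, "statematch");` is missing the space before `=` that every neighbouring assignment in the hunk has; write `statematch = virXMLPropString(node, "statematch");`. The doubled parentheses in `if ((def->flags & RULE_FLAG_NO_STATEMATCH))` in virNWFilterRuleDefFormat add nothing since the condition contains no assignment, and the same form recurs in iptablesCreateRuleInstance; `if (def->flags & RULE_FLAG_NO_STATEMATCH)` matches the other conditions in these files. `ret->flags |= RULE_FLAG_NO_STATEMATCH;` relies on `ret->flags` starting out clear, which presumably holds if `ret` is zero-allocated, but that allocation lies outside the hunk and is worth confirming. Both virNWFilterRuleParse and virNWFilterRuleDefFormat start and end outside their hunks.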
@ -345,11 +345,16 @@ enum virNWFilterEbtablesTableType {
|
|||||||
|
|
||||||
# define MAX_RULE_PRIORITY 1000
|
# define MAX_RULE_PRIORITY 1000
|
||||||
|
|
||||||
|
enum virNWFilterRuleFlags {
|
||||||
|
RULE_FLAG_NO_STATEMATCH = (1 << 0),
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
typedef struct _virNWFilterRuleDef virNWFilterRuleDef;
|
typedef struct _virNWFilterRuleDef virNWFilterRuleDef;
|
||||||
typedef virNWFilterRuleDef *virNWFilterRuleDefPtr;
|
typedef virNWFilterRuleDef *virNWFilterRuleDefPtr;
|
||||||
struct _virNWFilterRuleDef {
|
struct _virNWFilterRuleDef {
|
||||||
unsigned int priority;
|
unsigned int priority;
|
||||||
|
enum virNWFilterRuleFlags flags;
|
||||||
int action; /*enum virNWFilterRuleActionType*/
|
int action; /*enum virNWFilterRuleActionType*/
|
||||||
int tt; /*enum virNWFilterRuleDirectionType*/
|
int tt; /*enum virNWFilterRuleDirectionType*/
|
||||||
enum virNWFilterRuleProtocolType prtclType;
|
enum virNWFilterRuleProtocolType prtclType;
|
||||||
|
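Review bot: `enum virNWFilterRuleFlags flags;` stores a bitmask in an enum-typed member, so as soon as a second flag is OR-ed in the stored value is no longer one of the enumerators, and the neighbouring members follow a different convention (`int action; /*enum virNWFilterRuleActionType*/`). For consistency and to make the bitmask nature explicit, `unsigned int flags; /* bitmask of enum virNWFilterRuleFlags */` reads better. The new enum also deserves a one-line comment, e.g. `/* per-rule behaviour flags; RULE_FLAG_NO_STATEMATCH omits the iptables state match from the generated rule (XML statematch='false' or '0') */`.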
@ -1498,6 +1498,9 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
|
|||||||
needState = 0;
|
needState = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ((rule->flags & RULE_FLAG_NO_STATEMATCH))
|
||||||
|
needState = 0;
|
||||||
|
|
||||||
chainPrefix[0] = 'F';
|
chainPrefix[0] = 'F';
|
||||||
|
|
||||||
maySkipICMP = directionIn || inout;
|
maySkipICMP = directionIn || inout;
|
||||||
|
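Review bot: The new `needState = 0;` override in iptablesCreateRuleInstance carries no comment tying it to the XML attribute, and it sits right after another `needState = 0;` whose enclosing branch starts outside the hunk, so a reader meeting the second reset has to chase the flag back to the parser to learn why. Suggest `/* user explicitly opted out of the iptables state match (statematch='false') */` on the line above the `if`. The function starts and ends outside the hunk.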
@ -5,14 +5,14 @@
|
|||||||
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
|
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
|
||||||
dscp='2'/>
|
dscp='2'/>
|
||||||
</rule>
|
</rule>
|
||||||
<rule action='accept' direction='in'>
|
<rule action='accept' direction='in' statematch='false'>
|
||||||
<tcp srcmacaddr='1:2:3:4:5:6'
|
<tcp srcmacaddr='1:2:3:4:5:6'
|
||||||
srcipaddr='10.1.2.3' srcipmask='32'
|
srcipaddr='10.1.2.3' srcipmask='32'
|
||||||
dscp='33'
|
dscp='33'
|
||||||
srcportstart='20' srcportend='21'
|
srcportstart='20' srcportend='21'
|
||||||
dstportstart='100' dstportend='1111'/>
|
dstportstart='100' dstportend='1111'/>
|
||||||
</rule>
|
</rule>
|
||||||
<rule action='accept' direction='in'>
|
<rule action='accept' direction='in' statematch='0'>
|
||||||
<tcp srcmacaddr='1:2:3:4:5:6'
|
<tcp srcmacaddr='1:2:3:4:5:6'
|
||||||
srcipaddr='10.1.2.3' srcipmask='32'
|
srcipaddr='10.1.2.3' srcipmask='32'
|
||||||
dscp='63'
|
dscp='63'
|
||||||
|
@ -3,10 +3,10 @@
|
|||||||
<rule action='accept' direction='out' priority='500'>
|
<rule action='accept' direction='out' priority='500'>
|
||||||
<tcp srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2'/>
|
<tcp srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2'/>
|
||||||
</rule>
|
</rule>
|
||||||
<rule action='accept' direction='in' priority='500'>
|
<rule action='accept' direction='in' priority='500' statematch='false'>
|
||||||
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/>
|
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/>
|
||||||
</rule>
|
</rule>
|
||||||
<rule action='accept' direction='in' priority='500'>
|
<rule action='accept' direction='in' priority='500' statematch='false'>
|
||||||
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' srcportstart='255' srcportend='256' dstportstart='65535'/>
|
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' srcportstart='255' srcportend='256' dstportstart='65535'/>
|
||||||
</rule>
|
</rule>
|
||||||
</filter>
|
</filter>
|
||||||
|