support continue/return targets in nwfilter

This patch adds support for "continue" and "return" actions in filter rules. Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
2024-12-22 21:55:25 +00:00 · 2011-10-18 12:55:25 -07:00 · 2011-10-18 12:55:25 -07:00 · a61e9ff60d
commit a61e9ff60d
parent e36da1bd8a
4 changed files with 22 additions and 7 deletions
--- a/1
+++ b/1
@ -198,6 +198,7 @@ Patches have also been contributed by:
  Tang Chen            <tangchen@cn.fujitsu.com>
  Dan Horák            <dan@danny.cz>
  Sage Weil            <sage@newdream.net>
+  David L Stevens      <dlstevens@us.ibm.com>

  [....send patches to get your name here....]

--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@ -258,11 +258,19 @@
    </p>
    <ul>
     <li>
-        action -- mandatory; must either be <code>drop</code>,
-        <code>reject</code><span class="since">(since 0.9.0)</span>,
-        or <code>accept</code> if
-        the evaluation of the filtering rule is supposed to drop,
-        reject (using ICMP message), or accept a packet
+        action -- mandatory; must either be <code>drop</code>
+        (matching the rule silently discards the packet with no
+        further analysis),
+        <code>reject</code> (matching the rule generates an ICMP
+        reject message with no further analysis) <span class="since">(since
+        0.9.0)</span>, <code>accept</code> (matching the rule accepts
+        the packet with no further analysis), <code>return</code>
+        (matching the rule passes this filter, but returns control to
+        the calling filter for further
+        analysis) <span class="since">(since 0.9.7)</span>,
+        or <code>continue<code> (matching the rule goes on to the next
+        rule for further analysis) <span class="since">(since
+        0.9.7)</span>.
     </li>
     <li>
        direction -- mandatory; must either be <code>in</code>, <code>out</code> or
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@ -55,12 +55,16 @@
 VIR_ENUM_IMPL(virNWFilterRuleAction, VIR_NWFILTER_RULE_ACTION_LAST,
              "drop",
              "accept",
-              "reject");
+              "reject",
+              "return",
+              "continue");

 VIR_ENUM_IMPL(virNWFilterJumpTarget, VIR_NWFILTER_RULE_ACTION_LAST,
              "DROP",
              "ACCEPT",
-              "REJECT");
+              "REJECT",
+              "RETURN",
+              "CONTINUE");

 VIR_ENUM_IMPL(virNWFilterRuleDirection, VIR_NWFILTER_RULE_DIRECTION_LAST,
              "in",
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@ -299,6 +299,8 @@ enum virNWFilterRuleActionType {
    VIR_NWFILTER_RULE_ACTION_DROP = 0,
    VIR_NWFILTER_RULE_ACTION_ACCEPT,
    VIR_NWFILTER_RULE_ACTION_REJECT,
+    VIR_NWFILTER_RULE_ACTION_RETURN,
+    VIR_NWFILTER_RULE_ACTION_CONTINUE,

    VIR_NWFILTER_RULE_ACTION_LAST,
 };