Commit Graph

10 Commits

Author SHA1 Message Date
Stefan Berger
fcb0e8c227 nwfilter: enable filtering of gratuitous ARP packets
This patch enables filtering of gratuitous ARP packets using the following XML:

<rule action='accept' direction='in' priority='425'>
<arp gratuitous='true'/>
</rule>
2011-05-23 19:41:18 -04:00
Stefan Berger
6ab24feb44 nwfilters: support for TCP flags evaluation
This patch adds support for the evaluation of TCP flags in nwfilters.

It adds documentation to the web page and extends the tests as well.
Also, the nwfilter schema is extended.

The following are some example for rules using the tcp flags:

<rule action='accept' direction='in'>
    <tcp state='NONE' flags='SYN/ALL' dsptportstart='80'/>
</rule>
<rule action='drop' direction='in'>
    <tcp state='NONE' flags='SYN/ALL'/>
</rule>
2011-04-07 20:13:38 -04:00
Stefan Berger
5c6405a058 nwfilter: Add test case for testing the state attribute
This patch adds a test case for testing the XML parser's and instantiator's
support of the state attribute. The other test case tests existing
capabilities. Both test cases will be used in TCK again.
2010-10-07 06:43:35 -04:00
Stefan Berger
f095424600 nwfilter: Add a test case for testing the comment attribute
This patch adds a test case for testing the XML parser's and instantiator's
support of the comment attribute.
2010-09-30 16:09:04 -04:00
Stefan Berger
51d3fb0276 nwfilter: add XML attribute to control iptables state match
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the iptables state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive).

[...]
<rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
           srcipaddr='10.1.2.3' srcipmask='32'
           dscp='33'
           srcportstart='20' srcportend='21'
           dstportstart='100' dstportend='1111'/>
</rule>
[...]

I am also extending the nwfilter schema and add this attribute to a test case.
2010-06-17 14:12:34 -04:00
Stefan Berger
aea68ce906 nwfilter: add support for RAPR protocol
This patch adds support for the RARP protocol. This may be needed due to
qemu sending out a RARP packet (at least that's what it seems to want to
do even though the protocol id is wrong) when migration finishes and
we'd need a rule to let the packets pass.

Unfortunately my installation of ebtables does not understand -p RARP
and also seems to otherwise depend on strings in /etc/ethertype
translated to protocol identifiers. Therefore I need to pass -p 0x8035
for RARP. To generally get rid of the dependency of that file I switch
all so far supported protocols to use their protocol identifier in the
-p parameter rather than the string.

I am also extending the schema and added a test case.

changes from v1 to v2:
- added test case into patch
2010-04-27 07:26:12 -04:00
Stefan Berger
5c7c755f50 nwfilter: enable hex number inputs in filter XML
With this patch I want to enable hex number inputs in the filter XML. A
number that was entered as hex is also printed as hex unless a string
representing the meaning can be found.

I am also extending the schema and adding a test case. A problem with
the DSCP value is fixed on the way as well.

Changes from V1 to V2:

- using asHex boolean in all printf type of functions to select the
output format in hex or decimal format
2010-04-26 13:50:40 -04:00
Stefan Berger
9db01465e5 nwfilter: extend schema + add testcase w/ connlimit-above
I am extending the schema with the recently added connlimit-above
attribute and adding a test case for it to the test suite.
2010-04-23 11:42:39 -04:00
Stefan Berger
b5cc01ef2e nwfilter: More XML parser test cases
This patch adds a couple more nwfilter test cases for the XML parser tests.
2010-04-09 07:25:02 -04:00
Stefan Berger
8459218cbc This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the exepcted output XML.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
2010-04-02 13:28:28 -04:00