libvirt/tests/nwfilterxml2xmlin
Stefan Berger a3f3ab4c9c nwfilter: Add support for ipset
This patch adds support for the recent ipset iptables extension
to libvirt's nwfilter subsystem. Ipset allows one to maintain 'sets'
of IP addresses, ports and other packet parameters and allows for
faster lookup (in the order of O(1) vs. O(n)) and rule evaluation
to achieve higher throughput than what can be achieved with
individual iptables rules.

On the command line iptables supports ipset using

iptables ... -m set --match-set <ipset name> <flags> -j ...

where 'ipset name' is the name of a previously created ipset and
flags is a comma-separated list of up to 6 flags. Flags use 'src' and 'dst'
for selecting IP addresses, ports etc. from the source or
destination part of a packet. So a concrete example may look like this:

iptables -A INPUT -m set --match-set test src,src -j ACCEPT

Since ipset management is quite complex, the idea was to leave ipset 
management outside of libvirt but still allow users to reference an ipset.
The user would have to make sure the ipset is available once the VM is
started so that the iptables rule(s) referencing the ipset can be created.

Using XML to describe an ipset in an nwfilter rule would then look as
follows:

  <rule action='accept' direction='in'>
    <all ipset='test' ipsetflags='src,src'/>
  </rule>

The two parameters on the command line are also the two distinct XML attributes
'ipset' and 'ipsetflags'.

FYI: Here is the man page for ipset:

https://ipset.netfilter.org/ipset.man.html

Regards,
    Stefan
2012-05-21 06:26:34 -04:00
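
A preflight check for the constraints stated in the commit message above (the referenced ipset must already exist when the rule is created, and the flags are a comma-separated list of up to 6 'src'/'dst' entries), as an added example that is not part of the libvirt commit or code base. The function name `check_ipset_refs`, the set-name whitelist, the requirement that both attributes appear together, and the sample filter and host set list are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MAX_FLAGS = 6                  # commit message: "up to 6 flags"
VALID_FLAGS = {"src", "dst"}   # commit message: flags use 'src' and 'dst'
# Assumption: a conservative whitelist; the page does not define legal set names.
NAME_RE = re.compile(r"[A-Za-z0-9_.:-]{1,31}")

# Constructed sample; only the first rule comes from the commit message.
SAMPLE_FILTER = """
<filter name='ipset-demo'>
  <rule action='accept' direction='in'>
    <all ipset='test' ipsetflags='src,src'/>
  </rule>
  <rule action='drop' direction='in'>
    <all ipset='blocklist' ipsetflags='src,dst,src,dst,src,dst,src'/>
  </rule>
  <rule action='accept' direction='out'>
    <all ipset='resolvers' ipsetflags='dst,dport'/>
  </rule>
  <rule action='drop' direction='in'>
    <all ipset='scanners' ipsetflags='src'/>
  </rule>
</filter>
"""

def check_ipset_refs(filter_xml, existing_sets):
    """Return (match_args, problems) for the ipset references in a filter."""
    match_args, problems = [], []
    for elem in ET.fromstring(filter_xml).iterfind("./rule/*"):
        name, flags = elem.get("ipset"), elem.get("ipsetflags")
        if name is None and flags is None:
            continue                       # rule does not reference an ipset
        if not name or not flags:          # assumption: both are needed, as on the CLI
            problems.append(f"{name or '?'}: ipset and ipsetflags must both be set")
        elif not NAME_RE.fullmatch(name):
            problems.append(f"{name!r}: unexpected characters in set name")
        elif len(parts := flags.split(",")) > MAX_FLAGS:
            problems.append(f"{name}: {len(parts)} flags, at most {MAX_FLAGS} allowed")
        elif bad := [p for p in parts if p not in VALID_FLAGS]:
            problems.append(f"{name}: invalid flag(s) {bad}")
        elif name not in existing_sets:
            problems.append(f"{name}: set not present on host, rule cannot be created")
        else:
            match_args.append(["-m", "set", "--match-set", name, flags])
    return match_args, problems

if __name__ == "__main__":
    # Constructed host state; on a real host the names would come from `ipset list -n`.
    for line in check_ipset_refs(SAMPLE_FILTER, {"test", "blocklist", "resolvers"}):
        print(line)
```

Only the first rule passes. The other three are reported before any VM start would hit a rule that cannot be instantiated.
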
ah-ipv6-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
ah-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
all-ipv6-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
all-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
arp-test.xml nwfilter: enable filtering of gratuitous ARP packets 2011-05-23 19:41:18 -04:00
attr-value-test.xml Add test cases for parsing of list values 2011-11-18 11:58:18 -05:00
chain_prefixtest1.xml Add test cases 2011-11-18 11:58:18 -05:00
comment-test.xml nwfilter: Add a test case for testing the comment attribute 2010-09-30 16:09:04 -04:00
conntrack-test.xml nwfilter: extend schema + add testcase w/ connlimit-above 2010-04-23 11:42:39 -04:00
esp-ipv6-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
esp-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
example-1.xml nwfilter: Add test case for testing the state attribute 2010-10-07 06:43:35 -04:00
example-2.xml nwfilter: Add test case for testing the state attribute 2010-10-07 06:43:35 -04:00
hex-data-test.xml nwfilter: enable hex number inputs in filter XML 2010-04-26 13:50:40 -04:00
icmp-direction2-test.xml nwfilter: More XML parser test cases 2010-04-09 07:25:02 -04:00
icmp-direction3-test.xml nwfilter: More XML parser test cases 2010-04-09 07:25:02 -04:00
icmp-direction-test.xml nwfilter: More XML parser test cases 2010-04-09 07:25:02 -04:00
icmp-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
icmpv6-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
igmp-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
ip-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
ipset-test.xml nwfilter: Add support for ipset 2012-05-21 06:26:34 -04:00
ipt-no-macspoof-test.xml nwfilter: More XML parser test cases 2010-04-09 07:25:02 -04:00
ipv6-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
iter-test1.xml Add test cases for new ways to access variables in filters 2012-01-11 06:42:37 -05:00
iter-test2.xml Add test cases for new ways to access variables in filters 2012-01-11 06:42:37 -05:00
iter-test3.xml Add test cases for new ways to access variables in filters 2012-01-11 06:42:37 -05:00
mac-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
rarp-test.xml nwfilter: add support for RARP protocol 2010-04-27 07:26:12 -04:00
ref-rule-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
ref-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
sctp-ipv6-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
sctp-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
stp-test.xml Add test cases for STP traffic filtering 2011-11-22 15:12:03 -05:00
tcp-ipv6-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
tcp-test.xml nwfilters: support for TCP flags evaluation 2011-04-07 20:13:38 -04:00
udp-ipv6-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
udp-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
udplite-ipv6-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
udplite-test.xml This patch adds a couple of test cases for the XML parsing test suite covering various filterable protocols. For each test case an input XML and an output XML is provided checking the input XML after parsing and converting back into XML against the expected output XML. 2010-04-02 13:28:28 -04:00
vlan-test.xml Add test cases for VLAN traffic filtering 2011-11-19 07:26:56 -05:00