mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-07-01 15:42:39 +00:00
6ab24feb44
This patch adds support for the evaluation of TCP flags in nwfilters.
It adds documentation to the web page and extends the tests as well.
Also, the nwfilter schema is extended.
The following are some example for rules using the tcp flags:
<rule action='accept' direction='in'>
<tcp state='NONE' flags='SYN/ALL' dsptportstart='80'/>
</rule>
<rule action='drop' direction='in'>
<tcp state='NONE' flags='SYN/ALL'/>
</rule>
25 lines
1.1 KiB
XML
25 lines
1.1 KiB
XML
<filter name='testcase' chain='root'>
|
|
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
|
|
<rule action='accept' direction='out' priority='500'>
|
|
<tcp srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2'/>
|
|
</rule>
|
|
<rule action='accept' direction='in' priority='500' statematch='false'>
|
|
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/>
|
|
</rule>
|
|
<rule action='accept' direction='in' priority='500' statematch='false'>
|
|
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' srcportstart='255' srcportend='256' dstportstart='65535'/>
|
|
</rule>
|
|
<rule action='accept' direction='in' priority='500'>
|
|
<tcp state='NONE' flags='SYN/ALL'/>
|
|
</rule>
|
|
<rule action='accept' direction='in' priority='500'>
|
|
<tcp state='NONE' flags='SYN/SYN,ACK'/>
|
|
</rule>
|
|
<rule action='accept' direction='in' priority='500'>
|
|
<tcp state='NONE' flags='RST/NONE'/>
|
|
</rule>
|
|
<rule action='accept' direction='in' priority='500'>
|
|
<tcp state='NONE' flags='PSH/NONE'/>
|
|
</rule>
|
|
</filter>
|