mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-09-09 17:24:53 +00:00
51d3fb0276
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the iptables state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive).
[...]
<rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
[...]
I am also extending the nwfilter schema and add this attribute to a test case.
23 lines
793 B
XML
23 lines
793 B
XML
<filter name='testcase' chain='root'>
|
|
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
|
|
<rule action='accept' direction='out'>
|
|
<tcp srcmacaddr='1:2:3:4:5:6'
|
|
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
|
|
dscp='2'/>
|
|
</rule>
|
|
<rule action='accept' direction='in' statematch='false'>
|
|
<tcp srcmacaddr='1:2:3:4:5:6'
|
|
srcipaddr='10.1.2.3' srcipmask='32'
|
|
dscp='33'
|
|
srcportstart='20' srcportend='21'
|
|
dstportstart='100' dstportend='1111'/>
|
|
</rule>
|
|
<rule action='accept' direction='in' statematch='0'>
|
|
<tcp srcmacaddr='1:2:3:4:5:6'
|
|
srcipaddr='10.1.2.3' srcipmask='32'
|
|
dscp='63'
|
|
srcportstart='255' srcportend='256'
|
|
dstportstart='65535' dstportend='65536'/>
|
|
</rule>
|
|
</filter>
|