mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-07-30 21:47:18 +00:00
51d3fb0276
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the iptables state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive).
[...]
<rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
[...]
I am also extending the nwfilter schema and add this attribute to a test case.
13 lines
725 B
XML
13 lines
725 B
XML
<filter name='testcase' chain='root'>
|
|
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
|
|
<rule action='accept' direction='out' priority='500'>
|
|
<tcp srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2'/>
|
|
</rule>
|
|
<rule action='accept' direction='in' priority='500' statematch='false'>
|
|
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/>
|
|
</rule>
|
|
<rule action='accept' direction='in' priority='500' statematch='false'>
|
|
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' srcportstart='255' srcportend='256' dstportstart='65535'/>
|
|
</rule>
|
|
</filter>
|