Re: [libvirt] [PATCH v1 2/2] Add ip6tables support for IPv6 filtering

Daniel Veillard <veillard@xxxxxxxxxx> wrote on 03/30/2010 10:02:09 AM:

> On Fri, Mar 26, 2010 at 04:41:19PM -0400, Stefan Berger wrote:
> > This patch adds IPv6 filtering support for the following protocols:
> > - tcp-ipv6
> > - udp-ipv6
> > - udplite-ipv6
> > - esp-ipv6
> > - ah-ipv6
> > - sctp-ipv6
> > - all-ipv6
> > - icmpv6
> >
> >
> > Many of the IPv4 data structures could be re-used for IPv6 support.
> > Since ip6tables also supports pretty much the same command line parameters
> > as iptables does, also much of the code could be re-used and now
> > command lines are invoked with the ip(6)tables tool parameter passed
> > through the functions as a parameter.
> >
> > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
> >
> >
> > ---
> >  configure.ac                              |    3
> >  src/conf/nwfilter_conf.c                  |  165 +++++++++++++++--
> >  src/conf/nwfilter_conf.h                  |    8
> >  src/nwfilter/nwfilter_ebiptables_driver.c |  287 ++++++++++++++++
> ++++++--------
> >  src/nwfilter/nwfilter_ebiptables_driver.h |    2
> >  5 files changed, 370 insertions(+), 95 deletions(-)
> >
> > Index: libvirt-acl/configure.ac
> > ===================================================================
> > --- libvirt-acl.orig/configure.ac
> > +++ libvirt-acl/configure.ac
> > @@ -300,6 +300,9 @@ AC_DEFINE_UNQUOTED([BASH_PATH], "$BASH_P
> >  AC_PATH_PROG([IPTABLES_PATH], [iptables], /sbin/iptables, [/usr/
> sbin:$PATH])
> >  AC_DEFINE_UNQUOTED([IPTABLES_PATH], "$IPTABLES_PATH", [path to
> iptables binary])
> >  
> > +AC_PATH_PROG([IP6TABLES_PATH], [ip6tables], /sbin/ip6tables, [/
> usr/sbin:$PATH])
> > +AC_DEFINE_UNQUOTED([IP6TABLES_PATH], "$IP6TABLES_PATH", [path to
> ip6tables binary])
> > +
> >  AC_PATH_PROG([EBTABLES_PATH], [ebtables], /sbin/ebtables, [/usr/
> sbin:$PATH])
> >  AC_DEFINE_UNQUOTED([EBTABLES_PATH], "$EBTABLES_PATH", [path to
> ebtables binary])
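
Review bot: The added AC_PATH_PROG([IP6TABLES_PATH], ...) line passes /sbin/ip6tables as the default, so configure still succeeds and IP6TABLES_PATH is defined even when ip6tables is not installed on the build host, and nothing in this hunk reports that case. Consider checking after the lookup that the resulting path is executable and issuing a configure warning if it is not, or resolving the binary at run time, so a host without ip6tables gets a clear error instead of a failed exec of a compiled-in path.
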
>
>   The patch looks fine, based on the existing code, but I'm a bit
> surprised by the fact that while there is a lookup for
> ip6tables/iptables at configure time, i.e. when it's compiled, there
> is no check at runtime to verify that the binaries which were detected
> then are actually available on the target.
>   I think some of this should be relaxed like we do for other commands
> launched at runtime and somehow we should instead use
>   virFindFileInPath() from util.h
> to find the location of the preferred ip[6]tables.


I followed a previous example of what was originally ebtables that's detected like this as well. Sure, this can be changed to rely on the function you are mentioning.

Pushed.

Regards,
   Stefan

>
>   ACK,
>
> Daniel
>
> --
> Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
> daniel@xxxxxxxxxxxx  | Rpmfind RPM search engine http://rpmfind.net/
> http://veillard.com/ | virtualization library  http://libvirt.org/
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
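
The runtime check discussed in this thread, sketched as an added example in plain C; it is not libvirt code and not virFindFileInPath() itself. `resolve_tool` is a hypothetical helper that searches PATH first and falls back to the configure-time path, assumed here to be the patch's default /sbin/ip6tables.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define IP6TABLES_PATH "/sbin/ip6tables" /* configure-time default from the patch */

/* 1 if path is a regular file this process may execute. */
static int is_executable(const char *path)
{
    struct stat sb;
    return stat(path, &sb) == 0 && S_ISREG(sb.st_mode) && access(path, X_OK) == 0;
}

/* Hypothetical helper: find name in the colon-separated search_path, else
 * fall back to build_default. Returns 0 and fills out, or -1 if absent. */
int resolve_tool(const char *name, const char *search_path,
                 const char *build_default, char *out, size_t outlen)
{
    const char *p = search_path ? search_path : "";
    while (*p) {
        size_t len = strcspn(p, ":");
        /* Only absolute directories: empty or relative entries would make
         * a root daemon search its current working directory. */
        if (len > 0 && p[0] == '/' &&
            (size_t)snprintf(out, outlen, "%.*s/%s", (int)len, p, name) < outlen &&
            is_executable(out))
            return 0;
        p += len + (p[len] == ':');
    }
    if (build_default && is_executable(build_default) &&
        (size_t)snprintf(out, outlen, "%s", build_default) < outlen)
        return 0;
    if (outlen)
        out[0] = '\0';
    return -1;
}

int main(void)
{
    char tool[4096];
    int rc = resolve_tool("ip6tables", getenv("PATH"), IP6TABLES_PATH,
                          tool, sizeof(tool));
    puts(rc == 0 ? tool : "ip6tables not found; IPv6 filters unavailable");
    return rc == 0 ? 0 : 1;
}
```

Calling this once when the driver starts lets IPv6 rules be rejected with a clear message on hosts where the binary is missing.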
