[PATCH] nwfilter: add XML attribute to control match target


 



This patch adds an optional XML attribute to a nwfilter rule that gives the user control over whether the rule uses the match target or not. A rule may now look as follows, with the nomatch attribute set to either '1' or 'true' (case-insensitive).

[...]
<rule action='accept' direction='in' nomatch='true'>
<tcp srcmacaddr='1:2:3:4:5:6'
           srcipaddr='10.1.2.3' srcipmask='32'
           dscp='33'
           srcportstart='20' srcportend='21'
           dstportstart='100' dstportend='1111'/>
</rule>
[...]

I am also extending the nwfilter schema and add this attribute to a test case.

Signed-off-by: Stefan Berger


---
 docs/schemas/nwfilter.rng                 |   10 ++++++++++
 src/conf/nwfilter_conf.c                  |    9 +++++++++
 src/conf/nwfilter_conf.h                  |    5 +++++
 src/nwfilter/nwfilter_ebiptables_driver.c |    3 +++
 tests/nwfilterxml2xmlin/tcp-test.xml      |    4 ++--
 tests/nwfilterxml2xmlout/tcp-test.xml     |    4 ++--
 6 files changed, 31 insertions(+), 4 deletions(-)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1498,6 +1498,9 @@ iptablesCreateRuleInstance(virNWFilterDe
             needState = 0;
     }

+    if ((rule->flags & RULE_FLAG_NO_MATCH))
+        needState = 0;
+
     chainPrefix[0] = 'F';

     maySkipICMP = directionIn || inout;
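Review bot: The new `if ((rule->flags & RULE_FLAG_NO_MATCH))` unconditionally clears needState after the preceding block has already decided it, but neither the hunk nor the commit message says what dropping the state match does to the generated rule. Judging by its name, needState presumably gates an iptables connection-state match (its computation is outside the hunk), so for an action='accept' rule this would admit packets regardless of conntrack state — a deliberate loosening that deserves a comment at the override site, e.g. `/* nomatch='1': the user opted out of the state match; an accept rule then fires regardless of conntrack state */`. The doubled parentheses are also redundant; `if (rule->flags & RULE_FLAG_NO_MATCH)` reads the same. iptablesCreateRuleInstance begins and ends outside this hunk.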
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -1580,6 +1580,7 @@ virNWFilterRuleParse(xmlNodePtr node)
     char *action;
     char *direction;
     char *prio;
+    char *nomatch;
     int found;
     int found_i = 0;
     unsigned int priority;
@@ -1595,6 +1596,7 @@ virNWFilterRuleParse(xmlNodePtr node)
     action    = virXMLPropString(node, "action");
     direction = virXMLPropString(node, "direction");
     prio      = virXMLPropString(node, "priority");
+    nomatch   = virXMLPropString(node, "nomatch");

     if (!action) {
         virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1633,6 +1635,9 @@ virNWFilterRuleParse(xmlNodePtr node)
         }
     }

+    if (nomatch && (STREQ(nomatch, "1") || STRCASEEQ(nomatch, "true")))
+        ret->flags |= RULE_FLAG_NO_MATCH;
+
     cur = node->children;

     found = 0;
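Review bot: Any spelling other than '1'/'true' is silently dropped at `if (nomatch && (STREQ(nomatch, "1") || STRCASEEQ(nomatch, "true")))`, so nomatch='yes', nomatch='TRUE ' or nomatch='0' leaves the flag clear with no diagnostic — for an attribute that changes which packets a firewall rule matches, a typo should be an error, the way the function already reports a missing action a few lines above. Suggest rejecting unrecognised values with something like `else if (nomatch) { virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s", "invalid value for nomatch attribute"); goto <error exit>; }`, using whatever error path the existing attribute checks in this function take (not visible here). Note also that `ret->flags |= RULE_FLAG_NO_MATCH` relies on the freshly allocated ret having flags zeroed, which holds only if the allocation is zero-filling — worth confirming, since the allocation is outside the hunk.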
@@ -1677,6 +1682,7 @@ cleanup:
     VIR_FREE(prio);
     VIR_FREE(action);
     VIR_FREE(direction);
+    VIR_FREE(nomatch);

     return ret;

@@ -2532,6 +2538,9 @@ virNWFilterRuleDefFormat(virNWFilterRule
                       virNWFilterRuleDirectionTypeToString(def->tt),
                       def->priority);

+    if ((def->flags * RULE_FLAG_NO_MATCH))
+        virBufferAddLit(&buf, " nomatch='1'");
+
     i = 0;
     while (virAttr[i].id) {
         if (virAttr[i].prtclType == def->prtclType) {
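Review bot: `if ((def->flags * RULE_FLAG_NO_MATCH))` multiplies where a bit test is intended; it should read `if ((def->flags & RULE_FLAG_NO_MATCH))` to match the parser and the ebiptables driver. Because RULE_FLAG_NO_MATCH is (1 << 0) the product happens to equal flags and the tests pass today, but as soon as a second flag is added to enum virNWFilterRuleFlags the condition is true for any rule with any flag set, and nomatch='1' would be formatted for rules that never asked for it. virNWFilterRuleDefFormat begins and ends outside this hunk.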
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -345,11 +345,16 @@ enum virNWFilterEbtablesTableType {

 # define MAX_RULE_PRIORITY  1000

+enum virNWFilterRuleFlags {
+    RULE_FLAG_NO_MATCH = (1 << 0),
+};
+

 typedef struct _virNWFilterRuleDef  virNWFilterRuleDef;
 typedef virNWFilterRuleDef *virNWFilterRuleDefPtr;
 struct _virNWFilterRuleDef {
     unsigned int priority;
+    enum virNWFilterRuleFlags flags;
     int action; /*enum virNWFilterRuleActionType*/
     int tt; /*enum virNWFilterRuleDirectionType*/
     enum virNWFilterRuleProtocolType prtclType;
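Review bot: `enum virNWFilterRuleFlags flags;` stores a bitmask in an enum-typed field, while the parser writes it with `ret->flags |= RULE_FLAG_NO_MATCH`, whose int result is only implicitly converted back to the enum; once a second flag exists the field holds values that are not enumerators, which defeats enum-based diagnostics and trips compilers that are strict about enum conversions. Declaring it `unsigned int flags; /* bitmask of enum virNWFilterRuleFlags */` is the usual shape and documents what the field holds. The struct _virNWFilterRuleDef continues past the end of this hunk.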
Index: libvirt-acl/docs/schemas/nwfilter.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -299,6 +299,11 @@
<ref name='priority-type'/>
</attribute>
</optional>
+ <optional>
+ <attribute name="nomatch">
+ <ref name='nomatch-type'/>
+ </attribute>
+ </optional>
</define>

<define name="match-attribute">
@@ -816,4 +821,9 @@
<param name="maxInclusive">1000</param>
</data>
</define>
+ <define name='nomatch-type'>
+ <data type="string">
+ <param name="pattern">([Tt][Rr][Uu][Ee]|1)</param>
+ </data>
+ </define>
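Review bot: The `nomatch-type` pattern `([Tt][Rr][Uu][Ee]|1)` admits only the enabling spellings, so a rule that states the default explicitly — nomatch='false' or nomatch='0' — fails schema validation instead of meaning "keep the state match", and the set of values the schema accepts differs from what the parser accepts (the parser silently ignores anything else rather than rejecting it). Widening the pattern to `<param name="pattern">([Tt][Rr][Uu][Ee]|[Ff][Aa][Ll][Ss][Ee]|1|0)</param>` and having the parser treat the negative spellings as clearing the flag would make the attribute symmetric. Independently, the series updates the schema and test fixtures but appears to carry no user-facing documentation for the new attribute, which should at least say that nomatch disables the connection-state match on the rule.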
</grammar>
Index: libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmlin/tcp-test.xml
+++ libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml
@@ -5,14 +5,14 @@
           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
           dscp='2'/>
</rule>
- <rule action='accept' direction='in'>
+ <rule action='accept' direction='in' nomatch='true'>
<tcp srcmacaddr='1:2:3:4:5:6'
           srcipaddr='10.1.2.3' srcipmask='32'
           dscp='33'
           srcportstart='20' srcportend='21'
           dstportstart='100' dstportend='1111'/>
</rule>
- <rule action='accept' direction='in'>
+ <rule action='accept' direction='in' nomatch='1'>
<tcp srcmacaddr='1:2:3:4:5:6'
           srcipaddr='10.1.2.3' srcipmask='32'
           dscp='63'
Index: libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmlout/tcp-test.xml
+++ libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml
@@ -3,10 +3,10 @@
<rule action='accept' direction='out' priority='500'>
<tcp srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2'/>
</rule>
- <rule action='accept' direction='in' priority='500'>
+ <rule action='accept' direction='in' priority='500' nomatch='1'>
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/>
</rule>
- <rule action='accept' direction='in' priority='500'>
+ <rule action='accept' direction='in' priority='500' nomatch='1'>
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' srcportstart='255' srcportend='256' dstportstart='65535'/>
</rule>
</filter>


