On 10/06/2010 12:56 PM, Stefan Berger wrote:
+ <h3><a name="nwfwriteexample2nd">Second example custom filter</a></h3> + <p> + In this example we now want to build a similar filter as in the + example above, but extend the list of requirements with an + ftp server located inside the VM. Further, we will be using features + that have been added in <span class="since">version 0.8.5</span>. + The requirements for this filter shall be:
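Review bot: "build a similar filter as in the example above" is ungrammatical; suggest "build a filter similar to the one in the example above" (or "the same kind of filter as in the example above"). Also "the list of requirements with an ftp server" reads as if the server is a requirement; "extend the requirements to cover an ftp server running inside the VM" says what is meant.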
s/shall be/are/
+ The 1st solution makes use of the <code>state</code> attribute of + the TCP protocol that gives us a hook into the connection tracking + framework of the Linux host. For the VM-initiated ftp data connection + (ftp active mode) we use the <code>RELATED</code> state that allows + us to detect that the VM-initated ftp data connection is a consequence of
s/initated/initiated/
+ ( or 'has a relationship with' ) an existing ftp control connection, + thus we want to allow it to let packets + pass the firewall. The <code>RELATED</code> state, however, is only + valid for the very first packet of the outgoing TCP connection for the + ftp data path. Afterwards, the state to compare against is + <code>ESTABLISHED</code>, which then applies equally + to the incoming and outgoing direction. All this is related to the ftp + data traffic origination from TCP port 20 of the VM. This then leads to
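Review bot: the parenthetical "( or 'has a relationship with' )" has stray spaces inside the parentheses; the rest of this file does not space them, so write "(or 'has a relationship with')". In the same sentence "we want to allow it to let packets pass the firewall" says the same thing twice; "so we want to let its packets pass the firewall" is enough. The sentence ends with "This then leads to" and nothing follows in the hunk, so please check that the text it introduces (presumably the rule listing) was not dropped from the patch.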
s/origination/originating/
+ <p> + Before trying out a filter using the <code>RELATED</code> state, + you have to make sure that the approriate connection tracking module
s/approriate/appropriate/

Other than those nits, looks good to me.

--
Eric Blake eblake@xxxxxxxxxx +1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list