Re: Appending REJECT rules.

On 05/18/2011 03:10 PM, Stephen O'Dor wrote:
> Greetings folks,

Hello, and sorry for the delayed response.  Looks like this fell through
the cracks, because it wasn't in traditional 'git format-patch' style.

> 
> I've patched the libvirt iptables interface to append its REJECT
> rules rather than insert at the head. Idea being that I'm not the only
> person who usually puts the REJECTs at the end of a chain.
> 
> In my particular case any custom ACCEPT rules involving the bridge
> interfaces would get pushed below the rules that libvirt puts in to
> REJECT everything on the bridge interface.
> 
> I'm using the routed network mode, I have no idea if this hurts any
> other network mode.

Stefan is probably the best person to comment on whether this makes sense.

> 
> Thanks,
> 
> -Steve
> 
> 
> --- iptables.c  2011-02-28 23:03:32.000000000 -0800
> +++ iptables.c_new      2011-05-18 14:00:59.110855881 -0700
> @@ -51,7 +51,8 @@
> 
>  enum {
>      ADD = 0,
> -    REMOVE
> +    REMOVE,
> +    APPEND
>  };
> 
>  typedef struct
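Review bot: the new APPEND member and the existing ADD are left uncommented, and once both exist the name ADD is ambiguous (both add a rule; ADD actually means insert at the head of the chain). Either rename ADD to INSERT or add a one-line comment per member stating which iptables operation it maps to, so the three-way mapping in the argument builder below reads unambiguously.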
> @@ -111,7 +112,7 @@
>                          ? IP6TABLES_PATH : IPTABLES_PATH);
> 
>      virCommandAddArgList(cmd, "--table", rules->table,
> -                         action == ADD ? "--insert" : "--delete",
> +                         action == ADD ? "--insert" : action ==
> REMOVE ? "--delete" : "--append",
>                           rules->chain, arg, NULL);
> 
>      va_start(args, arg);
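Review bot: the replacement line in this hunk has been wrapped by the mail client ("action ==" / "REMOVE ? "--delete" : "--append","), so the patch will not apply as posted; please resend with git format-patch or as an attachment. On readability, a nested ternary inside the virCommandAddArgList call is hard to scan; a small switch over action that yields "--insert", "--delete" or "--append" would be clearer. On behaviour, --insert without a rule number places the rule at position 1 while --append places it last, so a REJECT issued with APPEND only takes effect if no earlier rule in the chain already accepts the traffic. That is the stated intent of the cover note, but it makes libvirt's bridge-isolation REJECT depend on whatever FORWARD rules the administrator already has, so this looks like something to expose as an option rather than change as the default for every deployment.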
> @@ -666,7 +667,7 @@
>                              int family,
>                              const char *iface)
>  {
> -    return iptablesForwardRejectOut(ctx, family, iface, ADD);
> +    return iptablesForwardRejectOut(ctx, family, iface, APPEND);
>  }
> 
>  /**
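Review bot: only the add path changes here; the removal counterpart of iptablesForwardRejectOut is not in this diff, and since --delete matches on the rule specification rather than on position it should need no change, but that is worth confirming rather than assuming. The doc comment for this function (outside the hunk) should also be updated to say the REJECT rule is appended to the tail of the chain, because callers that relied on head insertion for ordering will otherwise be misled.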
> @@ -722,7 +723,7 @@
>                             int family,
>                             const char *iface)
>  {
> -    return iptablesForwardRejectIn(ctx, family, iface, ADD);
> +    return iptablesForwardRejectIn(ctx, family, iface, APPEND);
>  }
> 
>  /**
> 
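Review bot: with both the RejectIn and RejectOut rules now appended, libvirt's own relative ordering is preserved only as long as its matching ACCEPT rules for the bridge (not in this diff) are still inserted at the head; if a chain already ends with an administrator's catch-all rule, these appended REJECTs land after it and are never reached. The cover note says only routed mode was tried, so this needs a test on a FORWARD chain that already contains rules, in both routed and NAT modes, before it is merged.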
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
> 

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
