[PATCH V1 6/6] Example of adding a new filter called arpmac.


 



Only as an example show how to add a new 'system filter' called 'arpmac'.
Using 'prefix matching' introduced in previous patches, it generates
a table 'arpmac' that will be jumped into using '-p arp'.

The below patch adds arpmac with a priority of 650, which helps sorting
its entry in the 'root' table.

Since the previous code still doesn't allow arbitrary names, we still need to
add its name to the virNWFilterChainSuffixType enum and the list of strings.

This patch would enable the following filter using the 'arpmac' chain.

<filter name='allow-arpmac' chain='arpmac'>
  <uuid>94abeecc-c956-0ac8-1f49-a06ee8995688</uuid>
  <rule action='accept' direction='out' priority='100'>
    <arp opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
  </rule>
  <rule action='accept' direction='inout' priority='500'/>
</filter>

---
 src/conf/nwfilter_conf.c |    5 ++++-
 src/conf/nwfilter_conf.h |    1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -81,7 +81,8 @@ VIR_ENUM_IMPL(virNWFilterChainSuffix, VI
               "arp",
               "rarp",
               "ipv4",
-              "ipv6");
+              "ipv6",
+              "arpmac");
 
 VIR_ENUM_IMPL(virNWFilterRuleProtocol, VIR_NWFILTER_RULE_PROTOCOL_LAST,
               "none",
@@ -124,6 +125,7 @@ struct int_map {
 #define NWFILTER_IPV4_FILTER_PRI 200
 #define NWFILTER_IPV6_FILTER_PRI 400
 #define NWFILTER_ARP_FILTER_PRI  600
+#define NWFILTER_ARPMAC_FILTER_PRI 650
 #define NWFILTER_RARP_FILTER_PRI 800
 
 static const struct int_map chain_priorities[] = {
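Review bot: `NWFILTER_ARPMAC_FILTER_PRI 650` is added without a comment saying why it sits between the arp (600) and rarp (800) chains, although that position decides where the chain's jump lands in the 'root' table relative to the other ARP-handling chains. If the root table is evaluated in ascending priority (not visible in this hunk), a frame already accepted in the 'arp' chain would presumably never reach 'arpmac', which matters for a chain meant to constrain ARP MAC fields. A one-line comment would record the intent, for example `/* arpmac: sorted after 'arp', before 'rarp' in the root table */`. The matching `INTMAP_ENTRY(NWFILTER_ARPMAC_FILTER_PRI, "arpmac")` in the next hunk is appended after the rarp entry instead of in priority order like the defines; placing it directly after the `"arp"` entry would keep the table consistent with this list. The `chain_priorities[]` initializer starts at the end of this hunk and continues in the next one.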
@@ -132,6 +134,7 @@ static const struct int_map chain_priori
     INTMAP_ENTRY(NWFILTER_IPV6_FILTER_PRI, "ipv6"),
     INTMAP_ENTRY(NWFILTER_ARP_FILTER_PRI , "arp" ),
     INTMAP_ENTRY(NWFILTER_RARP_FILTER_PRI, "rarp"),
+    INTMAP_ENTRY(NWFILTER_ARPMAC_FILTER_PRI, "arpmac"),
     INTMAP_ENTRY_LAST,
 };
 
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -431,6 +431,7 @@ enum virNWFilterChainSuffixType {
     VIR_NWFILTER_CHAINSUFFIX_RARP,
     VIR_NWFILTER_CHAINSUFFIX_IPv4,
     VIR_NWFILTER_CHAINSUFFIX_IPv6,
+    VIR_NWFILTER_CHAINSUFFIX_ARPMAC,
 
     VIR_NWFILTER_CHAINSUFFIX_LAST,
 };

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

