Re: [libvirt PATCHv3 05/10] allow chain modification

On 10/17/2011 01:58 PM, David Stevens wrote:
Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> wrote on 10/17/2011 10:31:29 AM:


was not.
Yes, then I understood this correctly. See the other mails regarding the
problems I am seeing with it. If there was a way to figure out at what
position to insert a rule into an existing chain, i.e. at position 5,
rather than always at the end, we could use this addRules() call,
otherwise I find it very limiting.
I'm not sure if I answered this already for you or not, but you can -- by using the priority in the rule. If we don't use the policy and so have to have a "-j DROP" at the end, then we'd want the original filter to use "-1" (if I'm remembering correctly -- 1 before end??). You can specify the rule be added at any point; "IP" rules would all have the same priority, because they originate from the same line in the filter, but you can use the priority to offset from the end or beginning, or any fixed point in the chain.

+-DLS

PS - I haven't tried using negative priorities with nwfilter, but ebtables/iptables supports it, at least.
The ebtables / iptables insertion of rules is based on the position of the rule relative to other existing rules and has nothing to do with nwfilter priority, which serves sorting of rules relative to each other beyond what their occurrence in the XML provides. So the priority doesn't map directly into the position of the rule as ebtables/iptables needs it.

    Stefan
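The disagreement above is about translating a sort key (nwfilter priority) into the 1-based rule number that `iptables -I CHAIN N` / `ebtables -I CHAIN N` actually take. The following is an added illustration, not libvirt or nwfilter code and not anything from the thread's authors; it assumes a convention of its own (lower priority number sorts earlier, equal priorities keep arrival order, and a chain-closing `-j DROP` is flagged as terminal so nothing is ever inserted behind it). Rule specs, priorities and the `FORWARD` chain name are constructed sample data.

```python
"""Map rule priorities to iptables/ebtables insert positions.

Added example for the thread above; it is not libvirt/nwfilter code and it
assumes a sorting convention (lower priority number = earlier in the chain,
stable for equal priorities) that is illustrative, not nwfilter's actual one.
"""
from bisect import bisect_right
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    priority: int           # assumed: lower value = earlier in the chain
    spec: str               # match + target as passed to iptables/ebtables
    terminal: bool = False  # the chain's closing "-j DROP": must stay last


def insert_position(chain: List[Rule], new_rule: Rule) -> int:
    """1-based position for `iptables -I CHAIN N ...` (or `ebtables -I`) so that
    the chain stays sorted by priority after the insert.

    bisect_right keeps arrival order among equal priorities, which is what the
    "all IP rules share a priority because they come from one filter line"
    case needs. A terminal DROP at the end is never overtaken: a rule placed
    behind it would be unreachable.
    """
    keys = [r.priority for r in chain]
    pos = bisect_right(keys, new_rule.priority) + 1
    if chain and chain[-1].terminal:
        pos = min(pos, len(chain))
    return pos


def plan_insert(chain_name: str, chain: List[Rule], new_rule: Rule) -> str:
    """Render the command that inserts new_rule at the computed position and
    record the insert in the in-memory view of the chain."""
    pos = insert_position(chain, new_rule)
    chain.insert(pos - 1, new_rule)
    return f"iptables -I {chain_name} {pos} {new_rule.spec}"


def build_chain(arrivals: List[Rule]) -> List[str]:
    """Feed rules in arrival order through plan_insert and return the resulting
    rule order; it matches a stable sort by priority, which is the property a
    priority-to-position mapping must preserve."""
    chain: List[Rule] = []
    for r in arrivals:
        plan_insert("FORWARD", chain, r)
    return [r.spec for r in chain]


# Constructed sample: an existing chain that already ends in a DROP.
SAMPLE_CHAIN = [
    Rule(100, "-p tcp --dport 22 -j ACCEPT"),
    Rule(200, "-p udp --dport 53 -j ACCEPT"),
    Rule(500, "-j DROP", terminal=True),
]

if __name__ == "__main__":
    chain = list(SAMPLE_CHAIN)
    # same priority as the existing DNS rule: lands right after it, before DROP
    print(plan_insert("FORWARD", chain, Rule(200, "-p tcp --dport 443 -j ACCEPT")))
    # priority beyond the DROP: capped so the rule stays reachable
    print(plan_insert("FORWARD", chain, Rule(9999, "-p icmp -j ACCEPT")))
    for i, r in enumerate(chain, 1):
        print(i, r.priority, r.spec)
```

The point of keeping an in-memory copy of the chain is that the rule number handed to `-I` is only meaningful relative to the rules already present; without that view, a priority alone says nothing about where position 5 is.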

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
