Eric,

Thanks -- looks good to me.

"return" is useful for doing multiple chains on one packet -- "drop" if it isn't acceptable and "return" to do further checks in other chains for the acceptable ones. The current fixed set of protocol chains are mutually exclusive, which makes "return" not very interesting. It'll be very useful with user-defined chains, a separate MAC address chain that does protocol checks on the same packet after, or a separate IP source address chain to do multiple address checks before other port or higher protocol checks. Patches for at least one of these should go in soon, I expect, and that will allow a nontrivial example for the documentation.

With the current chains, a "return" will just get you to a "drop" or "accept" in the caller without any further checks on the same packet, so a "return" example with existing chains would be artificial. I'll do an example when one of the above use cases is in: probably best to leave it at what you have now until then.

+-DLS

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list