Re: [PATCH] nwfilter: fix typing error in filter

On 01/11/2012 02:57 PM, Eric Blake wrote:
On 01/11/2012 12:42 PM, Stefan Berger wrote:
Fix a typing error in the no-ip-spoofing filter.
Return DHCP request packets passing through this filter. Have
the user use another filter to actually allow DHCP requests to be
sent (action='accept').

---
  examples/xml/nwfilter/no-ip-spoofing.xml |    6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/no-ip-spoofing.xml
+++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -1,7 +1,7 @@
<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
-<!-- allow DHCP requests -->
-<rule action='accept' direction='out' priority='100'>
-<ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68'
srcportend='68'/>
+<!-- allow DHCP requests sent from 0.0.0.0 -->
+<rule action='return' direction='out' priority='100'>
I see how the action='accept' vs. action='return' makes a difference
here, if the user has other rules after calling this filter that they
still want to use.

Right, that's the intention.

+<ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68'
dstportstart='67'/>
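Review bot: the new XML comment on the first added line still reads "allow DHCP requests sent from 0.0.0.0", but the rule below it now has action='return', so this filter no longer allows anything by itself and only hands the packet back to the calling filter. Suggest wording the comment to match the commit message, for example "pass DHCP requests sent from 0.0.0.0 back to the calling filter; another filter must accept them", so that a reader of the example file alone does not assume DHCP is permitted here.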
but I'm a bit lost as to why srcportend='68' needs to be changed to
dstportstart='67'.  Assuming you can explain this change, then

DHCP requests are sent from port 68 on the client to port 67 on the server.

ACK.

Will push later today but will need to update TCK as well.


Meanwhile, this file under examples/ differs from the text in
formatnwfilter.html.in which also defines a filter named no-ip-spoofing;
is that a discrepancy where the docs should be updated to accurately
describe what is our best state-of-the-art in the examples, or is it
something where we should just mention in the docs that the docs are
shorter versions for discussion, and to see examples/ for a more
complete version?  But fixing that can be a separate patch.

I'll look into that...

   Stefan

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
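
The two changes discussed in this thread (action='accept' to action='return', and srcportend='68' to dstportstart='67') can be seen in a simplified model of rule evaluation; this is an added example, not code from libvirt or from the patch. It assumes rules are tried in listed order, that a nested list stands for a referenced filter, and that no-ip-spoofing ends in a catch-all drop; the two calling filters are hypothetical.

```python
# Simplified model of nwfilter rule evaluation; an added example, not libvirt code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src_ip: str
    proto: str
    sport: int
    dport: int

@dataclass
class Rule:
    action: str                    # 'accept', 'drop' or 'return'
    src_ip: Optional[str] = None   # None means "match anything"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src_ip, p.src_ip), (self.proto, p.proto),
                 (self.sport, p.sport), (self.dport, p.dport))
        return all(want is None or want == got for want, got in pairs)

def evaluate(entries, pkt):
    """Walk rules in order; a nested list stands for a referenced filter.
    Returns 'accept' or 'drop', or None when no final verdict was reached."""
    for e in entries:
        if isinstance(e, list):
            verdict = evaluate(e, pkt)
            if verdict is not None:
                return verdict
        elif e.matches(pkt):
            return None if e.action == 'return' else e.action
    return None

def no_ip_spoofing(dhcp_rule):
    # Only the DHCP rule is on the page; the catch-all drop is assumed here.
    return [dhcp_rule, Rule('drop')]

OLD = Rule('accept', '0.0.0.0', 'udp', sport=68)            # srcportstart/end = 68
NEW = Rule('return', '0.0.0.0', 'udp', sport=68, dport=67)  # dstportstart = 67
DHCP_REQ = Packet('0.0.0.0', 'udp', 68, 67)   # constructed sample packets
ODD_UDP = Packet('0.0.0.0', 'udp', 68, 9999)

# Hypothetical calling filters: one blocks DHCP after the reference, one allows it.
def block_dhcp(dhcp_rule):
    return [no_ip_spoofing(dhcp_rule), Rule('drop', proto='udp', dport=67)]

def allow_dhcp(dhcp_rule):
    return [no_ip_spoofing(dhcp_rule), Rule('accept', proto='udp', sport=68, dport=67)]
```

With the old rule, the caller's later drop rule is never reached for a DHCP request, and any UDP packet from 0.0.0.0 port 68 is accepted whatever its destination port; with the new rule, the caller decides and the odd-port packet falls through to the drop.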

