This patch introduces a new ipl4 XML node for filtering of IP layer 4 protocols and their common layer 3 and 2 parameters. Also extend the XML schema, add documentation and test cases. The test cases are also used for TCK test cases. --- docs/formatnwfilter.html.in | 184 +++++++++++++++++++++++++++- docs/schemas/nwfilter.rng | 24 +++ src/conf/nwfilter_conf.c | 64 ++++++++- src/conf/nwfilter_conf.h | 9 + src/nwfilter/nwfilter_ebiptables_driver.c | 39 +++++ tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml | 19 ++ tests/nwfilterxml2xmlin/ipl4-test.xml | 18 ++ tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml | 12 + tests/nwfilterxml2xmlout/ipl4-test.xml | 12 + tests/nwfilterxml2xmltest.c | 2 10 files changed, 372 insertions(+), 11 deletions(-) Index: libvirt-acl/src/conf/nwfilter_conf.c =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.c +++ libvirt-acl/src/conf/nwfilter_conf.c @@ -108,6 +108,7 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V "ah", "sctp", "all", + "ipl4", "tcp-ipv6", "icmpv6", "udp-ipv6", @@ -115,7 +116,8 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V "esp-ipv6", "ah-ipv6", "sctp-ipv6", - "all-ipv6"); + "all-ipv6", + "ipl4-ipv6"); /* @@ -759,8 +761,8 @@ static const struct int_map ipProtoMap[] static bool checkIPProtocolID(enum attrDatatype datatype, union data *value, - virNWFilterRuleDefPtr nwf, - nwItemDesc *item ATTRIBUTE_UNUSED) + virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED, + nwItemDesc *item) { int32_t res = -1; @@ -774,8 +776,8 @@ checkIPProtocolID(enum attrDatatype data } if (res != -1) { - nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8 = res; - nwf->p.ipHdrFilter.ipHdr.dataProtocolID.datatype = datatype; + item->u.u8 = res; + item->datatype = datatype; return true; } return false; 
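Review bot: checkIPProtocolID now stores the validated value through `item` and ignores `nwf`, so its correctness depends on every attribute table pointing `.dataIdx` at a protocol-ID `nwItemDesc`, and nothing near the function says so. I would add a comment above it such as `/* Stores the protocol number in *item; nwf is unused so the callback can be shared by any table whose dataIdx is a dataProtocolID field. */`. The same applies to formatIPProtocolID in the next hunk. The body of checkIPProtocolID is only partly visible here, so it is worth confirming that the elided lines bound the int32_t `res` before it is narrowed into `item->u.u8`.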
@@ -784,21 +786,21 @@ checkIPProtocolID(enum attrDatatype data static bool formatIPProtocolID(virBufferPtr buf, - virNWFilterRuleDefPtr nwf, - nwItemDesc *item ATTRIBUTE_UNUSED) + virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED, + nwItemDesc *item) { const char *str = NULL; bool asHex = true; if (intMapGetByInt(ipProtoMap, - nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8, + item->u.u8, &str) == 0) { virBufferAdd(buf, str, -1); } else { - if (nwf->p.ipHdrFilter.ipHdr.dataProtocolID.datatype == DATATYPE_UINT8) + if (item->datatype == DATATYPE_UINT8) asHex = false; virBufferAsprintf(buf, asHex ? "0x%x" : "%d", - nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8); + item->u.u8); } return true; } @@ -1677,6 +1679,20 @@ static const virXMLAttr2Struct allAttrib } }; +static const virXMLAttr2Struct ipl4Attributes[] = { + COMMON_IP_PROPS(ipl4HdrFilter, DATATYPE_IPADDR, DATATYPE_IPMASK), + { + .name = "protocol", + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX | DATATYPE_STRING, + .dataIdx = offsetof(virNWFilterRuleDef, p.ipl4HdrFilter.ipHdr.dataProtocolID), + .validator= checkIPProtocolID, + .formatter= formatIPProtocolID, + }, + COMMENT_PROP_IPHDR(ipl4HdrFilter), + { + .name = NULL, + } +}; static const virXMLAttr2Struct igmpAttributes[] = { COMMON_IP_PROPS(igmpHdrFilter, DATATYPE_IPADDR, DATATYPE_IPMASK), @@ -1775,6 +1791,20 @@ static const virXMLAttr2Struct allipv6At } }; +static const virXMLAttr2Struct ipl4ipv6Attributes[] = { + COMMON_IP_PROPS(ipl4HdrFilter, DATATYPE_IPV6ADDR, DATATYPE_IPV6MASK), + { + .name = "protocol", + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX | DATATYPE_STRING, + .dataIdx = offsetof(virNWFilterRuleDef, p.ipl4HdrFilter.ipHdr.dataProtocolID), + .validator= checkIPProtocolID, + .formatter= formatIPProtocolID, + }, + COMMENT_PROP_IPHDR(ipl4HdrFilter), + { + .name = NULL, + } +}; typedef struct _virAttributes virAttributes; struct _virAttributes { 
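Review bot: The attribute is registered as `.name = "protocol"` in ipl4Attributes (and again in ipl4ipv6Attributes in the following hunk), and the new test files use `protocol='254'`, but the sections this patch adds to docs/formatnwfilter.html.in document it as `protocolid`. A filter author following the documentation would presumably write an attribute the parser does not recognise. The documentation rows should read `<td>protocol</td>`, and the introductory sentence of the IPv6 section should name `ipl4-ipv6` rather than `ipl4`. The two tables also repeat an identical protocol entry; a shared macro would keep them from drifting apart.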
@@ -1804,6 +1834,7 @@ static const virAttributes virAttr[] = { PROTOCOL_ENTRY("sctp" , sctpAttributes , VIR_NWFILTER_RULE_PROTOCOL_SCTP), PROTOCOL_ENTRY("icmp" , icmpAttributes , VIR_NWFILTER_RULE_PROTOCOL_ICMP), PROTOCOL_ENTRY("all" , allAttributes , VIR_NWFILTER_RULE_PROTOCOL_ALL), + PROTOCOL_ENTRY("ipl4" , ipl4Attributes , VIR_NWFILTER_RULE_PROTOCOL_IPL4), PROTOCOL_ENTRY("igmp" , igmpAttributes , VIR_NWFILTER_RULE_PROTOCOL_IGMP), PROTOCOL_ENTRY("tcp-ipv6" , tcpipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6), PROTOCOL_ENTRY("udp-ipv6" , udpipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6), @@ -1813,6 +1844,7 @@ static const virAttributes virAttr[] = { PROTOCOL_ENTRY("sctp-ipv6" , sctpipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6), PROTOCOL_ENTRY("icmpv6" , icmpv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_ICMPV6), PROTOCOL_ENTRY("all-ipv6" , allipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6), + PROTOCOL_ENTRY("ipl4-ipv6" , ipl4ipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6), PROTOCOL_ENTRY_LAST }; 
@@ -2313,6 +2345,18 @@ virNWFilterRuleDefFixup(virNWFilterRuleD rule->p.allHdrFilter.ipHdr.dataDstIPFrom); break; + case VIR_NWFILTER_RULE_PROTOCOL_IPL4: + case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6: + COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataSrcIPMask, + rule->p.ipl4HdrFilter.ipHdr.dataSrcIPAddr); + COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataDstIPMask, + rule->p.ipl4HdrFilter.ipHdr.dataDstIPAddr); + COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataSrcIPTo, + rule->p.ipl4HdrFilter.ipHdr.dataSrcIPFrom); + COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataDstIPTo, + rule->p.ipl4HdrFilter.ipHdr.dataDstIPFrom); + break; + case VIR_NWFILTER_RULE_PROTOCOL_IGMP: COPY_NEG_SIGN(rule->p.igmpHdrFilter.ipHdr.dataSrcIPMask, rule->p.igmpHdrFilter.ipHdr.dataSrcIPAddr); Index: libvirt-acl/src/conf/nwfilter_conf.h =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.h +++ libvirt-acl/src/conf/nwfilter_conf.h @@ -284,6 +284,12 @@ struct _allHdrFilterDef { ipHdrDataDef ipHdr; }; +typedef struct _ipl4HdrFilterDef ipl4HdrFilterDef; +typedef ipl4HdrFilterDef *ipl4HdrFilterDefPtr; +struct _ipl4HdrFilterDef { + nwItemDesc dataSrcMACAddr; + ipHdrDataDef ipHdr; +}; typedef struct _igmpHdrFilterDef igmpHdrFilterDef; typedef igmpHdrFilterDef *igmpHdrFilterDefPtr; @@ -389,6 +395,7 @@ enum virNWFilterRuleProtocolType { VIR_NWFILTER_RULE_PROTOCOL_AH, VIR_NWFILTER_RULE_PROTOCOL_SCTP, VIR_NWFILTER_RULE_PROTOCOL_ALL, + VIR_NWFILTER_RULE_PROTOCOL_IPL4, VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6, VIR_NWFILTER_RULE_PROTOCOL_ICMPV6, VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6, @@ -397,6 +404,7 @@ enum virNWFilterRuleProtocolType { VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6, VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6, VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6, + VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6, VIR_NWFILTER_RULE_PROTOCOL_LAST }; 
@@ -469,6 +477,7 @@ struct _virNWFilterRuleDef { espHdrFilterDef espHdrFilter; ahHdrFilterDef ahHdrFilter; allHdrFilterDef allHdrFilter; + ipl4HdrFilterDef ipl4HdrFilter; igmpHdrFilterDef igmpHdrFilter; sctpHdrFilterDef sctpHdrFilter; } p; Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1633,6 +1633,43 @@ _iptablesCreateRuleInstance(int directio break; + case VIR_NWFILTER_RULE_PROTOCOL_IPL4: + case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6: + virBufferAsprintf(&buf, + CMD_DEF_PRE "$IPT -%%c %s %%s", + chain); + + if (HAS_ENTRY_ITEM(&rule->p.ipl4HdrFilter.ipHdr.dataProtocolID)) { + if (printDataTypeAsHex(vars, + number, sizeof(number), + &rule->p.ipl4HdrFilter.ipHdr.dataProtocolID) < 0) + goto err_exit; + virBufferAsprintf(&buf, + " -p %s %s", + ENTRY_GET_NEG_SIGN(&rule->p.ipl4HdrFilter.ipHdr.dataProtocolID), + number); + } + + bufUsed = virBufferUse(&buf); + + if (iptablesHandleSrcMacAddr(&buf, + vars, + &rule->p.ipl4HdrFilter.dataSrcMACAddr, + directionIn, + &srcMacSkipped) < 0) + goto err_exit; + + if (iptablesHandleIpHdr(&buf, + &afterStateMatch, + vars, + &rule->p.ipl4HdrFilter.ipHdr, + directionIn, + &skipRule, &skipMatch, + &prefix) < 0) + goto err_exit; + + break; + default: return -1; } @@ -2656,6 +2693,7 @@ ebiptablesCreateRuleInstance(enum virDom case VIR_NWFILTER_RULE_PROTOCOL_ICMP: case VIR_NWFILTER_RULE_PROTOCOL_IGMP: case VIR_NWFILTER_RULE_PROTOCOL_ALL: + case VIR_NWFILTER_RULE_PROTOCOL_IPL4: isIPv6 = 0; rc = iptablesCreateRuleInstance(nwfilter, rule, 
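Review bot: When the rule carries no protocol, the `if (HAS_ENTRY_ITEM(&rule->p.ipl4HdrFilter.ipHdr.dataProtocolID))` branch is skipped and the command is built without any `-p`, so an `ipl4` rule then matches every protocol, just as `all` does. The ipl4-ipv6 test pair in this patch shows an out-of-range `srcipmask='129'` disappearing from the expected output instead of being rejected; if a mistyped protocol value is dropped the same way, an accept rule silently becomes wider than its author wrote. Consider failing closed for this rule type, for example `else goto err_exit;` after the block, or rejecting a missing protocol at parse time. The enclosing _iptablesCreateRuleInstance starts and ends outside the hunk.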
@@ -2673,6 +2711,7 @@ ebiptablesCreateRuleInstance(enum virDom case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6: case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6: + case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6: isIPv6 = 1; rc = iptablesCreateRuleInstance(nwfilter, rule, Index: libvirt-acl/docs/schemas/nwfilter.rng =================================================================== --- libvirt-acl.orig/docs/schemas/nwfilter.rng +++ libvirt-acl/docs/schemas/nwfilter.rng @@ -167,6 +167,18 @@ </optional> <optional> <zeroOrMore> + <element name="ipl4"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-ip-attributes-p2"/> + <ref name="ip-attributes"/> + <ref name="comment-attribute"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> <element name="esp"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> @@ -257,6 +269,18 @@ <ref name="comment-attribute"/> </element> </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="ipl4-ipv6"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ipv6-attributes-p1"/> + <ref name="common-ipv6-attributes-p2"/> + <ref name="ip-attributes"/> + <ref name="comment-attribute"/> + </element> + </zeroOrMore> </optional> <optional> <zeroOrMore> Index: libvirt-acl/tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml 
@@ -0,0 +1,19 @@ +<filter name='testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out'> + <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6' + dstipaddr='a:b:c::d:e:f' dstipmask='128' + srcipaddr='f:e:d::c:b:a' srcipmask='127' + dscp='2' protocol='254'/> + </rule> + <rule action='accept' direction='in'> + <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6' + srcipaddr='a:b:c::' srcipmask='128' + dscp='33' protocol='udp'/> + </rule> + <rule action='accept' direction='in'> + <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6' + srcipaddr='::10.1.2.3' srcipmask='129' + dscp='33' protocol='tcp'/> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmlin/ipl4-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlin/ipl4-test.xml @@ -0,0 +1,18 @@ +<filter name='testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out'> + <ipl4 srcmacaddr='1:2:3:4:5:6' + dstipaddr='10.1.2.3' dstipmask='255.255.255.255' + dscp='2' protocol='254'/> + </rule> + <rule action='accept' direction='in'> + <ipl4 srcmacaddr='1:2:3:4:5:6' + srcipaddr='10.1.2.3' srcipmask='22' + dscp='33' protocol='udp'/> + </rule> + <rule action='accept' direction='in'> + <ipl4 srcmacaddr='1:2:3:4:5:6' + srcipaddr='10.1.2.3' srcipmask='22' + dscp='33' protocol='tcp'/> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml 
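Review bot: The new inputs exercise only a decimal protocol number and the names `udp` and `tcp`, although the attribute is also declared with DATATYPE_UINT8_HEX and formatIPProtocolID has a separate hex output path. Neither input file covers a hex value, a negated match, or a rule without `protocol`, which is the case where the generated iptables rule has no `-p` at all. Adding a rule such as `<ipl4 srcipaddr='10.1.2.3' protocol='0xfe'/>` (constructed example) together with its expected output would pin the round trip for the hex branch.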
@@ -0,0 +1,12 @@ +<filter name='testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out' priority='500'> + <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='f:e:d::c:b:a' srcipmask='127' dstipaddr='a:b:c::d:e:f' dstipmask='128' dscp='2' protocol='254'/> + </rule> + <rule action='accept' direction='in' priority='500'> + <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='a:b:c::' srcipmask='128' dscp='33' protocol='udp'/> + </rule> + <rule action='accept' direction='in' priority='500'> + <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='::10.1.2.3' dscp='33' protocol='tcp'/> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmlout/ipl4-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlout/ipl4-test.xml @@ -0,0 +1,12 @@ +<filter name='testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out' priority='500'> + <ipl4 srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2' protocol='254'/> + </rule> + <rule action='accept' direction='in' priority='500'> + <ipl4 srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='22' dscp='33' protocol='udp'/> + </rule> + <rule action='accept' direction='in' priority='500'> + <ipl4 srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='22' dscp='33' protocol='tcp'/> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmltest.c =================================================================== --- libvirt-acl.orig/tests/nwfilterxml2xmltest.c +++ libvirt-acl/tests/nwfilterxml2xmltest.c @@ -124,6 +124,7 @@ mymain(void) DO_TEST("esp-test", false); DO_TEST("ah-test", false); DO_TEST("all-test", false); + DO_TEST("ipl4-test", false); DO_TEST("tcp-ipv6-test", true); DO_TEST("udp-ipv6-test", true); 
@@ -133,6 +134,7 @@ mymain(void) DO_TEST("esp-ipv6-test", true); DO_TEST("ah-ipv6-test", true); DO_TEST("all-ipv6-test", true); + DO_TEST("ipl4-ipv6-test", true); DO_TEST("ref-test", false); DO_TEST("ref-rule-test", false); Index: libvirt-acl/docs/formatnwfilter.html.in =================================================================== --- libvirt-acl.orig/docs/formatnwfilter.html.in +++ libvirt-acl/docs/formatnwfilter.html.in @@ -1066,7 +1066,7 @@ <tr> <td>protocol</td> <td>UINT8, STRING</td> - <td>Layer 4 protocol identifier</td> + <td>Layer 4 protocol identifier; names of the most common protocols are supported (see 1st column in /etc/protocols)</td> </tr> <tr> <td>srcportstart</td> 
@@ -1510,6 +1510,97 @@ <br/><br/> </p> + <h5><a name="nwfelemsRulesProtoIPl4">IPL4</a> + <span class="since">(Since 0.10.2)</span> + </h5> + <p> + Protocol ID: ipl4; the protocol ID is provided through the protocolid + attribute + <br/> + Note: The chain parameter is ignored for this type of traffic + and should either be omitted or set to <code>root</code>. + </p> + <table class="top_table"> + <tr> + <th> Attribute </th> + <th> Datatype </th> + <th> Semantics </th> + </tr> + <tr> + <td>srcmacaddr</td> + <td>MAC_ADDR</td> + <td>MAC address of sender</td> + </tr> + <tr> + <td>protocolid</td> + <td>UINT8, STRING</td> + <td>Layer 4 protocol ID; names of the most common protocols are supported (see 1st column in /etc/protocols)</td> + </tr> + <tr> + <td>srcipaddr</td> + <td>IP_ADDR</td> + <td>Source IP address</td> + </tr> + <tr> + <td>srcipmask</td> + <td>IP_MASK</td> + <td>Mask applied to source IP address</td> + </tr> + <tr> + <td>dstipaddr</td> + <td>IP_ADDR</td> + <td>Destination IP address</td> + </tr> + <tr> + <td>dstipmask</td> + <td>IP_MASK</td> + <td>Mask applied to destination IP address</td> + </tr> + <tr> + <td>srcipfrom</td> + <td>IP_ADDR</td> + <td>Start of range of source IP address</td> + </tr> + <tr> + <td>srcipto</td> + <td>IP_ADDR</td> + <td>End of range of source IP address</td> + </tr> + <tr> + <td>dstipfrom</td> + <td>IP_ADDR</td> + <td>Start of range of destination IP address</td> + </tr> + <tr> + <td>dstipto</td> + <td>IP_ADDR</td> + <td>End of range of destination IP address</td> + </tr> + <tr> + <td>comment</td> + <td>STRING</td> + <td>text with max. 
256 characters</td> + </tr> + <tr> + <td>state</td> + <td>STRING</td> + <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td> + </tr> + <tr> + <td>ipset</td> + <td>STRING</td> + <td>The name of an IPSet managed outside of libvirt</td> + </tr> + <tr> + <td>ipsetflags</td> + <td>IPSETFLAGS</td> + <td>flags for the IPSet; requires ipset attribute</td> + </tr> + </table> + <p> + <br/><br/> + </p> + <h5><a name="nwfelemsRulesProtoTCP-ipv6">TCP/UDP/SCTP over IPV6</a></h5> <p> 
@@ -1796,6 +1887,97 @@ <td>IPSETFLAGS</td> <td>flags for the IPSet; requires ipset attribute</td> </tr> + </table> + <p> + <br/><br/> + </p> + + <h5><a name="nwfelemsRulesProtoIPl4v6">IPL4 over IPv6</a> + <span class="since">(Since 0.10.2)</span> + </h5> + <p> + Protocol ID: ipl4; the protocol ID is provided through the protocolid + attribute + <br/> + Note: The chain parameter is ignored for this type of traffic + and should either be omitted or set to <code>root</code>. + </p> + <table class="top_table"> + <tr> + <th> Attribute </th> + <th> Datatype </th> + <th> Semantics </th> + </tr> + <tr> + <td>srcmacaddr</td> + <td>MAC_ADDR</td> + <td>MAC address of sender</td> + </tr> + <tr> + <td>protocolid</td> + <td>UINT8, STRING</td> + <td>Layer 4 protocol ID</td> + </tr> + <tr> + <td>srcipaddr</td> + <td>IP_ADDR</td> + <td>Source IP address</td> + </tr> + <tr> + <td>srcipmask</td> + <td>IP_MASK</td> + <td>Mask applied to source IP address</td> + </tr> + <tr> + <td>dstipaddr</td> + <td>IP_ADDR</td> + <td>Destination IP address</td> + </tr> + <tr> + <td>dstipmask</td> + <td>IP_MASK</td> + <td>Mask applied to destination IP address</td> + </tr> + <tr> + <td>srcipfrom</td> + <td>IP_ADDR</td> + <td>Start of range of source IP address</td> + </tr> + <tr> + <td>srcipto</td> + <td>IP_ADDR</td> + <td>End of range of source IP address</td> + </tr> + <tr> + <td>dstipfrom</td> + <td>IP_ADDR</td> + <td>Start of range of destination IP address</td> + </tr> + <tr> + <td>dstipto</td> + <td>IP_ADDR</td> + <td>End of range of destination IP address</td> + </tr> + <tr> + <td>comment</td> + <td>STRING</td> + <td>text with max. 
256 characters</td> + </tr> + <tr> + <td>state</td> + <td>STRING</td> + <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td> + </tr> + <tr> + <td>ipset</td> + <td>STRING</td> + <td>The name of an IPSet managed outside of libvirt</td> + </tr> + <tr> + <td>ipsetflags</td> + <td>IPSETFLAGS</td> + <td>flags for the IPSet; requires ipset attribute</td> + </tr> </table> <p> <br/><br/> -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list