git.ipfire.org Git - thirdparty/libvirt.git/commit
Interleave jumping into chains with filtering rules in 'root' table
author Stefan Berger <stefanb@linux.vnet.ibm.com>
Fri, 18 Nov 2011 16:58:18 +0000 (11:58 -0500)
committer Stefan Berger <stefanb@us.ibm.com>
Fri, 18 Nov 2011 16:58:18 +0000 (11:58 -0500)
commit 6aa99120fa202279040f94ee3174e5a22c27ddf2
tree 9d4aa1ecd4c991c8086a8390ea8680b2e4441033
parent f6e80a713f8a3029b1ea4b557db06bdad2649dc9
Interleave jumping into chains with filtering rules in 'root' table

The previous patch extends the priority of filtering rules into negative
numbers. We now use this possibility to interleave the jumping into
chains with filtering rules to, for example, create the 'root' table of
an interface with the following sequence of rules:

Bridge chain: libvirt-I-vnet0, entries: 6, policy: ACCEPT
-p IPv4 -j I-vnet0-ipv4
-p ARP -j I-vnet0-arp
-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-j DROP

The '-p ARP -j ACCEPT' rule now appears between the jumps.
Since the 'arp' chain has been assigned priority -700 and the 'rarp'
chain -600, the above ordering can now be achieved with the following
rule:

  <rule action='accept' direction='out' priority='-650'>
    <mac protocolid='arp'/>
  </rule>

This patch now sorts the commands generating the above shown jumps into
chains and interleaves their execution with those for generating rules.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
src/nwfilter/nwfilter_ebiptables_driver.c
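The ordering the commit message describes can be reproduced with a small standalone model of the sort it introduces. The following C program is an added illustration written for this page, not libvirt code and not taken from the patch: it represents each chain jump and each filtering rule as a command with a priority, then builds the 'root' chain once the pre-patch way (all jumps first, then rules) and once the way this commit does it (jumps and rules merged by priority). The arp chain priority (-700), the rarp chain priority (-600) and the user rule at -650 are the values given in the commit message; the ipv4 chain priority (-800), the rarp accept rule (-550) and the final drop (0) are assumed values chosen only to reproduce the listed order, and the ebtables rule strings are written out by hand.

```c
/* Added illustration (not libvirt code): interleaving chain jumps with
 * filtering rules by priority to obtain the 'root' chain shown in the
 * commit message. Priorities -700 (arp chain), -600 (rarp chain) and -650
 * (user rule) come from the commit; all other priorities are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { CMD_JUMP = 0, CMD_RULE = 1 };

struct cmd {
    int kind;         /* CMD_JUMP: jump into a protocol chain; CMD_RULE: filtering rule */
    int priority;     /* lower runs first; negative values sort among the chain jumps */
    int seq;          /* insertion order, used as a stable tie-break */
    const char *text; /* ebtables rule as it would appear in the 'root' chain */
};

#define MAX_CMDS 16

struct chain {
    struct cmd cmds[MAX_CMDS];
    int n;
};

static void chain_add(struct chain *c, int kind, int priority, const char *text)
{
    if (c->n >= MAX_CMDS)
        return;
    c->cmds[c->n].kind = kind;
    c->cmds[c->n].priority = priority;
    c->cmds[c->n].seq = c->n;
    c->cmds[c->n].text = text;
    c->n++;
}

/* Post-patch behaviour: jumps and rules are one list sorted by priority. */
static int cmp_priority(const void *a, const void *b)
{
    const struct cmd *x = a, *y = b;
    if (x->priority != y->priority)
        return x->priority < y->priority ? -1 : 1;
    return x->seq - y->seq;   /* stable: equal priorities keep insertion order */
}

/* Pre-patch behaviour: every chain jump precedes every filtering rule. */
static int cmp_jumps_first(const void *a, const void *b)
{
    const struct cmd *x = a, *y = b;
    if (x->kind != y->kind)
        return x->kind - y->kind;   /* CMD_JUMP (0) before CMD_RULE (1) */
    return cmp_priority(a, b);
}

/* Build the 'root' chain for vnet0; interleave=1 models this commit,
 * interleave=0 the previous "jumps first, rules afterwards" layout. */
static void build_root_chain(struct chain *c, int interleave)
{
    c->n = 0;
    /* chain jumps: ipv4 priority is assumed, arp/rarp are from the commit */
    chain_add(c, CMD_JUMP, -800, "-p IPv4 -j I-vnet0-ipv4");
    chain_add(c, CMD_JUMP, -700, "-p ARP -j I-vnet0-arp");
    chain_add(c, CMD_JUMP, -600, "-p 0x8035 -j I-vnet0-rarp");
    /* filtering rules: -650 is the commit's example; -550 and 0 are assumed */
    chain_add(c, CMD_RULE, -650, "-p ARP -j ACCEPT");
    chain_add(c, CMD_RULE, -550, "-p 0x8035 -j ACCEPT");
    chain_add(c, CMD_RULE, 0, "-j DROP");
    qsort(c->cmds, (size_t)c->n, sizeof(c->cmds[0]),
          interleave ? cmp_priority : cmp_jumps_first);
}

/* Position of the first command whose text matches exactly, or -1. */
static int chain_index_of(const struct chain *c, const char *text)
{
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->cmds[i].text, text) == 0)
            return i;
    return -1;
}

int main(void)
{
    struct chain c;
    for (int mode = 0; mode < 2; mode++) {
        build_root_chain(&c, mode);
        printf("Bridge chain: libvirt-I-vnet0, entries: %d (%s)\n", c.n,
               mode ? "interleaved by priority" : "jumps first");
        for (int i = 0; i < c.n; i++)
            printf("%s\n", c.cmds[i].text);
        printf("\n");
    }
    return 0;
}
```

Running it prints both layouts; in the interleaved one the '-p ARP -j ACCEPT' rule lands directly after the jump into the arp chain and before the jump into the rarp chain, exactly as in the listing above, whereas in the jumps-first layout the same rule can only appear after the last jump. The stable tie-break on insertion order matters in practice: two entries with the same priority must not swap places between runs, or the generated chain would differ from one filter reload to the next.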