nwfilter: add XML attribute to control iptables state match
authorStefan Berger <stefanb@us.ibm.com>
Thu, 17 Jun 2010 18:12:34 +0000 (14:12 -0400)
committerStefan Berger <stefanb@us.ibm.com>
Thu, 17 Jun 2010 18:12:34 +0000 (14:12 -0400)
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the iptables state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive).

[...]
<rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
           srcipaddr='10.1.2.3' srcipmask='32'
           dscp='33'
           srcportstart='20' srcportend='21'
           dstportstart='100' dstportend='1111'/>
</rule>
[...]

I am also extending the nwfilter schema and adding this attribute to a test case.

docs/schemas/nwfilter.rng
src/conf/nwfilter_conf.c
src/conf/nwfilter_conf.h
src/nwfilter/nwfilter_ebiptables_driver.c
tests/nwfilterxml2xmlin/tcp-test.xml
tests/nwfilterxml2xmlout/tcp-test.xml

index e8be9fce1742d228764c5e95e781e8833bae2d95..262e420106dc6efde5a7ee2cc4bc9a904114eb49 100644 (file)
         <ref name='priority-type'/>
       </attribute>
     </optional>
+    <optional>
+      <attribute name="statematch">
+        <ref name='statematch-type'/>
+      </attribute>
+    </optional>
   </define>
 
   <define name="match-attribute">
         <param name="maxInclusive">1000</param>
       </data>
   </define>
+  <define name='statematch-type'>
+    <data type="string">
+      <param name="pattern">([Ff][Aa][Ll][Ss][Ee]|0)</param>
+    </data>
+  </define>
 </grammar>
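Review bot: The new statematch-type pattern admits only the opt-out spellings ('false' in any case, or '0'), so a document that states the default explicitly with statematch='true' or statematch='1' fails schema validation, while the parser in src/conf/nwfilter_conf.c ignores any value it does not recognise and keeps the state match. Either the schema should also accept the affirmative form, e.g. `<param name="pattern">([Ff][Aa][Ll][Ss][Ee]|0|[Tt][Rr][Uu][Ee]|1)</param>`, or the parser should reject what the schema rejects, so that the two agree on what a valid rule is. A short comment on the define saying that the attribute is a boolean whose absence means "use the state match" would also help readers of the schema.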
index fc6d4617bdce986475ac0163f4a99ddc6521fa4d..fd3d805077d6b52364192fac675c3dd297a6a789 100644 (file)
@@ -1580,6 +1580,7 @@ virNWFilterRuleParse(xmlNodePtr node)
     char *action;
     char *direction;
     char *prio;
+    char *statematch;
     int found;
     int found_i = 0;
     unsigned int priority;
@@ -1595,6 +1596,7 @@ virNWFilterRuleParse(xmlNodePtr node)
     action    = virXMLPropString(node, "action");
     direction = virXMLPropString(node, "direction");
     prio      = virXMLPropString(node, "priority");
+    statematch= virXMLPropString(node, "statematch");
 
     if (!action) {
         virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
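Review bot: The added assignment `statematch= virXMLPropString(node, "statematch");` drops the space before `=`, unlike the three aligned assignments directly above it; write it `statematch = virXMLPropString(node, "statematch");` so the column alignment of this group is kept.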
@@ -1633,6 +1635,10 @@ virNWFilterRuleParse(xmlNodePtr node)
         }
     }
 
+    if (statematch &&
+        (STREQ(statematch, "0") || STRCASEEQ(statematch, "false")))
+        ret->flags |= RULE_FLAG_NO_STATEMATCH;
+
     cur = node->children;
 
     found = 0;
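Review bot: An unrecognised statematch value ('true', '1', 'yes', a typo) is silently ignored by the added `if`, so the rule keeps the default state match without any diagnostic, whereas the schema in docs/schemas/nwfilter.rng rejects such a document; the parser and the schema should agree. Following the missing-action check earlier in this function, report the bad value instead of ignoring it, e.g. `else if (statematch && !(STREQ(statematch, "1") || STRCASEEQ(statematch, "true")))` followed by a virNWFilterReportError call and a jump to the function's error path, which lies outside this hunk. A one-line comment such as `/* statematch='0'/'false' opts this rule out of the iptables state match */` above the check would make the flag's meaning clear at the point where it is set. The rest of virNWFilterRuleParse, including its error path, is outside the hunk.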
@@ -1677,6 +1683,7 @@ cleanup:
     VIR_FREE(prio);
     VIR_FREE(action);
     VIR_FREE(direction);
+    VIR_FREE(statematch);
 
     return ret;
 
@@ -2532,6 +2539,9 @@ virNWFilterRuleDefFormat(virNWFilterRuleDefPtr def)
                       virNWFilterRuleDirectionTypeToString(def->tt),
                       def->priority);
 
+    if ((def->flags & RULE_FLAG_NO_STATEMATCH))
+        virBufferAddLit(&buf, " statematch='false'");
+
     i = 0;
     while (virAttr[i].id) {
         if (virAttr[i].prtclType == def->prtclType) {
index b7b62adc33b7fddd24090f0b1cb404c47e86382f..99ef1d448d76f1d90f9f1c278bc79760c1f45296 100644 (file)
@@ -345,11 +345,16 @@ enum virNWFilterEbtablesTableType {
 
 # define MAX_RULE_PRIORITY  1000
 
+enum virNWFilterRuleFlags {
+    RULE_FLAG_NO_STATEMATCH = (1 << 0),
+};
+
 
 typedef struct _virNWFilterRuleDef  virNWFilterRuleDef;
 typedef virNWFilterRuleDef *virNWFilterRuleDefPtr;
 struct _virNWFilterRuleDef {
     unsigned int priority;
+    enum virNWFilterRuleFlags flags;
     int action; /*enum virNWFilterRuleActionType*/
     int tt; /*enum virNWFilterRuleDirectionType*/
     enum virNWFilterRuleProtocolType prtclType;
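Review bot: The new `flags` member is declared with the enum type itself, but it is a bitmask that the parser fills with `|=`, so once a second flag exists the field will hold values that are not enumerators; the neighbouring `action` and `tt` fields use a plain integer with the enum named in a comment, and `flags` should follow that convention, e.g. `unsigned int flags; /* enum virNWFilterRuleFlags */`. The new enum also has no comment saying what RULE_FLAG_NO_STATEMATCH means; a line such as `/* RULE_FLAG_NO_STATEMATCH: the rule's XML had statematch='0'/'false'; do not add the iptables state match */` above the enum would document the only place its meaning is visible to readers of the header. The enclosing struct continues outside the hunk.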
index 2fa78d065be7bda9b03c4c66e9377e663651ff84..fcd6c8c12220803782513d0a493fff85cfacd571 100644 (file)
@@ -1498,6 +1498,9 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
             needState = 0;
     }
 
+    if ((rule->flags & RULE_FLAG_NO_STATEMATCH))
+        needState = 0;
+
     chainPrefix[0] = 'F';
 
     maySkipICMP = directionIn || inout;
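Review bot: The override that clears `needState` carries no comment explaining why it sits after the computation above it or what the user has opted out of, so a reader sees a bare flag test; a line such as `/* statematch='false' in the rule XML: the user asked for no iptables state match on this rule */` above the added `if` would say so. Whether dropping the state match changes how reply traffic for this rule is treated depends on code outside this hunk, so that consequence cannot be confirmed here, but if it does it is worth stating in the same comment. iptablesCreateRuleInstance begins and ends outside the hunk.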
index e3111e89e468d2cd1f22f7afa9437ed9c98b467b..3fe5299fb4847a72ca4b5349ad349770b1cb6b57 100644 (file)
@@ -5,14 +5,14 @@
           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
           dscp='2'/>
   </rule>
-  <rule action='accept' direction='in'>
+  <rule action='accept' direction='in' statematch='false'>
      <tcp srcmacaddr='1:2:3:4:5:6'
           srcipaddr='10.1.2.3' srcipmask='32'
           dscp='33'
           srcportstart='20' srcportend='21'
           dstportstart='100' dstportend='1111'/>
   </rule>
-  <rule action='accept' direction='in'>
+  <rule action='accept' direction='in' statematch='0'>
      <tcp srcmacaddr='1:2:3:4:5:6'
           srcipaddr='10.1.2.3' srcipmask='32'
           dscp='63'
index a13afe149085b67382c84c2a6eb42deb8bf3656b..4037808c45d0519674bc6a6c1c06803a7a734461 100644 (file)
@@ -3,10 +3,10 @@
   <rule action='accept' direction='out' priority='500'>
     <tcp srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2'/>
   </rule>
-  <rule action='accept' direction='in' priority='500'>
+  <rule action='accept' direction='in' priority='500' statematch='false'>
     <tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/>
   </rule>
-  <rule action='accept' direction='in' priority='500'>
+  <rule action='accept' direction='in' priority='500' statematch='false'>
     <tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32' dscp='63' srcportstart='255' srcportend='256' dstportstart='65535'/>
   </rule>
 </filter>