]> git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
projects / thirdparty / libvirt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: acab8a9)
nwfilter: enable rejection of packets
authorStefan Berger <stefanb@us.ibm.com>
Sat, 19 Feb 2011 01:13:40 +0000 (20:13 -0500)
committerStefan Berger <stefanb@us.ibm.com>
Sat, 19 Feb 2011 01:13:40 +0000 (20:13 -0500)
This patch adds the possibility to not just drop packets, but to also have them rejected where iptables at least sends an ICMP msg back to the originator. On ebtables this again maps into dropping packets since rejecting is not supported.

I am adding 'since 0.8.9' to the docs assuming this will be the next version of libvirt.

docs/formatnwfilter.html.in patch | blob | blame | history
docs/schemas/nwfilter.rng patch | blob | blame | history
src/conf/nwfilter_conf.c patch | blob | blame | history
src/conf/nwfilter_conf.h patch | blob | blame | history
src/nwfilter/nwfilter_ebiptables_driver.c patch | blob | blame | history

diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 6cc433b16857210141584bd612cf9596d2849d2b..31f105e671c9ef88d160ec398a2a2d9c25c6467e 100644 (file)
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -260,9 +260,11 @@
     </p>
     <ul>
      <li>
-        action -- mandatory; must either be <code>drop</code> or <code>accept</code> if
-        the evaluation of the filtering rule is supposed to drop or accept
-        a packet
+        action -- mandatory; must either be <code>drop</code>,
+        <code>reject</code><span class="since">(since 0.8.9)</span>,
+        or <code>accept</code> if
+        the evaluation of the filtering rule is supposed to drop,
+        reject (using ICMP message), or accept a packet
      </li>
      <li>
         direction -- mandatory; must either be <code>in</code>, <code>out</code> or
diff --git a/docs/schemas/nwfilter.rng b/docs/schemas/nwfilter.rng
index 5b865ced17e0639a18e58bc79a239968cfd44b25..c2625b065826ace46d3dde2768299d534b2f207c 100644 (file)
--- a/docs/schemas/nwfilter.rng
+++ b/docs/schemas/nwfilter.rng
@@ -839,6 +839,7 @@
     <choice>
       <value>drop</value>
       <value>accept</value>
+      <value>reject</value>
     </choice>
   </define>
 
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index c6a4d6f6d75a52c3f2353ea1edcb7cc94b4fee34..e5289eb7775d7b33879f1285f56b8c4f3e98870a 100644 (file)
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -53,11 +53,13 @@
 
 VIR_ENUM_IMPL(virNWFilterRuleAction, VIR_NWFILTER_RULE_ACTION_LAST,
               "drop",
-              "accept");
+              "accept",
+              "reject");
 
 VIR_ENUM_IMPL(virNWFilterJumpTarget, VIR_NWFILTER_RULE_ACTION_LAST,
               "DROP",
-              "ACCEPT");
+              "ACCEPT",
+              "REJECT");
 
 VIR_ENUM_IMPL(virNWFilterRuleDirection, VIR_NWFILTER_RULE_DIRECTION_LAST,
               "in",
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 34ff399b8ad86519c9b43fc8cae344294fb1a092..5db465890abbeaf9ec4d231855adaa387be1448b 100644 (file)
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -291,6 +291,7 @@ struct _udpliteHdrFilterDef {
 enum virNWFilterRuleActionType {
     VIR_NWFILTER_RULE_ACTION_DROP = 0,
     VIR_NWFILTER_RULE_ACTION_ACCEPT,
+    VIR_NWFILTER_RULE_ACTION_REJECT,
 
     VIR_NWFILTER_RULE_ACTION_LAST,
 };
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 6ec59ea706caeda8664c5420ac7d299b26f3ea85..2ec5b022a0b0c4992385ffab1c368bf2044b2c24 100644 (file)
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1516,7 +1516,7 @@ _iptablesCreateRuleInstance(int directionIn,
     if (rule->action == VIR_NWFILTER_RULE_ACTION_ACCEPT)
         target = accept_target;
     else {
-        target = "DROP";
+        target = virNWFilterJumpTargetTypeToString(rule->action);
         skipMatch = defMatch;
     }
 
@@ -1880,6 +1880,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
          number[20];
     char chain[MAX_CHAINNAME_LENGTH];
     virBuffer buf = VIR_BUFFER_INITIALIZER;
+    const char *target;
 
     if (!ebtables_cmd_path) {
         virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@@ -2295,10 +2296,20 @@ ebtablesCreateRuleInstance(char chainPrefix,
         return -1;
     }
 
+    switch (rule->action) {
+    case VIR_NWFILTER_RULE_ACTION_REJECT:
+        /* REJECT not supported */
+        target = virNWFilterJumpTargetTypeToString(
+                                     VIR_NWFILTER_RULE_ACTION_DROP);
+    break;
+    default:
+        target = virNWFilterJumpTargetTypeToString(rule->action);
+    }
+
     virBufferVSprintf(&buf,
                       " -j %s" CMD_DEF_POST CMD_SEPARATOR
                       CMD_EXEC,
-                      virNWFilterJumpTargetTypeToString(rule->action));
+                      target);
 
     if (virBufferError(&buf)) {
         virBufferFreeAndReset(&buf);
Mirror of https://github.com/libvirt/libvirt.git