From 51d3fb02768bb10fbba70e9c4466456c0488ced6 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Thu, 17 Jun 2010 14:12:34 -0400
Subject: [PATCH] nwfilter: add XML attribute to control iptables state match
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the iptables state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive). [...] [...] I am also extending the nwfilter schema and add this attribute to a test case.
---
 docs/schemas/nwfilter.rng | 10 ++++++++++
 src/conf/nwfilter_conf.c | 10 ++++++++++
 src/conf/nwfilter_conf.h | 5 +++++
 src/nwfilter/nwfilter_ebiptables_driver.c | 3 +++
 tests/nwfilterxml2xmlin/tcp-test.xml | 4 ++--
 tests/nwfilterxml2xmlout/tcp-test.xml | 4 ++--
 6 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/docs/schemas/nwfilter.rng b/docs/schemas/nwfilter.rng
index e8be9fce17..262e420106 100644
--- a/docs/schemas/nwfilter.rng
+++ b/docs/schemas/nwfilter.rng
@@ -299,6 +299,11 @@ + + + + +
@@ -816,4 +821,9 @@ 1000 + + + ([Ff][Aa][Ll][Ss][Ee]|0) + +
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index fc6d4617bd..fd3d805077 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -1580,6 +1580,7 @@ virNWFilterRuleParse(xmlNodePtr node)
 char *action;
 char *direction;
 char *prio;
+ char *statematch;
 int found;
 int found_i = 0;
 unsigned int priority;
@@ -1595,6 +1596,7 @@ virNWFilterRuleParse(xmlNodePtr node)
 action = virXMLPropString(node, "action");
 direction = virXMLPropString(node, "direction");
 prio = virXMLPropString(node, "priority");
+ statematch= virXMLPropString(node, "statematch");
 if (!action) {
 virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
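Review bot: `statematch= virXMLPropString(node, "statematch");` is missing the space before `=` that the three assignments directly above it use; `statematch = virXMLPropString(node, "statematch");` keeps the block aligned and matches the file's style. The string is released by the `VIR_FREE(statematch)` added in the cleanup hunk further down, so the early `if (!action)` failure path presumably reaches that label as well; that cannot be confirmed from the hunk. virNWFilterRuleParse begins before this hunk and continues past its last line.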
@@ -1633,6 +1635,10 @@ virNWFilterRuleParse(xmlNodePtr node)
 }
 }
+ if (statematch &&
+ (STREQ(statematch, "0") || STRCASEEQ(statematch, "false")))
+ ret->flags |= RULE_FLAG_NO_STATEMATCH;
+
 cur = node->children;
 found = 0;
@@ -1677,6 +1683,7 @@ cleanup:
 VIR_FREE(prio);
 VIR_FREE(action);
 VIR_FREE(direction);
+ VIR_FREE(statematch);
 return ret;
@@ -2532,6 +2539,9 @@ virNWFilterRuleDefFormat(virNWFilterRuleDefPtr def)
 virNWFilterRuleDirectionTypeToString(def->tt),
 def->priority);
+ if ((def->flags & RULE_FLAG_NO_STATEMATCH))
+ virBufferAddLit(&buf, " statematch='false'");
+
 i = 0;
 while (virAttr[i].id) {
 if (virAttr[i].prtclType == def->prtclType) {
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index b7b62adc33..99ef1d448d 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -345,11 +345,16 @@ enum virNWFilterEbtablesTableType {
 # define MAX_RULE_PRIORITY 1000
+enum virNWFilterRuleFlags {
+ RULE_FLAG_NO_STATEMATCH = (1 << 0),
+};
+
 typedef struct _virNWFilterRuleDef virNWFilterRuleDef;
 typedef virNWFilterRuleDef *virNWFilterRuleDefPtr;
 struct _virNWFilterRuleDef {
 unsigned int priority;
+ enum virNWFilterRuleFlags flags;
 int action; /*enum virNWFilterRuleActionType*/
 int tt; /*enum virNWFilterRuleDirectionType*/
 enum virNWFilterRuleProtocolType prtclType;
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 2fa78d065b..fcd6c8c122 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1498,6 +1498,9 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
 needState = 0;
 }
+ if ((rule->flags & RULE_FLAG_NO_STATEMATCH))
+ needState = 0;
+
 chainPrefix[0] = 'F';
 maySkipICMP = directionIn || inout;
diff --git a/tests/nwfilterxml2xmlin/tcp-test.xml b/tests/nwfilterxml2xmlin/tcp-test.xml
index e3111e89e4..3fe5299fb4 100644
--- a/tests/nwfilterxml2xmlin/tcp-test.xml
+++ b/tests/nwfilterxml2xmlin/tcp-test.xml
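Review bot: The new `if (statematch && (STREQ(statematch, "0") || STRCASEEQ(statematch, "false")))` check recognises only those two spellings; any other attribute value, including a misspelling such as `statematch='fasle'`, is silently treated as the default and the rule keeps its state match, with no diagnostic for the user. The schema hunk limits the attribute to `([Ff][Aa][Ll][Ss][Ee]|0)`, but nothing in this parser appears to validate against the schema, so the mismatch between what the schema allows and what the parser accepts is only visible at validation time. Since the two settings produce firewall rules with different semantics, I would reject an unrecognised value here the way the surrounding action/direction checks report bad input, i.e. add an `else if (statematch)` branch that calls virNWFilterReportError and takes the function's error exit instead of continuing. virNWFilterRuleParse continues outside the hunk, so the exact error label is not visible here.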
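Review bot: `enum virNWFilterRuleFlags flags;` types a bitmask field as an enum, yet the parser hunk writes it with `ret->flags |= RULE_FLAG_NO_STATEMATCH`, so as soon as a second flag is added the field holds values that are not enumerators; `unsigned int flags; /* bitmask of enum virNWFilterRuleFlags */` is the conventional shape and documents the intent. The hunk also does not show where the new field starts at zero; if the rule def is allocated with a zeroing allocator that is fine, otherwise the `|=` in the parser reads an indeterminate value and `ret->flags = 0` is needed before it. The enclosing struct definition continues past the hunk.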
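Review bot: Nothing in the driver hunk says what clearing `needState` means for the generated iptables rule, and this is the one place where the user's choice turns into a different firewall rule; a one-line comment such as `/* statematch='false': do not emit the iptables state match for this rule */` above the new `if` would make the effect explicit for the next reader. The double parentheses in `if ((rule->flags & RULE_FLAG_NO_STATEMATCH))` look like an assignment-in-condition guard that is not needed here, and the formatter hunk in nwfilter_conf.c uses the same pattern; `if (rule->flags & RULE_FLAG_NO_STATEMATCH)` reads more plainly. iptablesCreateRuleInstance starts and ends outside the hunk, so where needState is consumed is not visible here.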
@@ -5,14 +5,14 @@ dstipaddr='10.1.2.3' dstipmask='255.255.255.255' dscp='2'/> - + - + - + - +
--
GitLab