support continue/return targets in nwfilter

This patch adds support for "continue" and "return" actions in filter rules. Signed-off-by: N David L Stevens <dlstevens@us.ibm.com>

support continue/return targets in nwfilter
This patch adds support for "continue" and "return" actions in filter rules. Signed-off-by: N David L Stevens <dlstevens@us.ibm.com>
a61e9ff6 · David L Stevens · Eric Blake · e36da1bd · a61e9ff6 · a61e9ff6
Showing with 22 addition and 7 deletion

AUTHORS AUTHORS +1 -0

docs/formatnwfilter.html.in docs/formatnwfilter.html.in +13 -5

src/conf/nwfilter_conf.c src/conf/nwfilter_conf.c +6 -2

src/conf/nwfilter_conf.h src/conf/nwfilter_conf.h +2 -0

未找到文件。
--- a/AUTHORS
+++ b/AUTHORS
@@ -198,6 +198,7 @@ Patches have also been contributed by:
  Tang Chen            <tangchen@cn.fujitsu.com>
  Dan Horák            <dan@danny.cz>
  Sage Weil            <sage@newdream.net>
+  David L Stevens      <dlstevens@us.ibm.com>

  [....send patches to get your name here....]


--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -258,11 +258,19 @@
    </p>
    <ul>
     <li>
-        action -- mandatory; must either be <code>drop</code>,
-        <code>reject</code><span class="since">(since 0.9.0)</span>,
-        or <code>accept</code> if
-        the evaluation of the filtering rule is supposed to drop,
-        reject (using ICMP message), or accept a packet
+        action -- mandatory; must either be <code>drop</code>
+        (matching the rule silently discards the packet with no
+        further analysis),
+        <code>reject</code> (matching the rule generates an ICMP
+        reject message with no further analysis) <span class="since">(since
+        0.9.0)</span>, <code>accept</code> (matching the rule accepts
+        the packet with no further analysis), <code>return</code>
+        (matching the rule passes this filter, but returns control to
+        the calling filter for further
+        analysis) <span class="since">(since 0.9.7)</span>,
+        or <code>continue<code> (matching the rule goes on to the next
+        rule for further analysis) <span class="since">(since
+        0.9.7)</span>.
     </li>
     <li>
        direction -- mandatory; must either be <code>in</code>, <code>out</code> or

--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -55,12 +55,16 @@
 VIR_ENUM_IMPL(virNWFilterRuleAction, VIR_NWFILTER_RULE_ACTION_LAST,
              "drop",
              "accept",
-              "reject");
+              "reject",
+              "return",
+              "continue");

 VIR_ENUM_IMPL(virNWFilterJumpTarget, VIR_NWFILTER_RULE_ACTION_LAST,
              "DROP",
              "ACCEPT",
-              "REJECT");
+              "REJECT",
+              "RETURN",
+              "CONTINUE");

 VIR_ENUM_IMPL(virNWFilterRuleDirection, VIR_NWFILTER_RULE_DIRECTION_LAST,
              "in",

--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -299,6 +299,8 @@ enum virNWFilterRuleActionType {
    VIR_NWFILTER_RULE_ACTION_DROP = 0,
    VIR_NWFILTER_RULE_ACTION_ACCEPT,
    VIR_NWFILTER_RULE_ACTION_REJECT,
+    VIR_NWFILTER_RULE_ACTION_RETURN,
+    VIR_NWFILTER_RULE_ACTION_CONTINUE,

    VIR_NWFILTER_RULE_ACTION_LAST,
 };