提交 aea68ce9 编写于 作者: S Stefan Berger

nwfilter: add support for RAPR protocol

This patch adds support for the RARP protocol. This may be needed due to
qemu sending out a RARP packet (at least that's what it seems to want to
do even though the protocol id is wrong) when migration finishes and
we'd need a rule to let the packets pass.

Unfortunately my installation of ebtables does not understand -p RARP
and also seems to otherwise depend on strings in /etc/ethertype
translated to protocol identifiers. Therefore I need to pass -p 0x8035
for RARP. To generally get rid of the dependency of that file I switch
all so far supported protocols to use their protocol identifier in the
-p parameter rather than the string.

I am also extending the schema and added a test case.

changes from v1 to v2:
- added test case into patch
上级 35b61376
...@@ -37,6 +37,15 @@ ...@@ -37,6 +37,15 @@
</element> </element>
</zeroOrMore> </zeroOrMore>
</optional> </optional>
<optional>
<zeroOrMore>
<element name="rarp">
<ref name="match-attribute"/>
<ref name="common-l2-attributes"/>
<ref name="arp-attributes"/> <!-- same as arp -->
</element>
</zeroOrMore>
</optional>
<optional> <optional>
<zeroOrMore> <zeroOrMore>
<element name="ip"> <element name="ip">
......
...@@ -46,22 +46,6 @@ ...@@ -46,22 +46,6 @@
#include "domain_conf.h" #include "domain_conf.h"
/* XXX
* The config parser/structs should not be using platform specific
* constants. Win32 lacks these constants, breaking the parser,
* so temporarily define them until this can be re-written to use
* locally defined enums for all constants
*/
#ifndef ETHERTYPE_IP
# define ETHERTYPE_IP 0x0800
#endif
#ifndef ETHERTYPE_ARP
# define ETHERTYPE_ARP 0x0806
#endif
#ifndef ETHERTYPE_IPV6
# define ETHERTYPE_IPV6 0x86dd
#endif
#define VIR_FROM_THIS VIR_FROM_NWFILTER #define VIR_FROM_THIS VIR_FROM_NWFILTER
...@@ -90,6 +74,7 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable, VIR_NWFILTER_EBTABLES_TABLE_LAST, ...@@ -90,6 +74,7 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable, VIR_NWFILTER_EBTABLES_TABLE_LAST,
VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST, VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
"root", "root",
"arp", "arp",
"rarp",
"ipv4", "ipv4",
"ipv6"); "ipv6");
...@@ -97,6 +82,7 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, VIR_NWFILTER_RULE_PROTOCOL_LAST, ...@@ -97,6 +82,7 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, VIR_NWFILTER_RULE_PROTOCOL_LAST,
"none", "none",
"mac", "mac",
"arp", "arp",
"rarp",
"ip", "ip",
"ipv6", "ipv6",
"tcp", "tcp",
...@@ -413,10 +399,9 @@ struct _virXMLAttr2Struct ...@@ -413,10 +399,9 @@ struct _virXMLAttr2Struct
static const struct int_map macProtoMap[] = { static const struct int_map macProtoMap[] = {
INTMAP_ENTRY(ETHERTYPE_ARP , "arp"), INTMAP_ENTRY(ETHERTYPE_ARP , "arp"),
INTMAP_ENTRY(ETHERTYPE_REVARP, "rarp"),
INTMAP_ENTRY(ETHERTYPE_IP , "ipv4"), INTMAP_ENTRY(ETHERTYPE_IP , "ipv4"),
#ifdef ETHERTYPE_IPV6 INTMAP_ENTRY(ETHERTYPE_IPV6 , "ipv6"),
INTMAP_ENTRY(ETHERTYPE_IPV6, "ipv6"),
#endif
INTMAP_ENTRY_LAST INTMAP_ENTRY_LAST
}; };
...@@ -1096,6 +1081,7 @@ struct _virAttributes { ...@@ -1096,6 +1081,7 @@ struct _virAttributes {
static const virAttributes virAttr[] = { static const virAttributes virAttr[] = {
PROTOCOL_ENTRY("arp" , arpAttributes , VIR_NWFILTER_RULE_PROTOCOL_ARP), PROTOCOL_ENTRY("arp" , arpAttributes , VIR_NWFILTER_RULE_PROTOCOL_ARP),
PROTOCOL_ENTRY("rarp" , arpAttributes , VIR_NWFILTER_RULE_PROTOCOL_RARP),
PROTOCOL_ENTRY("mac" , macAttributes , VIR_NWFILTER_RULE_PROTOCOL_MAC), PROTOCOL_ENTRY("mac" , macAttributes , VIR_NWFILTER_RULE_PROTOCOL_MAC),
PROTOCOL_ENTRY("ip" , ipAttributes , VIR_NWFILTER_RULE_PROTOCOL_IP), PROTOCOL_ENTRY("ip" , ipAttributes , VIR_NWFILTER_RULE_PROTOCOL_IP),
PROTOCOL_ENTRY("ipv6" , ipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_IPV6), PROTOCOL_ENTRY("ipv6" , ipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_IPV6),
...@@ -1450,6 +1436,7 @@ virNWFilterRuleDefFixup(virNWFilterRuleDefPtr rule) ...@@ -1450,6 +1436,7 @@ virNWFilterRuleDefFixup(virNWFilterRuleDefPtr rule)
break; break;
case VIR_NWFILTER_RULE_PROTOCOL_ARP: case VIR_NWFILTER_RULE_PROTOCOL_ARP:
case VIR_NWFILTER_RULE_PROTOCOL_RARP:
case VIR_NWFILTER_RULE_PROTOCOL_NONE: case VIR_NWFILTER_RULE_PROTOCOL_NONE:
break; break;
......
...@@ -35,6 +35,24 @@ ...@@ -35,6 +35,24 @@
# include "xml.h" # include "xml.h"
# include "network.h" # include "network.h"
/* XXX
* The config parser/structs should not be using platform specific
* constants. Win32 lacks these constants, breaking the parser,
* so temporarily define them until this can be re-written to use
* locally defined enums for all constants
*/
# ifndef ETHERTYPE_IP
# define ETHERTYPE_IP 0x0800
# endif
# ifndef ETHERTYPE_ARP
# define ETHERTYPE_ARP 0x0806
# endif
# ifndef ETHERTYPE_REVARP
# define ETHERTYPE_REVARP 0x8035
# endif
# ifndef ETHERTYPE_IPV6
# define ETHERTYPE_IPV6 0x86dd
# endif
/** /**
* Chain suffix size is: * Chain suffix size is:
...@@ -292,6 +310,7 @@ enum virNWFilterRuleProtocolType { ...@@ -292,6 +310,7 @@ enum virNWFilterRuleProtocolType {
VIR_NWFILTER_RULE_PROTOCOL_NONE = 0, VIR_NWFILTER_RULE_PROTOCOL_NONE = 0,
VIR_NWFILTER_RULE_PROTOCOL_MAC, VIR_NWFILTER_RULE_PROTOCOL_MAC,
VIR_NWFILTER_RULE_PROTOCOL_ARP, VIR_NWFILTER_RULE_PROTOCOL_ARP,
VIR_NWFILTER_RULE_PROTOCOL_RARP,
VIR_NWFILTER_RULE_PROTOCOL_IP, VIR_NWFILTER_RULE_PROTOCOL_IP,
VIR_NWFILTER_RULE_PROTOCOL_IPV6, VIR_NWFILTER_RULE_PROTOCOL_IPV6,
VIR_NWFILTER_RULE_PROTOCOL_TCP, VIR_NWFILTER_RULE_PROTOCOL_TCP,
...@@ -336,7 +355,7 @@ struct _virNWFilterRuleDef { ...@@ -336,7 +355,7 @@ struct _virNWFilterRuleDef {
enum virNWFilterRuleProtocolType prtclType; enum virNWFilterRuleProtocolType prtclType;
union { union {
ethHdrFilterDef ethHdrFilter; ethHdrFilterDef ethHdrFilter;
arpHdrFilterDef arpHdrFilter; arpHdrFilterDef arpHdrFilter; /* also used for rarp */
ipHdrFilterDef ipHdrFilter; ipHdrFilterDef ipHdrFilter;
ipv6HdrFilterDef ipv6HdrFilter; ipv6HdrFilterDef ipv6HdrFilter;
tcpHdrFilterDef tcpHdrFilter; tcpHdrFilterDef tcpHdrFilter;
...@@ -373,6 +392,7 @@ struct _virNWFilterEntry { ...@@ -373,6 +392,7 @@ struct _virNWFilterEntry {
enum virNWFilterChainSuffixType { enum virNWFilterChainSuffixType {
VIR_NWFILTER_CHAINSUFFIX_ROOT = 0, VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
VIR_NWFILTER_CHAINSUFFIX_ARP, VIR_NWFILTER_CHAINSUFFIX_ARP,
VIR_NWFILTER_CHAINSUFFIX_RARP,
VIR_NWFILTER_CHAINSUFFIX_IPv4, VIR_NWFILTER_CHAINSUFFIX_IPv4,
VIR_NWFILTER_CHAINSUFFIX_IPv6, VIR_NWFILTER_CHAINSUFFIX_IPv6,
......
...@@ -32,6 +32,7 @@ ...@@ -32,6 +32,7 @@
#include "logging.h" #include "logging.h"
#include "virterror_internal.h" #include "virterror_internal.h"
#include "domain_conf.h" #include "domain_conf.h"
#include "nwfilter_conf.h"
#include "nwfilter_gentech_driver.h" #include "nwfilter_gentech_driver.h"
#include "nwfilter_ebiptables_driver.h" #include "nwfilter_ebiptables_driver.h"
...@@ -103,11 +104,28 @@ static int ebiptablesDriverInit(void); ...@@ -103,11 +104,28 @@ static int ebiptablesDriverInit(void);
static void ebiptablesDriverShutdown(void); static void ebiptablesDriverShutdown(void);
static const char *supported_protocols[] = { struct ushort_map {
"ipv4", unsigned short attr;
"ipv6", const char *val;
"arp", };
NULL,
enum l3_proto_idx {
L3_PROTO_IPV4_IDX = 0,
L3_PROTO_IPV6_IDX,
L3_PROTO_ARP_IDX,
L3_PROTO_RARP_IDX,
L3_PROTO_LAST_IDX
};
#define USHORTMAP_ENTRY_IDX(IDX, ATT, VAL) [IDX] = { .attr = ATT, .val = VAL }
static const struct ushort_map l3_protocols[] = {
USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP , "ipv4"),
USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6 , "ipv6"),
USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP , "arp"),
USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"),
USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0 , NULL),
}; };
...@@ -1611,6 +1629,7 @@ ebtablesCreateRuleInstance(char chainPrefix, ...@@ -1611,6 +1629,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
break; break;
case VIR_NWFILTER_RULE_PROTOCOL_ARP: case VIR_NWFILTER_RULE_PROTOCOL_ARP:
case VIR_NWFILTER_RULE_PROTOCOL_RARP:
virBufferVSprintf(&buf, virBufferVSprintf(&buf,
CMD_DEF_PRE "%s -t %s -%%c %s %%s", CMD_DEF_PRE "%s -t %s -%%c %s %%s",
...@@ -1622,7 +1641,10 @@ ebtablesCreateRuleInstance(char chainPrefix, ...@@ -1622,7 +1641,10 @@ ebtablesCreateRuleInstance(char chainPrefix,
reverse)) reverse))
goto err_exit; goto err_exit;
virBufferAddLit(&buf, " -p arp"); virBufferVSprintf(&buf, " -p 0x%x",
(rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ARP)
? l3_protocols[L3_PROTO_ARP_IDX].attr
: l3_protocols[L3_PROTO_RARP_IDX].attr);
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) { if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) {
if (printDataType(vars, if (printDataType(vars,
...@@ -2036,6 +2058,7 @@ ebiptablesCreateRuleInstance(virConnectPtr conn ATTRIBUTE_UNUSED, ...@@ -2036,6 +2058,7 @@ ebiptablesCreateRuleInstance(virConnectPtr conn ATTRIBUTE_UNUSED,
case VIR_NWFILTER_RULE_PROTOCOL_IP: case VIR_NWFILTER_RULE_PROTOCOL_IP:
case VIR_NWFILTER_RULE_PROTOCOL_MAC: case VIR_NWFILTER_RULE_PROTOCOL_MAC:
case VIR_NWFILTER_RULE_PROTOCOL_ARP: case VIR_NWFILTER_RULE_PROTOCOL_ARP:
case VIR_NWFILTER_RULE_PROTOCOL_RARP:
case VIR_NWFILTER_RULE_PROTOCOL_NONE: case VIR_NWFILTER_RULE_PROTOCOL_NONE:
case VIR_NWFILTER_RULE_PROTOCOL_IPV6: case VIR_NWFILTER_RULE_PROTOCOL_IPV6:
...@@ -2427,7 +2450,7 @@ static int ...@@ -2427,7 +2450,7 @@ static int
ebtablesCreateTmpSubChain(virBufferPtr buf, ebtablesCreateTmpSubChain(virBufferPtr buf,
int incoming, int incoming,
const char *ifname, const char *ifname,
const char *protocol, enum l3_proto_idx protoidx,
int stopOnError) int stopOnError)
{ {
char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH]; char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
...@@ -2435,13 +2458,13 @@ ebtablesCreateTmpSubChain(virBufferPtr buf, ...@@ -2435,13 +2458,13 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
: CHAINPREFIX_HOST_OUT_TEMP; : CHAINPREFIX_HOST_OUT_TEMP;
PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname); PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
PRINT_CHAIN(chain, chainPrefix, ifname, protocol); PRINT_CHAIN(chain, chainPrefix, ifname, l3_protocols[protoidx].val);
virBufferVSprintf(buf, virBufferVSprintf(buf,
CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s" "%s"
CMD_DEF("%s -t %s -A %s -p %s -j %s") CMD_SEPARATOR CMD_DEF("%s -t %s -A %s -p 0x%x -j %s") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
...@@ -2450,7 +2473,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf, ...@@ -2450,7 +2473,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
CMD_STOPONERR(stopOnError), CMD_STOPONERR(stopOnError),
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
rootchain, protocol, chain, rootchain, l3_protocols[protoidx].attr, chain,
CMD_STOPONERR(stopOnError)); CMD_STOPONERR(stopOnError));
...@@ -2462,11 +2485,12 @@ static int ...@@ -2462,11 +2485,12 @@ static int
_ebtablesRemoveSubChain(virBufferPtr buf, _ebtablesRemoveSubChain(virBufferPtr buf,
int incoming, int incoming,
const char *ifname, const char *ifname,
const char *protocol, enum l3_proto_idx protoidx,
int isTempChain) int isTempChain)
{ {
char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH]; char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
char chainPrefix; char chainPrefix;
if (isTempChain) { if (isTempChain) {
chainPrefix =(incoming) ? CHAINPREFIX_HOST_IN_TEMP chainPrefix =(incoming) ? CHAINPREFIX_HOST_IN_TEMP
: CHAINPREFIX_HOST_OUT_TEMP; : CHAINPREFIX_HOST_OUT_TEMP;
...@@ -2476,14 +2500,14 @@ _ebtablesRemoveSubChain(virBufferPtr buf, ...@@ -2476,14 +2500,14 @@ _ebtablesRemoveSubChain(virBufferPtr buf,
} }
PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname); PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
PRINT_CHAIN(chain, chainPrefix, ifname, protocol); PRINT_CHAIN(chain, chainPrefix, ifname, l3_protocols[protoidx].val);
virBufferVSprintf(buf, virBufferVSprintf(buf,
"%s -t %s -D %s -p %s -j %s" CMD_SEPARATOR "%s -t %s -D %s -p 0x%x -j %s" CMD_SEPARATOR
"%s -t %s -F %s" CMD_SEPARATOR "%s -t %s -F %s" CMD_SEPARATOR
"%s -t %s -X %s" CMD_SEPARATOR, "%s -t %s -X %s" CMD_SEPARATOR,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
rootchain, protocol, chain, rootchain, l3_protocols[protoidx].attr, chain,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain,
...@@ -2497,10 +2521,10 @@ static int ...@@ -2497,10 +2521,10 @@ static int
ebtablesRemoveSubChain(virBufferPtr buf, ebtablesRemoveSubChain(virBufferPtr buf,
int incoming, int incoming,
const char *ifname, const char *ifname,
const char *protocol) enum l3_proto_idx protoidx)
{ {
return _ebtablesRemoveSubChain(buf, return _ebtablesRemoveSubChain(buf,
incoming, ifname, protocol, 0); incoming, ifname, protoidx, 0);
} }
...@@ -2508,10 +2532,11 @@ static int ...@@ -2508,10 +2532,11 @@ static int
ebtablesRemoveSubChains(virBufferPtr buf, ebtablesRemoveSubChains(virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
int i; enum l3_proto_idx i;
for (i = 0; supported_protocols[i]; i++) {
ebtablesRemoveSubChain(buf, 1, ifname, supported_protocols[i]); for (i = 0; i < L3_PROTO_LAST_IDX; i++) {
ebtablesRemoveSubChain(buf, 0, ifname, supported_protocols[i]); ebtablesRemoveSubChain(buf, 1, ifname, i);
ebtablesRemoveSubChain(buf, 0, ifname, i);
} }
return 0; return 0;
...@@ -2522,10 +2547,10 @@ static int ...@@ -2522,10 +2547,10 @@ static int
ebtablesRemoveTmpSubChain(virBufferPtr buf, ebtablesRemoveTmpSubChain(virBufferPtr buf,
int incoming, int incoming,
const char *ifname, const char *ifname,
const char *protocol) enum l3_proto_idx protoidx)
{ {
return _ebtablesRemoveSubChain(buf, return _ebtablesRemoveSubChain(buf,
incoming, ifname, protocol, 1); incoming, ifname, protoidx, 1);
} }
...@@ -2533,12 +2558,11 @@ static int ...@@ -2533,12 +2558,11 @@ static int
ebtablesRemoveTmpSubChains(virBufferPtr buf, ebtablesRemoveTmpSubChains(virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
int i; enum l3_proto_idx i;
for (i = 0; supported_protocols[i]; i++) {
ebtablesRemoveTmpSubChain(buf, 1, ifname, for (i = 0; i < L3_PROTO_LAST_IDX; i++) {
supported_protocols[i]); ebtablesRemoveTmpSubChain(buf, 1, ifname, i);
ebtablesRemoveTmpSubChain(buf, 0, ifname, ebtablesRemoveTmpSubChain(buf, 0, ifname, i);
supported_protocols[i]);
} }
return 0; return 0;
...@@ -2576,12 +2600,11 @@ static int ...@@ -2576,12 +2600,11 @@ static int
ebtablesRenameTmpSubChains(virBufferPtr buf, ebtablesRenameTmpSubChains(virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
int i; enum l3_proto_idx i;
for (i = 0; supported_protocols[i]; i++) {
ebtablesRenameTmpSubChain (buf, 1, ifname, for (i = 0; i < L3_PROTO_LAST_IDX; i++) {
supported_protocols[i]); ebtablesRenameTmpSubChain (buf, 1, ifname, l3_protocols[i].val);
ebtablesRenameTmpSubChain (buf, 0, ifname, ebtablesRenameTmpSubChain (buf, 0, ifname, l3_protocols[i].val);
supported_protocols[i]);
} }
return 0; return 0;
...@@ -2911,20 +2934,24 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED, ...@@ -2911,20 +2934,24 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
ebtablesCreateTmpRootChain(&buf, 0, ifname, 1); ebtablesCreateTmpRootChain(&buf, 0, ifname, 1);
if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv4)) if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv4))
ebtablesCreateTmpSubChain(&buf, 1, ifname, "ipv4", 1); ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_IPV4_IDX, 1);
if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv4)) if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv4))
ebtablesCreateTmpSubChain(&buf, 0, ifname, "ipv4", 1); ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_IPV4_IDX, 1);
if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv6)) if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv6))
ebtablesCreateTmpSubChain(&buf, 1, ifname, "ipv6", 1); ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_IPV6_IDX, 1);
if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv6)) if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv6))
ebtablesCreateTmpSubChain(&buf, 0, ifname, "ipv6", 1); ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_IPV6_IDX, 1);
// keep arp as last // keep arp,rarp as last
if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_ARP)) if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_ARP))
ebtablesCreateTmpSubChain(&buf, 1, ifname, "arp", 1); ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_ARP_IDX, 1);
if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_ARP)) if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_ARP))
ebtablesCreateTmpSubChain(&buf, 0, ifname, "arp", 1); ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_ARP_IDX, 1);
if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_RARP))
ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_RARP_IDX, 1);
if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_RARP))
ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_RARP_IDX, 1);
if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0) if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
goto tear_down_tmpebchains; goto tear_down_tmpebchains;
......
<filter name='testcase'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out'>
<rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
protocolid='rarp'
dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
hwtype='12'
protocoltype='34'
opcode='Request'
arpsrcmacaddr='1:2:3:4:5:6'
arpdstmacaddr='a:b:c:d:e:f'/>
</rule>
<rule action='accept' direction='out'>
<rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='1' hwtype='255' protocoltype='255'/>
</rule>
<rule action='accept' direction='out'>
<rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='11' hwtype='256' protocoltype='256'/>
</rule>
<rule action='accept' direction='out'>
<rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='65535' hwtype='65535' protocoltype='65535' />
</rule>
<rule action='accept' direction='out'>
<rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='65536' hwtype='65536' protocoltype='65536' />
</rule>
</filter>
<filter name='testcase' chain='root'>
<uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
<rule action='accept' direction='out' priority='500'>
<rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' hwtype='12' protocoltype='34' opcode='Request' arpsrcmacaddr='01:02:03:04:05:06' arpdstmacaddr='0a:0b:0c:0d:0e:0f'/>
</rule>
<rule action='accept' direction='out' priority='500'>
<rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' hwtype='255' protocoltype='255' opcode='Request'/>
</rule>
<rule action='accept' direction='out' priority='500'>
<rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' hwtype='256' protocoltype='256' opcode='11'/>
</rule>
<rule action='accept' direction='out' priority='500'>
<rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' hwtype='65535' protocoltype='65535' opcode='65535'/>
</rule>
<rule action='accept' direction='out' priority='500'>
<rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff'/>
</rule>
</filter>
...@@ -90,6 +90,7 @@ mymain(int argc, char **argv) ...@@ -90,6 +90,7 @@ mymain(int argc, char **argv)
DO_TEST("mac-test"); DO_TEST("mac-test");
DO_TEST("arp-test"); DO_TEST("arp-test");
DO_TEST("rarp-test");
DO_TEST("ip-test"); DO_TEST("ip-test");
DO_TEST("ipv6-test"); DO_TEST("ipv6-test");
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册
新手
引导
客服 返回
顶部