- 08 4月, 2011 1 次提交
-
-
由 Stefan Berger 提交于
This patch adds support for the evaluation of TCP flags in nwfilters. It adds documentation to the web page and extends the tests as well. Also, the nwfilter schema is extended. The following are some example for rules using the tcp flags: <rule action='accept' direction='in'> <tcp state='NONE' flags='SYN/ALL' dsptportstart='80'/> </rule> <rule action='drop' direction='in'> <tcp state='NONE' flags='SYN/ALL'/> </rule>
-
- 19 2月, 2011 1 次提交
-
-
由 Stefan Berger 提交于
This patch adds the possibility to not just drop packets, but to also have them rejected where iptables at least sends an ICMP msg back to the originator. On ebtables this again maps into dropping packets since rejecting is not supported. I am adding 'since 0.8.9' to the docs assuming this will be the next version of libvirt.
-
- 07 10月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
Extend the nwfilter.rng schema to accept state attribute.
-
- 01 10月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
Extend the nwfilter.rng schema to accept comment attributes for all protocol types.
-
- 18 6月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
This patch adds an optional XML attribute to a nwfilter rule to give the user control over whether the rule is supposed to be using the iptables state match or not. A rule may now look like shown in the XML below with the statematch attribute either having value '0' or 'false' (case-insensitive). [...] <rule action='accept' direction='in' statematch='false'> <tcp srcmacaddr='1:2:3:4:5:6' srcipaddr='10.1.2.3' srcipmask='32' dscp='33' srcportstart='20' srcportend='21' dstportstart='100' dstportend='1111'/> </rule> [...] I am also extending the nwfilter schema and add this attribute to a test case.
-
- 28 4月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
So far the references to other filters needed to appear before filtering rules. With the below patch they can now appear in any order. Also I forgot to add a couple of 'rarp's.
-
- 27 4月, 2010 2 次提交
-
-
由 Stefan Berger 提交于
This patch adds support for the RARP protocol. This may be needed due to qemu sending out a RARP packet (at least that's what it seems to want to do even though the protocol id is wrong) when migration finishes and we'd need a rule to let the packets pass. Unfortunately my installation of ebtables does not understand -p RARP and also seems to otherwise depend on strings in /etc/ethertype translated to protocol identifiers. Therefore I need to pass -p 0x8035 for RARP. To generally get rid of the dependency of that file I switch all so far supported protocols to use their protocol identifier in the -p parameter rather than the string. I am also extending the schema and added a test case. changes from v1 to v2: - added test case into patch
-
由 Stefan Berger 提交于
With this patch I want to enable hex number inputs in the filter XML. A number that was entered as hex is also printed as hex unless a string representing the meaning can be found. I am also extending the schema and adding a test case. A problem with the DSCP value is fixed on the way as well. Changes from V1 to V2: - using asHex boolean in all printf type of functions to select the output format in hex or decimal format
-
- 23 4月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
I am extending the schema with the recently added connlimit-above attribute and adding a test case for it to the test suite.
-
- 07 4月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
Fixing the regular expressions for variables where the first letter must be a $.
-
- 06 4月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
This patch adds a relaxng nwfilter schema along with a test that verifies all the test output XML against the schema. The input XMLs contain a lot of intentional out-of-range values that make them fail the schema verification, so I am not verifying against those.
-