[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 4/9] add DHCP snooping support to nwfilter

From: Stefan Berger <stefanb us ibm com>
To: David Stevens <dlstevens us ibm com>
Cc: libvir-list redhat com
Subject: Re: [libvirt] [PATCH 4/9] add DHCP snooping support to nwfilter
Date: Wed, 11 May 2011 15:32:41 -0400

David Stevens/Beaverton/IBM IBMUS wrote on 05/09/2011 04:06:29 PM:
> > This patch simplifies the table rules by setting the protocol chainspolicy to > be "DROP" and removes the explicit "-j DROP" entries that the protocol rules > had previously. It also makes "no-other-rarp-traffic.xml" obsolete. > > Signed-off-by: David L Stevens <dlstevens us ibm com>
> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/ > nwfilter/nwfilter_ebiptables_driver.c > index fa6f719..dc0ad2e 100644 > --- a/src/nwfilter/nwfilter_ebiptables_driver.c > +++ b/src/nwfilter/nwfilter_ebiptables_driver.c > @@ -2783,7 +2783,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf, > protostr[0] = '\0'; > > virBufferVSprintf(buf, > - CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR > + CMD_DEF("%s -t %s -N %s -P DROP") CMD_SEPARATOR > CMD_EXEC > "%s" > CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR

So now this command puts the default policy of every ebtables chain to end with an implicit drop. What if I had previously
created a filter assuming an implicit accept, which is the current behavior? Now that filter wouldn't work correctly anymore
since my packets all get droped. Is this change really necessary?

Stefan

References:
- [libvirt] [PATCH 4/9] add DHCP snooping support to nwfilter
  - From: David L Stevens

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]