[libvirt] [PATCH] nwfilter: extensions of docs with advanced filtering topics

Eric Blake eblake at redhat.com
Fri Jun 18 15:45:21 UTC 2010


On 06/17/2010 06:10 PM, Stefan Berger wrote:
> As requested, here a couple of paragraphs about the recently added
> statematch attribute and some advanced (and tricky) traffic filtering
> topics.
> 
> Signed-off-by: Stefan Berger <stefanb at us.ibm.com>
> 
> ---
>  docs/formatnwfilter.html.in |  117

> +     a VM. As an example, if a VM has TCP port 8080
> +     open, clients may connect to it on port 8080. The tracking of the
> +     connection then prevents the client from initiating a connection from
> +     (TCP client) port 8080 to the host back (after previously having

That came across awkwardly to me.  How about:

As an example, if a VM has TCP port 8080 open as a server, clients may
connect to the VM on port 8080.  The tracking of the connection then
prevents the VM from initiating a connection from (TCP client) port 8080
back to a remote host that has previously gained access to the VM.

(Am I understanding your intent here?)

> +     gained access to the VM). More importantly, tracking helps to prevent
> +     remote attackers to establish a connection back to a VM for example
> +     if the user inside the VM has established a connection to
> +     port 80 on an attacker site, then the attacker won't be able to
> +     initiate a connection from TCP port 80 towards the VM.

Again, awkward wording:

More importantly, tracking helps to prevent remote attackers from
establishing a connection back to a VM.  For example, if a user inside
the VM established a connection to port 80 on an attacker site, then the
attacker won't be able to initiate a connection from TCP port 80 back
towards the VM.

> +      packets are exchanged. However, a newly initated connection may
> force

s/initated/initiated/

> +      an idle connection into TCP backoff if the number of allowed
> connections
> +      is set to a too low limit, the new connection is established
> +      and hits (not exceeds) the limit of allowed connections and for
> +      example a key is pressed on the old ssh session, which now has
> become
> +      unresponsive due to traffic being dropped.
> +      Therefore, the limit of connections should be rather high so that
> +      fluctuations in new TCP connections don't cause odd
> +      traffic behavior in relaton to idle connections.
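Review bot: the sentence from "However, a newly initated connection" through "due to traffic being dropped" is a single run-on that does not say which of the two connections suffers when the limit is reached; it should be split so that the cause (the new connection is accepted and the count now equals the limit) and the effect (the older, idle session has its next packets dropped) read as separate sentences, and "set to a too low limit" should become "set too low". The closing advice that the limit "should be rather high" is not actionable as written; suggest stating it relative to the expected number of concurrent connections, so a reader knows what headroom to leave for fluctuations.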

s/relaton/relation/

But overall, it looks like a good patch, so ACK with those nits addressed.

-- 
Eric Blake   eblake at redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
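The two behaviours the reviewed paragraphs describe, connection tracking preventing a VM from reusing a server port to call back out, and a connection limit that is set high enough not to stall idle sessions, can be expressed together in one nwfilter definition. The filter below is an added example written for this page, not part of the patch or of libvirt's own documentation; it assumes the `connlimit-above` attribute on `<tcp>` and the default `statematch` behaviour of rules in the libvirt version in use, and it deliberately uses no IP variables so that the rules apply to whatever address the VM's interface carries.

```xml
<!-- Added example filter, not part of the reviewed patch. Assumes
     'connlimit-above' on <tcp> and the default statematch='true'
     behaviour of <rule>; the filter name is an arbitrary choice. -->
<filter name='example-stateful-ssh' chain='root'>

  <!-- Connection limiting for ssh. The limit is kept well above the
       expected number of sessions on purpose: a limit that a second
       login can reach does not merely refuse that login, it can leave
       the first, idle session unresponsive once it sends traffic again
       (the TCP backoff the reviewed text warns about). -->
  <rule action='drop' direction='in' priority='400'>
    <tcp dstportstart='22' connlimit-above='20'/>
  </rule>

  <!-- Accept ssh connections to the VM. With statematch enabled only the
       packet that opens a connection has to match this rule; the replies
       are recognised as part of the tracked connection. The tracking is
       per connection, so the VM cannot reuse its server port 22 to open a
       fresh connection back towards the client through this rule. -->
  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='22'/>
  </rule>

  <!-- Let the VM reach remote web servers. Only the connection the VM
       opens is tracked; the remote server's replies belong to it, but a
       new connection from the server's port 80 towards the VM would be a
       new inbound connection and falls through to the drop rule below. -->
  <rule action='accept' direction='out' priority='500'>
    <tcp dstportstart='80'/>
  </rule>

  <!-- Anything not accepted above, in either direction, is dropped. -->
  <rule action='drop' direction='inout' priority='1000'>
    <all/>
  </rule>
</filter>
```

Load it with `virsh nwfilter-define` and reference it from the domain's interface with a `<filterref filter='example-stateful-ssh'/>`; the value 20 in `connlimit-above` is a placeholder to be sized against the number of ssh sessions the VM is actually expected to serve, with generous headroom.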
