[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] [DOCS] nwfilter: Add 2nd example to the html docs

 On 10/06/2010 03:14 PM, Eric Blake wrote:
On 10/06/2010 12:56 PM, Stefan Berger wrote:

+ <h3><a name="nwfwriteexample2nd">Second example custom filter</a></h3>
+ <p>
+ In this example we now want to build a similar filter as in the
+ example above, but extend the list of requirements with an
+ ftp server located inside the VM. Further, we will be using features
+ that have been added in <span class="since">version 0.8.5</span>.
+ The requirements for this filter shall be:
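Review bot: "a similar filter as in the example above" on the third line of this hunk should name the first example and link to it by its anchor, using the same &lt;a name=...&gt; convention as this heading, so that a reader who lands directly on #nwfwriteexample2nd knows which filter is being extended; "a similar filter as" also reads better as "a filter similar to the one in".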

s/shall be/are/

+ The 1st solution makes use of the <code>state</code> attribute of
+ the TCP protocol that gives us a hook into the connection tracking
+ framework of the Linux host. For the VM-initiated ftp data connection
+ (ftp active mode) we use the <code>RELATED</code> state that allows
+ us to detect that the VM-initated ftp data connection is a consequence of
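Review bot: Typo on the last line of this hunk: "VM-initated" should read "VM-initiated" (the line before it spells the word correctly), and "The 1st solution" is better written out as "The first solution" in documentation prose. The mechanics described are right for this setup: with the ftp server inside the VM, an active-mode data connection is opened by the VM from TCP port 20 toward the client, so it is outgoing from the VM's point of view, and conntrack classifies its first packet as RELATED to the control connection only because the FTP helper has been watching the control channel.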


+ ( or 'has a relationship with' ) an existing ftp control connection,
+ thus we want to allow it to let packets
+ pass the firewall. The <code>RELATED</code> state, however, is only
+ valid for the very first packet of the outgoing TCP connection for the
+ ftp data path. Afterwards, the state to compare against is
+ <code>ESTABLISHED</code>, which then applies equally
+ to the incoming and outgoing direction. All this is related to the ftp
+ data traffic origination from TCP port 20 of the VM. This then leads to
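Review bot: "thus we want to allow it to let packets pass the firewall" says the same thing twice; suggest "and therefore want to let its packets pass the firewall". On the penultimate line, "the ftp data traffic origination from TCP port 20" should be "originating from TCP port 20". Since the text states that ESTABLISHED "applies equally to the incoming and outgoing direction", it would help to say explicitly that two rules are needed, one per direction, both matching ESTABLISHED and port 20, rather than leaving the reader to infer it from the rule listing that follows.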


+ <p>
+ Before trying out a filter using the <code>RELATED</code> state,
+ you have to make sure that the approriate connection tracking module
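Review bot: Typo: "approriate" should be "appropriate". Because RELATED matching for the ftp data connection depends entirely on the FTP connection-tracking helper, this sentence should name the module (nf_conntrack_ftp on current kernels, ip_conntrack_ftp on older ones) and show how to verify it, e.g. `lsmod | grep conntrack_ftp` followed by `modprobe nf_conntrack_ftp` if it is absent; without the helper the data connection's first packet is classified NEW, the RELATED rule never matches, and the filter silently drops active-mode ftp.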


Other than those nits, looks good to me.

I corrected the text and pushed it.

