[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 4/9] add DHCP snooping support to nwfilter



David Stevens/Beaverton/IBM IBMUS wrote on 05/09/2011 04:06:29 PM:

>
> This patch simplifies the table rules by setting the protocol chainspolicy to
> be "DROP" and removes the explicit "-j DROP" entries that the protocol rules
> had previously. It also makes "no-other-rarp-traffic.xml" obsolete.
>
> Signed-off-by: David L Stevens <dlstevens us ibm com>


> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/
> nwfilter/nwfilter_ebiptables_driver.c
> index fa6f719..dc0ad2e 100644
> --- a/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -2783,7 +2783,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
>          protostr[0] = '\0';
>  
>      virBufferVSprintf(buf,
> -                      CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
> +                      CMD_DEF("%s -t %s -N %s -P DROP") CMD_SEPARATOR
>                        CMD_EXEC
>                        "%s"
>                        CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR



So now this command puts the default policy of every ebtables chain to end with an implicit drop. What if I had previously
created a filter assuming an implicit accept, which is the current behavior? Now that filter wouldn't work correctly anymore
since my packets all get droped. Is this change really necessary?

   Stefan

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]