[libvirt] [PATCH 4/9] add DHCP snooping support to nwfilter

Stefan Berger stefanb at us.ibm.com
Wed May 11 19:32:41 UTC 2011


David Stevens/Beaverton/IBM at IBMUS wrote on 05/09/2011 04:06:29 PM:

> 
> This patch simplifies the table rules by setting the protocol chains'
> policy to be "DROP" and removes the explicit "-j DROP" entries that the
> protocol rules had previously. It also makes "no-other-rarp-traffic.xml"
> obsolete.
> 
> Signed-off-by: David L Stevens <dlstevens at us.ibm.com>


> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/
> nwfilter/nwfilter_ebiptables_driver.c
> index fa6f719..dc0ad2e 100644
> --- a/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -2783,7 +2783,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
>          protostr[0] = '\0';
> 
>      virBufferVSprintf(buf,
> -                      CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
> +                      CMD_DEF("%s -t %s -N %s -P DROP") CMD_SEPARATOR
>                        CMD_EXEC
>                        "%s"
>                        CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR
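Review bot: the "-P DROP" added to the "-N" command in this hunk changes the default policy of every chain created by ebtablesCreateTmpSubChain from ebtables' implicit ACCEPT to DROP, so any existing filter whose rules only list the traffic to reject and relies on fall-through acceptance now drops everything. If the change stays, the commit message and the nwfilter documentation should state the new default explicitly; a safer shape would be to pass the policy into ebtablesCreateTmpSubChain as a parameter so only the chains the DHCP-snooping rules need get DROP and the others keep ACCEPT. Two further checks: confirm that the installed ebtables accepts -P on the same invocation as -N (the hunk bundles both into one CMD_DEF, so a rejected command line leaves no protocol chain at all), and note that the removal of the explicit "-j DROP" entries and of no-other-rarp-traffic.xml described in the commit message is not part of the quoted hunk, so it cannot be verified here.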


So now this command sets the default policy of every ebtables chain to end
with an implicit drop. What if I had previously created a filter assuming an
implicit accept, which is the current behavior? Now that filter wouldn't work
correctly anymore since my packets all get dropped. Is this change really
necessary?

   Stefan