[libvirt] [RFC PATCHv2 4/9] make default chain policy "DROP"

David Stevens dlstevens at us.ibm.com
Wed Oct 5 17:16:39 UTC 2011


"Daniel P. Berrange" <berrange at redhat.com> wrote on 10/05/2011 09:15:08 AM:
 
> What if they have created their own custom filters and written their
> filter on the assumption that the default policy was ACCEPT ? Surely
> this change will break their filter ?

        If their filter has "ACCEPT" or "DROP", that will be the action
for any matching packets -- the policy only applies when there is no
match. So filters that explicitly handle the disposition of a particular
packet have no change.
        The set of packets allowed from the standard filters is identical,
so additional filters that explicitly allow or deny some packets should
have no problem, and because "RETURN" and "CONTINUE" were not previously
supported before my patch to add them in this set, a subchain can't
directly rely on the default behavior of its parent chain in existing
custom filters.
        Certainly it is possible that some filters would need to change,
and especially those that modify the standard chains, but support for
multiple addresses without n^2 rules requires that. Whether it is
by changing the default policy or adding "-j DROP" at the end of every
chain, exactly the same set of existing filters would break -- those that
do not explicitly dispose of matching packets via ACCEPT or DROP. I think
that is the price for supporting multiple MAC and IP addresses without
exploding the number of rules to do the matching.

                                                                +-DLS
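A small model of the chain-policy argument above, added here as an example; it is not code from libvirt or from the thread. It assumes iptables-like traversal (falling off a user chain returns to the caller, and the policy decides only packets for which the top chain "in" gives no verdict), and all addresses, chain names and packets are constructed for the demo.

```python
ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"
ANY = lambda p: True                     # matches every packet

def walk(chains, name, pkt):
    """Traverse chain `name`; return ACCEPT/DROP, or None if it falls off."""
    for match, target in chains[name]:
        if not match(pkt):
            continue
        if target in (ACCEPT, DROP):
            return target
        if target == RETURN:             # back to the calling chain
            return None
        sub = walk(chains, target, pkt)  # jump into a user-defined sub-chain
        if sub is not None:
            return sub
    return None                          # fell off the end of the chain

def verdict(chains, pkt, policy):
    """The policy decides only packets the top chain "in" never disposes of."""
    return walk(chains, "in", pkt) or policy

def build_filters(macs, ips):
    # explicit allow-list: one MAC chain and one IP chain (n+m rules) that
    # RETURN on an allowed address and DROP otherwise, instead of n*m rules
    allow = {
        "mac": [(lambda p, m=m: p["mac"] == m, RETURN) for m in macs] + [(ANY, DROP)],
        "ip": [(lambda p, i=i: p["ip"] == i, RETURN) for i in ips] + [(ANY, DROP)],
        "in": [(ANY, "mac"), (ANY, "ip"), (ANY, ACCEPT)],
    }
    bad = lambda p: p["ip"] == "192.0.2.99"
    return {"explicit_allow": allow,
            "explicit_deny": {"in": [(bad, DROP), (ANY, ACCEPT)]},  # disposes of everything
            "implicit_deny": {"in": [(bad, DROP)]}}                # relies on the policy

def broken_by(filters, packets, old, new):
    """Filters whose verdicts differ between two setups; a setup is a
    (policy, append_drop) pair, append_drop adding "-j DROP" to the end of "in"."""
    def run(chains, policy, append_drop):
        top = chains["in"] + ([(ANY, DROP)] if append_drop else [])
        return [verdict({**chains, "in": top}, p, policy) for p in packets]
    return {n for n, c in filters.items() if run(c, *old) != run(c, *new)}

PACKETS = [{"mac": "52:54:00:00:00:01", "ip": "192.0.2.10"},  # allowed MAC and IP
           {"mac": "52:54:00:00:00:01", "ip": "192.0.2.99"},  # disallowed IP
           {"mac": "52:54:00:00:00:ee", "ip": "192.0.2.11"}]  # unknown MAC
FILTERS = build_filters(["52:54:00:00:00:01", "52:54:00:00:00:02"],
                        ["192.0.2.10", "192.0.2.11"])
# policy ACCEPT -> DROP, and policy ACCEPT plus a trailing "-j DROP", break the same set
print(broken_by(FILTERS, PACKETS, (ACCEPT, False), (DROP, False)),
      broken_by(FILTERS, PACKETS, (ACCEPT, False), (ACCEPT, True)))
```

Only the filter that leaves packets to the policy changes behaviour; the two filters that end every path in an explicit ACCEPT or DROP give the same verdicts under both policies.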



