[libvirt] [libvirt PATCHv3 04/10] make default chain policy "DROP"

David L Stevens dlstevens at us.ibm.com
Wed Oct 12 19:50:15 UTC 2011


	This patch simplifies the table rules by setting the protocol chains'
policy to "DROP" and removing the explicit "-j DROP" entries that the
protocol rules previously carried. It also makes "no-other-rarp-traffic.xml"
obsolete.

Signed-off-by: David L Stevens <dlstevens at us.ibm.com>
---
 examples/xml/nwfilter/Makefile.am               |    1 -
 examples/xml/nwfilter/no-arpip-spoofing.xml     |    2 --
 examples/xml/nwfilter/no-arpmac-spoofing.xml    |    2 --
 examples/xml/nwfilter/no-ip-spoofing.xml        |    2 --
 examples/xml/nwfilter/no-mac-spoofing.xml       |    2 --
 examples/xml/nwfilter/no-other-rarp-traffic.xml |    3 ---
 examples/xml/nwfilter/qemu-announce-self.xml    |    1 -
 src/nwfilter/nwfilter_ebiptables_driver.c       |   11 +----------
 8 files changed, 1 insertions(+), 23 deletions(-)
 delete mode 100644 examples/xml/nwfilter/no-other-rarp-traffic.xml

diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
index 84aaa3c..67085fa 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -18,7 +18,6 @@ FILTERS = \
 	no-mac-broadcast.xml \
 	no-mac-spoofing.xml \
 	no-other-l2-traffic.xml \
-	no-other-rarp-traffic.xml \
 	qemu-announce-self.xml \
 	qemu-announce-self-rarp.xml
 
diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml b/examples/xml/nwfilter/no-arpip-spoofing.xml
index ee42d40..7ef6f0f 100644
--- a/examples/xml/nwfilter/no-arpip-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -7,6 +7,4 @@
    <rule action='return' direction='out' priority='410' >
        <arp match='yes' arpsrcipaddr='0.0.0.0' />
    </rule>
-   <!-- drop everything else -->
-   <rule action='drop' direction='out' priority='1000' />
 </filter>
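Review bot: With the explicit drop rule gone, nothing in this example tells a reader that unmatched frames are still dropped; the behaviour now comes from the chain policy the driver sets, which the XML does not show. A one-line comment where the removed rule stood would keep the example self-explanatory, e.g. `<!-- anything not matched above is dropped by the chain's default policy -->`. The same applies to the matching removals in no-arpmac-spoofing.xml, no-ip-spoofing.xml and no-mac-spoofing.xml. It would also be worth stating in the commit message that user-written filters relying on an unmatched frame leaving the chain unharmed are affected the same way.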
diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml b/examples/xml/nwfilter/no-arpmac-spoofing.xml
index 90499d3..3834047 100644
--- a/examples/xml/nwfilter/no-arpmac-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -2,6 +2,4 @@
    <rule action='return' direction='out' priority='350' >
        <arp match='yes' arpsrcmacaddr='$MAC'/>
    </rule>
-   <!-- drop everything else -->
-   <rule action='drop' direction='out' priority='1000' />
 </filter>
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml
index 84e8a5e..2fccd12 100644
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -4,6 +4,4 @@
     <rule action='return' direction='out'>
         <ip match='yes' srcipaddr='$IP' />
     </rule>
-    <!-- drop any that don't match the source IP list -->
-    <rule action='drop' direction='out' />
 </filter>
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml b/examples/xml/nwfilter/no-mac-spoofing.xml
index aee56c7..e2e8c03 100644
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -4,6 +4,4 @@
    <rule action='return' direction='out' priority='350' >
        <mac match='yes' srcmacaddr='$MAC'/>
    </rule>
-   <!-- drop everything else -->
-   <rule action='drop' direction='out' priority='1000' />
 </filter>
diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml b/examples/xml/nwfilter/no-other-rarp-traffic.xml
deleted file mode 100644
index 7729996..0000000
--- a/examples/xml/nwfilter/no-other-rarp-traffic.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<filter name='no-other-rarp-traffic' chain='rarp'>
-    <rule action='drop' direction='inout' priority='1000'/>
-</filter>
diff --git a/examples/xml/nwfilter/qemu-announce-self.xml b/examples/xml/nwfilter/qemu-announce-self.xml
index 352db50..12957b5 100644
--- a/examples/xml/nwfilter/qemu-announce-self.xml
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -8,6 +8,5 @@
 
     <!-- accept if it was changed to rarp -->
     <filterref filter='qemu-announce-self-rarp'/>
-    <filterref filter='no-other-rarp-traffic'/>
 
 </filter>
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 3c6fca7..e6a4880 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2791,7 +2791,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
         protostr[0] = '\0';
 
     virBufferAsprintf(buf,
-                      CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
+                      CMD_DEF("%s -t %s -N %s -P DROP") CMD_SEPARATOR
                       CMD_EXEC
                       "%s"
                       CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR
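Review bot: Adding `-P DROP` on the `-N` line turns every protocol sub-chain created here into a default-deny chain, which is a behaviour change for existing filters, not only a simplification: a user filter whose rules all `return` or `accept` specific traffic, and which previously let unmatched frames fall through to the parent chain, now silently drops them. Neither the code nor the commit message records that contract; a comment above the `virBufferAsprintf` call would help, e.g. `/* protocol sub-chains are default-deny: frames no rule accepts or returns are dropped */`, and the commit message should call out the compatibility impact. The creation of the root chain is not in this patch, so I cannot tell from here whether it gets the same policy; the body of ebtablesCreateTmpSubChain starts and ends outside the hunk.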
@@ -3015,15 +3015,6 @@ ebtablesApplyBasicRules(const char *ifname,
 
     PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
     virBufferAsprintf(&buf,
-                      CMD_DEF("%s -t %s -A %s -s ! %s -j DROP") CMD_SEPARATOR
-                      CMD_EXEC
-                      "%s",
-
-                      ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
-                      chain, macaddr_str,
-                      CMD_STOPONERR(1));
-
-    virBufferAsprintf(&buf,
                       CMD_DEF("%s -t %s -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR
                       CMD_EXEC
                       "%s",
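Review bot: The rule removed here, `-s ! %s -j DROP`, was a conditional anti-MAC-spoofing check on the root chain, not one of the redundant catch-all drops the commit message describes, and the rule that still follows it, `-p IPv4 -j ACCEPT`, accepts IPv4 frames regardless of their source MAC. A DROP policy on the protocol sub-chains does not reproduce that check, so unless the ACCEPT rules outside this hunk now carry `-s %s` with `macaddr_str`, frames with a forged source MAC pass the basic rules after this change. Either keep the removed rule or narrow the accepts, e.g. `CMD_DEF("%s -t %s -A %s -s %s -p IPv4 -j ACCEPT") CMD_SEPARATOR` with `macaddr_str` inserted before the `CMD_STOPONERR` argument. The body of ebtablesApplyBasicRules starts and ends outside the hunk.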
-- 
1.7.6.4



