
Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy "DROP"



On 10/12/2011 03:50 PM, David L Stevens wrote:
	This patch simplifies the table rules by setting the protocol chains'
policy to "DROP" and removes the explicit "-j DROP" entries that the
protocol rules had previously. It also makes "no-other-rarp-traffic.xml"
obsolete.
I agree with Daniel's previous comments that this could introduce compatibility problems. It would be best not to change it, or, if it is really needed, to later introduce an XML attribute on a chain that allows choosing whether the default policy is accept or drop.

 Stefan

Signed-off-by: David L Stevens<dlstevens us ibm com>
---
  examples/xml/nwfilter/Makefile.am               |    1 -
  examples/xml/nwfilter/no-arpip-spoofing.xml     |    2 --
  examples/xml/nwfilter/no-arpmac-spoofing.xml    |    2 --
  examples/xml/nwfilter/no-ip-spoofing.xml        |    2 --
  examples/xml/nwfilter/no-mac-spoofing.xml       |    2 --
  examples/xml/nwfilter/no-other-rarp-traffic.xml |    3 ---
  examples/xml/nwfilter/qemu-announce-self.xml    |    1 -
  src/nwfilter/nwfilter_ebiptables_driver.c       |   11 +----------
  8 files changed, 1 insertions(+), 23 deletions(-)
  delete mode 100644 examples/xml/nwfilter/no-other-rarp-traffic.xml

diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
index 84aaa3c..67085fa 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -18,7 +18,6 @@ FILTERS = \
  	no-mac-broadcast.xml \
  	no-mac-spoofing.xml \
  	no-other-l2-traffic.xml \
-	no-other-rarp-traffic.xml \
  	qemu-announce-self.xml \
  	qemu-announce-self-rarp.xml

diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml b/examples/xml/nwfilter/no-arpip-spoofing.xml
index ee42d40..7ef6f0f 100644
--- a/examples/xml/nwfilter/no-arpip-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -7,6 +7,4 @@
     <rule action='return' direction='out' priority='410'>
         <arp match='yes' arpsrcipaddr='0.0.0.0' />
     </rule>
-<!-- drop everything else -->
-<rule action='drop' direction='out' priority='1000' />
  </filter>
diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml b/examples/xml/nwfilter/no-arpmac-spoofing.xml
index 90499d3..3834047 100644
--- a/examples/xml/nwfilter/no-arpmac-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -2,6 +2,4 @@
     <rule action='return' direction='out' priority='350'>
         <arp match='yes' arpsrcmacaddr='$MAC'/>
     </rule>
-<!-- drop everything else -->
-<rule action='drop' direction='out' priority='1000' />
  </filter>
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml
index 84e8a5e..2fccd12 100644
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -4,6 +4,4 @@
      <rule action='return' direction='out'>
          <ip match='yes' srcipaddr='$IP' />
      </rule>
-<!-- drop any that don't match the source IP list -->
-<rule action='drop' direction='out' />
  </filter>
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml b/examples/xml/nwfilter/no-mac-spoofing.xml
index aee56c7..e2e8c03 100644
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -4,6 +4,4 @@
     <rule action='return' direction='out' priority='350'>
         <mac match='yes' srcmacaddr='$MAC'/>
     </rule>
-<!-- drop everything else -->
-<rule action='drop' direction='out' priority='1000' />
  </filter>
diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml b/examples/xml/nwfilter/no-other-rarp-traffic.xml
deleted file mode 100644
index 7729996..0000000
--- a/examples/xml/nwfilter/no-other-rarp-traffic.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<filter name='no-other-rarp-traffic' chain='rarp'>
-<rule action='drop' direction='inout' priority='1000'/>
-</filter>
diff --git a/examples/xml/nwfilter/qemu-announce-self.xml b/examples/xml/nwfilter/qemu-announce-self.xml
index 352db50..12957b5 100644
--- a/examples/xml/nwfilter/qemu-announce-self.xml
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -8,6 +8,5 @@

      <!-- accept if it was changed to rarp -->
      <filterref filter='qemu-announce-self-rarp'/>
-<filterref filter='no-other-rarp-traffic'/>

  </filter>
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 3c6fca7..e6a4880 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2791,7 +2791,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
          protostr[0] = '\0';

      virBufferAsprintf(buf,
-                      CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
+                      CMD_DEF("%s -t %s -N %s -P DROP") CMD_SEPARATOR
                        CMD_EXEC
                        "%s"
                        CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR
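Review bot: The `-P DROP` appended to the `-N` command establishes a contract that every protocol subchain, and every XML filter compiled into one, now depends on, yet nothing at the call site records it; a short comment above the virBufferAsprintf call would spare the next reader a trip to the ebtables man page. Something like `/* Subchains are created with policy DROP: traffic matched by no rule in the chain is dropped, so filter rules only need to name what is allowed. */`. Unlike iptables user chains, ebtables user-defined chains carry a policy of their own, which is what this relies on; whether an iptables/ip6tables counterpart of this function gets an equivalent default is not visible in this hunk. ebtablesCreateTmpSubChain starts and ends outside the hunk.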
@@ -3015,15 +3015,6 @@ ebtablesApplyBasicRules(const char *ifname,

      PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
      virBufferAsprintf(&buf,
-                      CMD_DEF("%s -t %s -A %s -s ! %s -j DROP") CMD_SEPARATOR
-                      CMD_EXEC
-                      "%s",
-
-                      ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
-                      chain, macaddr_str,
-                      CMD_STOPONERR(1));
-
-    virBufferAsprintf(&buf,
                        CMD_DEF("%s -t %s -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR
                        CMD_EXEC
                        "%s",
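Review bot: Removing the `-s ! %s -j DROP` rule from ebtablesApplyBasicRules discards the only check on the source MAC in this chain, and a DROP policy cannot stand in for it: the rule that follows, `-p IPv4 -j ACCEPT`, matches on protocol alone, so an IPv4 frame with a forged source address is accepted before any chain policy is consulted. Either keep the removed rule, or qualify the remaining ACCEPT rules with the interface MAC, e.g. `CMD_DEF("%s -t %s -A %s -s %s -p IPv4 -j ACCEPT") CMD_SEPARATOR` with `macaddr_str` inserted in the argument list after `chain`, and likewise for the other ACCEPT rules in this function. If a later patch in the series reinstates the source check, a sentence in the commit message saying so would make that clear. The function starts and ends outside the hunk.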

