[libvirt] [libvirt PATCHv3 05/10] allow chain modification

Stefan Berger stefanb at linux.vnet.ibm.com
Mon Oct 17 18:32:43 UTC 2011


On 10/17/2011 01:58 PM, David Stevens wrote:
> Stefan Berger<stefanb at linux.vnet.ibm.com>  wrote on 10/17/2011 10:31:29
> AM:
>
>
>>> was not.
>> Yes, then I understood this correctly. See the other mails regarding the
>> problems I am seeing with it. If there was a way to figure out at what
>> position to insert a rule into an existing chain, i.e. at position 5,
>> rather than always at the end, we could use this addRules() call,
>> otherwise I find it very limiting.
>          I'm not sure if I answered this already for you or not, but you
> can -- by using the priority in the rule. If we don't use the policy
> and so have to have a "-j DROP" at the end, then we'd want the original
> filter to use "-1" (if I'm remembering correctly -- 1 before end??). You
> can specify the rule be added at any point; "IP" rules would all have
> the same priority, because they originate from the same line in the
> filter,
> but you can use the priority to offset from the end or beginning, or
> any fixed point in the chain.
>
>                                                          +-DLS
>
> PS - I haven't tried using negative priorities with nwfilter, but
>          ebtables/iptables supports it, at least.
The ebtables / iptables insertion of rules is based on the position of the 
rule relative to other existing rules and has nothing to do with 
nwfilter priority, which serves the sorting of rules relative to each other 
beyond what their occurrence in the XML provides. So the priority 
doesn't map directly into the position of the rule as ebtables/iptables 
needs it.

     Stefan
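The position-versus-priority distinction discussed above, as an added illustration that is not part of the original thread or of libvirt's code: nwfilter-style priorities (assumed here to follow libvirt's convention, lower number first) are a sort key, while `iptables -I CHAIN N` needs a 1-based slot computed against the rules already present. The helper below keeps a model of the chain, derives the slot for each new rule from the existing contents, and emits the command text without running it; the chain name `FWD-demo` and the rule specs are constructed sample data.

```python
"""Map nwfilter-style rule priorities onto iptables insertion positions.

Added example (not libvirt code). Assumption: lower priority value means
the rule should appear earlier in the chain, as libvirt's nwfilter does.
Nothing here executes iptables; commands are returned as strings so the
mapping can be inspected or dry-run.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    priority: int  # sort key only; NOT an iptables position
    spec: str      # iptables match/target arguments, e.g. "-p tcp --dport 22 -j ACCEPT"


def insert_position(chain: List[Rule], new_rule: Rule) -> int:
    """Return the 1-based `-I` slot that keeps `chain` sorted by priority.

    Rules of equal priority (e.g. several IP rules generated from one
    filter line) are placed after the ones already present, so relative
    order stays stable. The result depends on the chain's current
    contents, which is why a priority alone cannot be handed to iptables.
    """
    pos = 1
    for existing in chain:
        if existing.priority <= new_rule.priority:
            pos += 1
        else:
            break
    return pos


def insert_rule(chain: List[Rule], new_rule: Rule) -> int:
    """Insert `new_rule` into the in-memory chain model; return its slot."""
    pos = insert_position(chain, new_rule)
    chain.insert(pos - 1, new_rule)
    return pos


def iptables_insert_command(chain_name: str, rule: Rule, pos: int) -> str:
    """Render the incremental form: insert at an explicit position."""
    return f"iptables -I {chain_name} {pos} {rule.spec}"


def iptables_rebuild_commands(chain_name: str, rules: List[Rule]) -> List[str]:
    """Render the from-scratch form: flush, then append in priority order.

    When the whole chain is rebuilt, sorting by priority and using `-A`
    is enough; positions only matter for incremental modification.
    """
    ordered = sorted(rules, key=lambda r: r.priority)  # stable sort
    return [f"iptables -F {chain_name}"] + [
        f"iptables -A {chain_name} {r.spec}" for r in ordered
    ]


if __name__ == "__main__":
    # Constructed sample: a final DROP rule gets the highest priority so
    # that every later insertion lands in front of it.
    chain: List[Rule] = []
    for rule in (
        Rule(1000, "-j DROP"),
        Rule(100, "-p tcp --dport 22 -j ACCEPT"),
        Rule(200, "-p udp --dport 53 -j ACCEPT"),
        Rule(150, "-p icmp -j ACCEPT"),
        Rule(150, "-p tcp --dport 80 -j ACCEPT"),  # same priority, same line
    ):
        slot = insert_rule(chain, rule)
        print(iptables_insert_command("FWD-demo", rule, slot))
    print("\n".join(iptables_rebuild_commands("FWD-demo", chain)))
```

Run as a script it prints the incremental `-I` commands, showing that two rules with the same priority 150 land in slots 2 and 3, and that the slot for any priority shifts as the chain fills; the rebuild form at the end needs no positions at all.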