[libvirt] [PATCH V2 00/10] Make inner workings of nwfilters more flexible + extensions

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Oct 19 19:25:27 UTC 2011


On 10/19/2011 03:02 PM, David Stevens wrote:
> Stefan,
> Can't you achieve the same thing by reserving an early block
> of priorities (and a late one, for system stuff that should be done late)?
The problem is that at the moment rules (in the 'root' table) can have 
priorities [0, 1000]. So nothing prevents one from writing a rule with 
priority 0. However, due to how nwfilters works right now the jumps into 
the protocol-specific tables will always be created *before* those 
rules. I am trying to address this now by assigning negative numbers 
to the chains to achieve the same sorting and maintain backwards 
compatibility.

> If you use negative numbers, then you lose the capability of
> ever extending priorities to interpret the negative number as "from the end"
> as done in ebtables/iptables line numbers. I think that is more useful, and
> having to do that outside of priorities would mean extra parsing and encoding
> to get that effect.
There is no relation between priorities and the ordering parameter to 
the ebtables / iptables commands. The priorities were introduced so that 
more complex filters can be built by composing them of individual 
filters and yet have their filtering rules be created in the 'proper' 
order, beyond how they are referenced through filter references inside 
the filters and their appearance in the XML.
I don't see how this could be changed, but I'd be curious to see 'how'.

> I also think that nwfilters ought to reflect the underlying filter
> mechanisms as much as possible. Really, I'd prefer they were simply
> parameterized shell scripts of ebtables/iptables commands run at significant
> events (start-up, shutdown, migrate) instead of XML-encoded things. Then
> the full feature sets of ebtables/iptables would be available "for free", instead
> of requiring libvirt patches to, e.g., add "return/continue" or multiple chains.
If you want to design another filtering subsystem for libvirt, please go 
ahead. nwfilters currently works with XML and I don't see that we can change 
that so easily.
> Barring that, at least I think what nwfilters provides should be a close
> map to ebtables/iptables capabilities. Mapping line numbers into a wide range
It was not intended to be a 1:1 mapping but to allow portability to other 
systems. Of course, the lack of similar functionality on other systems may 
be quite a bit of work to overcome first.
> of priorities is straightforward, but if you use negative numbers in an ordinary
> sort, you can no longer use the sign as ebtables/iptables does. Because
> you've limited the range, you could do something hacky with offsets (anything
> below "-1000" is "from the end" or some such), but that's arcane.
Right, 'arcane'...
> Using priorities in multiple places is very like programming in basic
> and what both ebtables/iptables and nwfilters could use better I think would
> be the capability to label rules by name and reference the label to identify the
> rule location. Then you might, e.g., add a rule at "myrules + 5" and don't care
> what particular priority/line number "myrules" is.
You have patches for that?

> +-DLS

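The ordering Stefan describes above (jumps into the protocol-specific chains emitted before any root-table rule, now expressed by giving the chains negative priorities while rules keep [0, 1000]), as an added Python model that is not libvirt's code; the chain names, their negative priority values and the sample rules are constructed assumptions:

```python
# Added model (not libvirt code) of how the nwfilter 'root' table is ordered.
# Rule priorities stay in the existing [0, 1000] range; chain jumps get
# negative priorities, so one stable sort places them before every rule,
# including a rule at priority 0, which reproduces the pre-patch ordering.

RULE_PRIO_MIN, RULE_PRIO_MAX = 0, 1000

# Constructed sample: chain names and their negative priorities are this
# example's choice, not values taken from the patch series.
CHAIN_PRIORITIES = {"arp": -500, "ipv4": -400, "ipv6": -300}
# Pre-patch behaviour modelled as a fixed, code-determined jump order.
LEGACY_CHAIN_ORDER = ["arp", "ipv4", "ipv6"]


def order_root_table(rules, chains=CHAIN_PRIORITIES):
    """rules: list of (priority, name). Returns entry names in emission order."""
    entries = []
    for prio, name in rules:
        if not RULE_PRIO_MIN <= prio <= RULE_PRIO_MAX:
            raise ValueError(f"rule {name}: priority {prio} outside "
                             f"[{RULE_PRIO_MIN}, {RULE_PRIO_MAX}]")
        entries.append((prio, name))
    for chain, prio in chains.items():
        if prio >= RULE_PRIO_MIN:
            # A chain at priority >= 0 could be sorted after a user rule.
            raise ValueError(f"chain {chain}: priority {prio} must be negative")
        entries.append((prio, f"jump:{chain}"))
    # sorted() is stable: equal priorities keep their XML order.
    return [name for _, name in sorted(entries, key=lambda e: e[0])]


def legacy_order(rules, chain_order=LEGACY_CHAIN_ORDER):
    """Pre-patch behaviour: all chain jumps first, then rules by priority."""
    jumps = [f"jump:{c}" for c in chain_order]
    return jumps + [n for _, n in sorted(rules, key=lambda r: r[0])]


# Constructed sample rules, including one at priority 0.
SAMPLE_RULES = [(500, "allow-dhcp"), (0, "drop-spoofed-mac"), (1000, "drop-all")]

if __name__ == "__main__":
    print(order_root_table(SAMPLE_RULES))
```

Swapping the sign convention (e.g. a chain at priority 0) is rejected, which is the case that would otherwise let a user rule sort ahead of a protocol chain.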