
Re: [libvirt] [libvirt PATCH] support continue/return targets in nwfilter



Eric,
        Thanks -- looks good to me.

        "return" is useful for doing multiple chains on one packet -- "drop" if it isn't acceptable and "return" to do further checks in other chains for the acceptable ones.

        The current fixed set of protocol chains are mutually exclusive, which makes "return" not very interesting. It'll be very useful with user-defined chains, a separate MAC address chain that does protocol checks on the same packet after, or a separate IP source address chain to do multiple address checks before other port or higher protocol checks.

        Patches for at least one of these should go in soon I expect, and that will allow a nontrivial example for the documentation. With the current chains, a "return" will just get you to a "drop" or "accept" in the caller without any further checks on the same packet, so a "return" example with existing chains would be artificial.

        I'll do an example when one of the above use cases is in: probably best to leave it at what you have now until then.

                                                +-DLS

