
[libvirt] [PATCH V1 2/2] nwfilter: Add filtering for IP layer 4 protocols



This patch introduces a new ipl4 XML node for filtering of IP layer 4
protocols and their common layer 3 and 2 parameters.

Also extend the XML schema and add documentation and test cases. The test cases
are also used for the TCK test cases.

---
 docs/formatnwfilter.html.in                 |  184 +++++++++++++++++++++++++++-
 docs/schemas/nwfilter.rng                   |   24 +++
 src/conf/nwfilter_conf.c                    |   64 ++++++++-
 src/conf/nwfilter_conf.h                    |    9 +
 src/nwfilter/nwfilter_ebiptables_driver.c   |   39 +++++
 tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml  |   19 ++
 tests/nwfilterxml2xmlin/ipl4-test.xml       |   18 ++
 tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml |   12 +
 tests/nwfilterxml2xmlout/ipl4-test.xml      |   12 +
 tests/nwfilterxml2xmltest.c                 |    2 
 10 files changed, 372 insertions(+), 11 deletions(-)

Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -108,6 +108,7 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V
               "ah",
               "sctp",
               "all",
+              "ipl4",
               "tcp-ipv6",
               "icmpv6",
               "udp-ipv6",
@@ -115,7 +116,8 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V
               "esp-ipv6",
               "ah-ipv6",
               "sctp-ipv6",
-              "all-ipv6");
+              "all-ipv6",
+              "ipl4-ipv6");
 
 
 /*
@@ -759,8 +761,8 @@ static const struct int_map ipProtoMap[]
 static bool
 checkIPProtocolID(enum attrDatatype datatype,
                   union data *value,
-                  virNWFilterRuleDefPtr nwf,
-                  nwItemDesc *item ATTRIBUTE_UNUSED)
+                  virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED,
+                  nwItemDesc *item)
 {
     int32_t res = -1;
 
@@ -774,8 +776,8 @@ checkIPProtocolID(enum attrDatatype data
     }
 
     if (res != -1) {
-        nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8 = res;
-        nwf->p.ipHdrFilter.ipHdr.dataProtocolID.datatype = datatype;
+        item->u.u8 = res;
+        item->datatype = datatype;
         return true;
     }
     return false;
@@ -784,21 +786,21 @@ checkIPProtocolID(enum attrDatatype data
 
 static bool
 formatIPProtocolID(virBufferPtr buf,
-                   virNWFilterRuleDefPtr nwf,
-                   nwItemDesc *item ATTRIBUTE_UNUSED)
+                   virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED,
+                   nwItemDesc *item)
 {
     const char *str = NULL;
     bool asHex = true;
 
     if (intMapGetByInt(ipProtoMap,
-                       nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8,
+                       item->u.u8,
                        &str) == 0) {
         virBufferAdd(buf, str, -1);
     } else {
-        if (nwf->p.ipHdrFilter.ipHdr.dataProtocolID.datatype == DATATYPE_UINT8)
+        if (item->datatype == DATATYPE_UINT8)
             asHex = false;
         virBufferAsprintf(buf, asHex ? "0x%x" : "%d",
-                          nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8);
+                          item->u.u8);
     }
     return true;
 }
@@ -1677,6 +1679,20 @@ static const virXMLAttr2Struct allAttrib
     }
 };
 
+static const virXMLAttr2Struct ipl4Attributes[] = {
+    COMMON_IP_PROPS(ipl4HdrFilter, DATATYPE_IPADDR, DATATYPE_IPMASK),
+    {
+        .name = "protocol",
+        .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX | DATATYPE_STRING,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.ipl4HdrFilter.ipHdr.dataProtocolID),
+        .validator= checkIPProtocolID,
+        .formatter= formatIPProtocolID,
+    },
+    COMMENT_PROP_IPHDR(ipl4HdrFilter),
+    {
+        .name = NULL,
+    }
+};
 
 static const virXMLAttr2Struct igmpAttributes[] = {
     COMMON_IP_PROPS(igmpHdrFilter, DATATYPE_IPADDR, DATATYPE_IPMASK),
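Review bot: The new attribute is registered as `.name = "protocol"`, and the fixtures in this patch use `protocol='udp'`, but the documentation added later in the same patch calls it `protocolid` in both the IPL4 and IPL4-over-IPv6 tables and in the sentence "the protocol ID is provided through the protocolid attribute"; since the schema and tests already use `protocol`, the doc text should be changed to match. The doc section for the IPv6 variant also says "Protocol ID: ipl4" while the element registered for it is `ipl4-ipv6`. This table is repeated almost verbatim as `ipl4ipv6Attributes` in the next hunk, differing only in the address datatypes; a comment on each such as `/* keep the "protocol" entry in sync with ipl4ipv6Attributes */` (or hoisting that entry into a macro next to COMMON_IP_PROPS) would keep the two from drifting apart.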
@@ -1775,6 +1791,20 @@ static const virXMLAttr2Struct allipv6At
     }
 };
 
+static const virXMLAttr2Struct ipl4ipv6Attributes[] = {
+    COMMON_IP_PROPS(ipl4HdrFilter, DATATYPE_IPV6ADDR, DATATYPE_IPV6MASK),
+    {
+        .name = "protocol",
+        .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX | DATATYPE_STRING,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.ipl4HdrFilter.ipHdr.dataProtocolID),
+        .validator= checkIPProtocolID,
+        .formatter= formatIPProtocolID,
+    },
+    COMMENT_PROP_IPHDR(ipl4HdrFilter),
+    {
+        .name = NULL,
+    }
+};
 
 typedef struct _virAttributes virAttributes;
 struct _virAttributes {
@@ -1804,6 +1834,7 @@ static const virAttributes virAttr[] = {
     PROTOCOL_ENTRY("sctp"   , sctpAttributes   , VIR_NWFILTER_RULE_PROTOCOL_SCTP),
     PROTOCOL_ENTRY("icmp"   , icmpAttributes   , VIR_NWFILTER_RULE_PROTOCOL_ICMP),
     PROTOCOL_ENTRY("all"    , allAttributes    , VIR_NWFILTER_RULE_PROTOCOL_ALL),
+    PROTOCOL_ENTRY("ipl4"    , ipl4Attributes    , VIR_NWFILTER_RULE_PROTOCOL_IPL4),
     PROTOCOL_ENTRY("igmp"   , igmpAttributes   , VIR_NWFILTER_RULE_PROTOCOL_IGMP),
     PROTOCOL_ENTRY("tcp-ipv6"    , tcpipv6Attributes    , VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6),
     PROTOCOL_ENTRY("udp-ipv6"    , udpipv6Attributes    , VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6),
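Review bot: The added `PROTOCOL_ENTRY("ipl4"    , ipl4Attributes    , ...)` row breaks the column alignment the neighbouring rows keep; `PROTOCOL_ENTRY("ipl4"   , ipl4Attributes   , VIR_NWFILTER_RULE_PROTOCOL_IPL4),` lines up with the `all` row above it. The `ipl4-ipv6` entry in the next hunk has the same one-space-too-many before each comma relative to the `all-ipv6` row.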
@@ -1813,6 +1844,7 @@ static const virAttributes virAttr[] = {
     PROTOCOL_ENTRY("sctp-ipv6"   , sctpipv6Attributes   , VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6),
     PROTOCOL_ENTRY("icmpv6"      , icmpv6Attributes     , VIR_NWFILTER_RULE_PROTOCOL_ICMPV6),
     PROTOCOL_ENTRY("all-ipv6"    , allipv6Attributes    , VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6),
+    PROTOCOL_ENTRY("ipl4-ipv6"    , ipl4ipv6Attributes    , VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6),
     PROTOCOL_ENTRY_LAST
 };
 
@@ -2313,6 +2345,18 @@ virNWFilterRuleDefFixup(virNWFilterRuleD
                       rule->p.allHdrFilter.ipHdr.dataDstIPFrom);
     break;
 
+    case VIR_NWFILTER_RULE_PROTOCOL_IPL4:
+    case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6:
+        COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataSrcIPMask,
+                      rule->p.ipl4HdrFilter.ipHdr.dataSrcIPAddr);
+        COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataDstIPMask,
+                      rule->p.ipl4HdrFilter.ipHdr.dataDstIPAddr);
+        COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataSrcIPTo,
+                      rule->p.ipl4HdrFilter.ipHdr.dataSrcIPFrom);
+        COPY_NEG_SIGN(rule->p.ipl4HdrFilter.ipHdr.dataDstIPTo,
+                      rule->p.ipl4HdrFilter.ipHdr.dataDstIPFrom);
+    break;
+
     case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
         COPY_NEG_SIGN(rule->p.igmpHdrFilter.ipHdr.dataSrcIPMask,
                       rule->p.igmpHdrFilter.ipHdr.dataSrcIPAddr);
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -284,6 +284,12 @@ struct _allHdrFilterDef {
     ipHdrDataDef  ipHdr;
 };
 
+typedef struct _ipl4HdrFilterDef  ipl4HdrFilterDef;
+typedef ipl4HdrFilterDef *ipl4HdrFilterDefPtr;
+struct _ipl4HdrFilterDef {
+    nwItemDesc    dataSrcMACAddr;
+    ipHdrDataDef  ipHdr;
+};
 
 typedef struct _igmpHdrFilterDef  igmpHdrFilterDef;
 typedef igmpHdrFilterDef *igmpHdrFilterDefPtr;
@@ -389,6 +395,7 @@ enum virNWFilterRuleProtocolType {
     VIR_NWFILTER_RULE_PROTOCOL_AH,
     VIR_NWFILTER_RULE_PROTOCOL_SCTP,
     VIR_NWFILTER_RULE_PROTOCOL_ALL,
+    VIR_NWFILTER_RULE_PROTOCOL_IPL4,
     VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6,
     VIR_NWFILTER_RULE_PROTOCOL_ICMPV6,
     VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6,
@@ -397,6 +404,7 @@ enum virNWFilterRuleProtocolType {
     VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6,
     VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6,
     VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6,
+    VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6,
 
     VIR_NWFILTER_RULE_PROTOCOL_LAST
 };
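Review bot: `VIR_NWFILTER_RULE_PROTOCOL_IPL4` is inserted directly after `_ALL`, and `_IPL4oIPV6` directly after `_ALLoIPV6`, so each new value lands just past what was previously the last member of its IPv4 or IPv6 group. If anything in this header or in the drivers classifies a rule by comparing `prtclType` against the first and last member of a group (a range check of that kind is a common pattern) rather than by explicit case labels, both new values would fall outside those ranges; no such helper is visible in this patch, so this is worth verifying rather than a confirmed defect. Either way, a one-line comment on the enum such as `/* IPv4 protocols come first, IPv6 protocols second; keep each group contiguous */` would make the ordering constraint explicit for the next addition.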
@@ -469,6 +477,7 @@ struct _virNWFilterRuleDef {
         espHdrFilterDef  espHdrFilter;
         ahHdrFilterDef  ahHdrFilter;
         allHdrFilterDef  allHdrFilter;
+        ipl4HdrFilterDef  ipl4HdrFilter;
         igmpHdrFilterDef igmpHdrFilter;
         sctpHdrFilterDef sctpHdrFilter;
     } p;
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1633,6 +1633,43 @@ _iptablesCreateRuleInstance(int directio
 
     break;
 
+    case VIR_NWFILTER_RULE_PROTOCOL_IPL4:
+    case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6:
+        virBufferAsprintf(&buf,
+                          CMD_DEF_PRE "$IPT -%%c %s %%s",
+                          chain);
+
+        if (HAS_ENTRY_ITEM(&rule->p.ipl4HdrFilter.ipHdr.dataProtocolID)) {
+            if (printDataTypeAsHex(vars,
+                                   number, sizeof(number),
+                                   &rule->p.ipl4HdrFilter.ipHdr.dataProtocolID) < 0)
+                goto err_exit;
+            virBufferAsprintf(&buf,
+                          " -p %s %s",
+                          ENTRY_GET_NEG_SIGN(&rule->p.ipl4HdrFilter.ipHdr.dataProtocolID),
+                          number);
+        }
+
+        bufUsed = virBufferUse(&buf);
+
+        if (iptablesHandleSrcMacAddr(&buf,
+                                     vars,
+                                     &rule->p.ipl4HdrFilter.dataSrcMACAddr,
+                                     directionIn,
+                                     &srcMacSkipped) < 0)
+            goto err_exit;
+
+        if (iptablesHandleIpHdr(&buf,
+                                &afterStateMatch,
+                                vars,
+                                &rule->p.ipl4HdrFilter.ipHdr,
+                                directionIn,
+                                &skipRule, &skipMatch,
+                                &prefix) < 0)
+            goto err_exit;
+
+    break;
+
     default:
         return -1;
     }
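Review bot: The protocol match is emitted as `" -p %s %s"` with the negation sign placed between the option and its value, so a negated protocol is rendered as `-p ! <num>`; iptables deprecated this intrapositioned form in favour of `! -p <num>`, and newer releases reject it. Whether the rest of this driver already emits the prefix form cannot be seen from the hunk, but the new code should use whichever form `iptablesHandleIpHdr` produces for `-s`/`-d`, so that a single rule does not mix both. The continuation lines of that second `virBufferAsprintf` call are also indented four columns short of the opening parenthesis, unlike the call above it. The enclosing `_iptablesCreateRuleInstance` switch starts and ends outside the hunk.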
@@ -2656,6 +2693,7 @@ ebiptablesCreateRuleInstance(enum virDom
     case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
     case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
     case VIR_NWFILTER_RULE_PROTOCOL_ALL:
+    case VIR_NWFILTER_RULE_PROTOCOL_IPL4:
         isIPv6 = 0;
         rc = iptablesCreateRuleInstance(nwfilter,
                                         rule,
@@ -2673,6 +2711,7 @@ ebiptablesCreateRuleInstance(enum virDom
     case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6:
     case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6:
     case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6:
+    case VIR_NWFILTER_RULE_PROTOCOL_IPL4oIPV6:
         isIPv6 = 1;
         rc = iptablesCreateRuleInstance(nwfilter,
                                         rule,
Index: libvirt-acl/docs/schemas/nwfilter.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -167,6 +167,18 @@
             </optional>
             <optional>
               <zeroOrMore>
+                <element name="ipl4">
+                  <ref name="match-attribute"/>
+                  <ref name="srcmac-attribute"/>
+                  <ref name="common-ip-attributes-p1"/>
+                  <ref name="common-ip-attributes-p2"/>
+                  <ref name="ip-attributes"/>
+                  <ref name="comment-attribute"/>
+                </element>
+              </zeroOrMore>
+            </optional>
+            <optional>
+              <zeroOrMore>
                 <element name="esp">
                   <ref name="match-attribute"/>
                   <ref name="srcmac-attribute"/>
@@ -257,6 +269,18 @@
                   <ref name="comment-attribute"/>
                 </element>
               </zeroOrMore>
+            </optional>
+            <optional>
+              <zeroOrMore>
+                <element name="ipl4-ipv6">
+                  <ref name="match-attribute"/>
+                  <ref name="srcmac-attribute"/>
+                  <ref name="common-ipv6-attributes-p1"/>
+                  <ref name="common-ipv6-attributes-p2"/>
+                  <ref name="ip-attributes"/>
+                  <ref name="comment-attribute"/>
+                </element>
+              </zeroOrMore>
             </optional>
             <optional>
               <zeroOrMore>
Index: libvirt-acl/tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/ipl4-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6'
+                dstipaddr='a:b:c::d:e:f' dstipmask='128'
+                srcipaddr='f:e:d::c:b:a' srcipmask='127'
+                dscp='2' protocol='254'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6'
+                srcipaddr='a:b:c::' srcipmask='128'
+                dscp='33' protocol='udp'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <ipl4-ipv6 srcmacaddr='1:2:3:4:5:6'
+                srcipaddr='::10.1.2.3' srcipmask='129'
+                dscp='33' protocol='tcp'/>
+  </rule>
+</filter>
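Review bot: The third rule uses `srcipmask='129'`, which exceeds the maximum IPv6 prefix length of 128, and the expected output for this fixture keeps `srcipaddr='::10.1.2.3'` but omits the mask, so the test pins down that an out-of-range mask is silently discarded rather than causing the rule to be rejected. If that is deliberate (the value looks inherited from the existing *-ipv6 fixtures), a comment on that rule such as `<!-- srcipmask is out of range on purpose: expected to be dropped from the output -->` would make the intent visible; if it is not, the input should use a valid prefix and rejection should be covered by a separate negative test. The IPv4 fixture in the next file has no equivalent out-of-range case.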
Index: libvirt-acl/tests/nwfilterxml2xmlin/ipl4-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/ipl4-test.xml
@@ -0,0 +1,18 @@
+<filter name='testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <ipl4 srcmacaddr='1:2:3:4:5:6'
+           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+           dscp='2' protocol='254'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <ipl4 srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33' protocol='udp'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <ipl4 srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33' protocol='tcp'/>
+  </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/ipl4-ipv6-test.xml
@@ -0,0 +1,12 @@
+<filter name='testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out' priority='500'>
+    <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='f:e:d::c:b:a' srcipmask='127' dstipaddr='a:b:c::d:e:f' dstipmask='128' dscp='2' protocol='254'/>
+  </rule>
+  <rule action='accept' direction='in' priority='500'>
+    <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='a:b:c::' srcipmask='128' dscp='33' protocol='udp'/>
+  </rule>
+  <rule action='accept' direction='in' priority='500'>
+    <ipl4-ipv6 srcmacaddr='01:02:03:04:05:06' srcipaddr='::10.1.2.3' dscp='33' protocol='tcp'/>
+  </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmlout/ipl4-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/ipl4-test.xml
@@ -0,0 +1,12 @@
+<filter name='testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out' priority='500'>
+    <ipl4 srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32' dscp='2' protocol='254'/>
+  </rule>
+  <rule action='accept' direction='in' priority='500'>
+    <ipl4 srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='22' dscp='33' protocol='udp'/>
+  </rule>
+  <rule action='accept' direction='in' priority='500'>
+    <ipl4 srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='22' dscp='33' protocol='tcp'/>
+  </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmltest.c
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmltest.c
+++ libvirt-acl/tests/nwfilterxml2xmltest.c
@@ -124,6 +124,7 @@ mymain(void)
     DO_TEST("esp-test", false);
     DO_TEST("ah-test", false);
     DO_TEST("all-test", false);
+    DO_TEST("ipl4-test", false);
 
     DO_TEST("tcp-ipv6-test", true);
     DO_TEST("udp-ipv6-test", true);
@@ -133,6 +134,7 @@ mymain(void)
     DO_TEST("esp-ipv6-test", true);
     DO_TEST("ah-ipv6-test", true);
     DO_TEST("all-ipv6-test", true);
+    DO_TEST("ipl4-ipv6-test", true);
 
     DO_TEST("ref-test", false);
     DO_TEST("ref-rule-test", false);
Index: libvirt-acl/docs/formatnwfilter.html.in
===================================================================
--- libvirt-acl.orig/docs/formatnwfilter.html.in
+++ libvirt-acl/docs/formatnwfilter.html.in
@@ -1066,7 +1066,7 @@
        <tr>
          <td>protocol</td>
          <td>UINT8, STRING</td>
-         <td>Layer 4 protocol identifier</td>
+         <td>Layer 4 protocol identifier; names of the most common protocols are supported (see 1st column in /etc/protocols)</td>
        </tr>
        <tr>
          <td>srcportstart</td>
@@ -1510,6 +1510,97 @@
       <br/><br/>
     </p>
 
+    <h5><a name="nwfelemsRulesProtoIPl4">IPL4</a>
+      <span class="since">(Since 0.10.2)</span>
+    </h5>
+    <p>
+      Protocol ID: ipl4; the protocol ID is provided through the protocolid
+      attribute
+      <br/>
+      Note: The chain parameter is ignored for this type of traffic
+      and should either be omitted or set to <code>root</code>.
+    </p>
+      <table class="top_table">
+       <tr>
+         <th> Attribute </th>
+         <th> Datatype </th>
+         <th> Semantics </th>
+       </tr>
+       <tr>
+         <td>srcmacaddr</td>
+         <td>MAC_ADDR</td>
+         <td>MAC address of sender</td>
+       </tr>
+       <tr>
+         <td>protocolid</td>
+         <td>UINT8, STRING</td>
+         <td>Layer 4 protocol ID; names of the most common protocols are supported (see 1st column in /etc/protocols)</td>
+       </tr>
+       <tr>
+         <td>srcipaddr</td>
+         <td>IP_ADDR</td>
+         <td>Source IP address</td>
+       </tr>
+       <tr>
+         <td>srcipmask</td>
+         <td>IP_MASK</td>
+         <td>Mask applied to source IP address</td>
+       </tr>
+       <tr>
+         <td>dstipaddr</td>
+         <td>IP_ADDR</td>
+         <td>Destination IP address</td>
+       </tr>
+       <tr>
+         <td>dstipmask</td>
+         <td>IP_MASK</td>
+         <td>Mask applied to destination IP address</td>
+       </tr>
+       <tr>
+         <td>srcipfrom</td>
+         <td>IP_ADDR</td>
+         <td>Start of range of source IP address</td>
+       </tr>
+       <tr>
+         <td>srcipto</td>
+         <td>IP_ADDR</td>
+         <td>End of range of source IP address</td>
+       </tr>
+       <tr>
+         <td>dstipfrom</td>
+         <td>IP_ADDR</td>
+         <td>Start of range of destination IP address</td>
+       </tr>
+       <tr>
+         <td>dstipto</td>
+         <td>IP_ADDR</td>
+         <td>End of range of destination IP address</td>
+       </tr>
+       <tr>
+         <td>comment</td>
+         <td>STRING</td>
+         <td>text with max. 256 characters</td>
+       </tr>
+       <tr>
+         <td>state</td>
+         <td>STRING</td>
+         <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
+       </tr>
+       <tr>
+         <td>ipset</td>
+         <td>STRING</td>
+         <td>The name of an IPSet managed outside of libvirt</td>
+       </tr>
+       <tr>
+         <td>ipsetflags</td>
+         <td>IPSETFLAGS</td>
+         <td>flags for the IPSet; requires ipset attribute</td>
+       </tr>
+      </table>
+    <p>
+      <br/><br/>
+    </p>
+
 
     <h5><a name="nwfelemsRulesProtoTCP-ipv6">TCP/UDP/SCTP over IPV6</a></h5>
     <p>
@@ -1796,6 +1887,97 @@
          <td>IPSETFLAGS</td>
          <td>flags for the IPSet; requires ipset attribute</td>
        </tr>
+      </table>
+    <p>
+      <br/><br/>
+    </p>
+
+    <h5><a name="nwfelemsRulesProtoIPl4v6">IPL4 over IPv6</a>
+      <span class="since">(Since 0.10.2)</span>
+    </h5>
+    <p>
+      Protocol ID: ipl4; the protocol ID is provided through the protocolid
+      attribute
+      <br/>
+      Note: The chain parameter is ignored for this type of traffic
+      and should either be omitted or set to <code>root</code>.
+    </p>
+      <table class="top_table">
+       <tr>
+         <th> Attribute </th>
+         <th> Datatype </th>
+         <th> Semantics </th>
+       </tr>
+       <tr>
+         <td>srcmacaddr</td>
+         <td>MAC_ADDR</td>
+         <td>MAC address of sender</td>
+       </tr>
+       <tr>
+         <td>protocolid</td>
+         <td>UINT8, STRING</td>
+         <td>Layer 4 protocol ID</td>
+       </tr>
+       <tr>
+         <td>srcipaddr</td>
+         <td>IP_ADDR</td>
+         <td>Source IP address</td>
+       </tr>
+       <tr>
+         <td>srcipmask</td>
+         <td>IP_MASK</td>
+         <td>Mask applied to source IP address</td>
+       </tr>
+       <tr>
+         <td>dstipaddr</td>
+         <td>IP_ADDR</td>
+         <td>Destination IP address</td>
+       </tr>
+       <tr>
+         <td>dstipmask</td>
+         <td>IP_MASK</td>
+         <td>Mask applied to destination IP address</td>
+       </tr>
+       <tr>
+         <td>srcipfrom</td>
+         <td>IP_ADDR</td>
+         <td>Start of range of source IP address</td>
+       </tr>
+       <tr>
+         <td>srcipto</td>
+         <td>IP_ADDR</td>
+         <td>End of range of source IP address</td>
+       </tr>
+       <tr>
+         <td>dstipfrom</td>
+         <td>IP_ADDR</td>
+         <td>Start of range of destination IP address</td>
+       </tr>
+       <tr>
+         <td>dstipto</td>
+         <td>IP_ADDR</td>
+         <td>End of range of destination IP address</td>
+       </tr>
+       <tr>
+         <td>comment</td>
+         <td>STRING</td>
+         <td>text with max. 256 characters</td>
+       </tr>
+       <tr>
+         <td>state</td>
+         <td>STRING</td>
+         <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
+       </tr>
+       <tr>
+         <td>ipset</td>
+         <td>STRING</td>
+         <td>The name of an IPSet managed outside of libvirt</td>
+       </tr>
+       <tr>
+         <td>ipsetflags</td>
+         <td>IPSETFLAGS</td>
+         <td>flags for the IPSet; requires ipset attribute</td>
+       </tr>
       </table>
     <p>
       <br/><br/>

