David Stevens/Beaverton/IBM@IBMUS wrote on 05/09/2011 04:06:29 PM:

> This patch simplifies the table rules by setting the protocol chains policy to
> be "DROP" and removes the explicit "-j DROP" entries that the protocol rules
> had previously. It also makes "no-other-rarp-traffic.xml" obsolete.
>
> Signed-off-by: David L Stevens <dlstev...@us.ibm.com>
>
> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
> index fa6f719..dc0ad2e 100644
> --- a/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -2783,7 +2783,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
>  protostr[0] = '\0';
>
>  virBufferVSprintf(buf,
> - CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
> + CMD_DEF("%s -t %s -N %s -P DROP") CMD_SEPARATOR
>  CMD_EXEC
>  "%s"
>  CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR

So now this command puts the default policy of every ebtables chain to end with an implicit drop. What if I had previously created a filter assuming an implicit accept, which is the current behavior? Now that filter wouldn't work correctly anymore since my packets all get dropped. Is this change really necessary?

Stefan
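Review bot: Appending `-P DROP` to the `-N %s` command in ebtablesCreateTmpSubChain changes the default policy of every temporary sub chain the driver creates, not just the chains whose explicit `-j DROP` rules this patch removes, so any existing filter that only adds ACCEPT rules and relied on unmatched frames being accepted silently starts dropping them; this behavioural change should be stated in the commit message and the nwfilter documentation, and it is worth confirming that every chain created through this path actually had a trailing `-j DROP` before, since the hunk shows the policy change but no corresponding adjustment to the rules that the later `-A %s %s -j %s` line appends.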
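The concern in this reply is a change of the chain's default verdict from accept to drop. The following is an added model of ebtables chain evaluation (first matching rule wins, chain policy applies otherwise) written for this discussion; it is not libvirt code, and the chain name, the MAC addresses and the sample frames are constructed. It shows that a libvirt-generated chain produces the same verdicts whether it ends in an explicit `-j DROP` with policy ACCEPT or has no trailing rule with policy DROP, while a user-written filter that only adds ACCEPT rules changes behaviour for every frame it does not explicitly match.

```python
"""Model of ebtables chain semantics: ordered rules, first match wins,
the chain policy decides anything that matched no rule.
Added example for this thread, not part of libvirt."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Packet = Dict[str, str]


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str          # "ACCEPT" or "DROP"
    desc: str = ""


@dataclass
class Chain:
    name: str
    policy: str          # verdict used when no rule matches (ebtables -P)
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.match(pkt):
                return rule.target
        return self.policy


def src_mac_is(mac: str) -> Callable[[Packet], bool]:
    return lambda pkt: pkt.get("src") == mac


def match_all(pkt: Packet) -> bool:
    return True


VM_MAC = "52:54:00:aa:bb:cc"            # constructed guest MAC (assumption)
CHAIN = "libvirt-I-vnet0-arp"          # constructed chain name (assumption)


def libvirt_chain_before() -> Chain:
    """Pre-patch shape: policy ACCEPT plus an explicit trailing -j DROP."""
    return Chain(CHAIN, "ACCEPT", [
        Rule(src_mac_is(VM_MAC), "ACCEPT", "accept the guest's own MAC"),
        Rule(match_all, "DROP", "explicit -j DROP rule"),
    ])


def libvirt_chain_after() -> Chain:
    """Post-patch shape: chain created with -P DROP, no trailing rule."""
    return Chain(CHAIN, "DROP", [
        Rule(src_mac_is(VM_MAC), "ACCEPT", "accept the guest's own MAC"),
    ])


def user_chain(policy: str) -> Chain:
    """A filter that only lists the frames its author cared about and
    relied on the chain policy for everything else."""
    return Chain("user-arp-filter", policy, [
        Rule(src_mac_is(VM_MAC), "ACCEPT", "accept the guest's own MAC"),
    ])


# Constructed sample frames: one from the guest, one from another MAC.
SAMPLE_PACKETS: List[Packet] = [
    {"proto": "arp", "src": VM_MAC},
    {"proto": "arp", "src": "52:54:00:11:22:33"},
]


def verdicts(chain: Chain, packets: List[Packet] = SAMPLE_PACKETS) -> List[str]:
    return [chain.verdict(p) for p in packets]


def compare_policy_change() -> Dict[str, List[str]]:
    """Verdicts for each chain shape under the old and new default policy."""
    return {
        "libvirt_before": verdicts(libvirt_chain_before()),
        "libvirt_after": verdicts(libvirt_chain_after()),
        "user_before": verdicts(user_chain("ACCEPT")),
        "user_after": verdicts(user_chain("DROP")),
    }


if __name__ == "__main__":
    for name, result in compare_policy_change().items():
        print(f"{name:15s} {result}")
```

The libvirt-generated chains give identical results in both shapes, which is why the patch can drop the explicit `-j DROP` entries; the user chain is the case the reply is worried about, where the second frame flips from ACCEPT to DROP purely because of the new chain policy.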
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list