This patch extends the filter XML to support priorities of chains
in the XML. An example would be:
filter name='allow-arpxyz' chain='arp-xyz' priority='200'
[...]
/filter
The permitted values for priorities are [-1000, 1000].
By setting the priority of a chain, the order in which it is accessed
from the interface root chain can be influenced.
Signed-off-by: Stefan Berger stef...@linux.vnet.ibm.com
---
docs/schemas/nwfilter.rng |7 ++-
src/conf/nwfilter_conf.c | 42 +-
2 files changed, 43 insertions(+), 6 deletions(-)
Index: libvirt-acl/src/conf/nwfilter_conf.c
===
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -2014,7 +2014,9 @@ virNWFilterDefParseXML(xmlXPathContextPt
xmlNodePtr curr = ctxt-node;
char *uuid = NULL;
char *chain = NULL;
+char *chain_pri_s = NULL;
virNWFilterEntryPtr entry;
+int chain_priority;
if (VIR_ALLOC(ret) 0) {
virReportOOMError();
@@ -2028,6 +2030,26 @@ virNWFilterDefParseXML(xmlXPathContextPt
goto cleanup;
}
+chain_pri_s = virXPathString(string(./@priority), ctxt);
+if (chain_pri_s) {
+if (sscanf(chain_pri_s, %d, chain_priority) != 1) {
+virNWFilterReportError(VIR_ERR_INVALID_ARG,
+ _(Could not parse chain priority '%s'),
+ chain_pri_s);
+goto cleanup;
+}
+if (chain_priority NWFILTER_MIN_FILTER_PRIORITY ||
+chain_priority NWFILTER_MAX_FILTER_PRIORITY) {
+virNWFilterReportError(VIR_ERR_INVALID_ARG,
+ _(Priority '%d' is outside valid
+ range of [%d,%d]),
+ chain_priority,
+ NWFILTER_MIN_FILTER_PRIORITY,
+ NWFILTER_MAX_FILTER_PRIORITY);
+goto cleanup;
+}
+}
+
chain = virXPathString(string(./@chain), ctxt);
if (chain) {
if (virNWFilterChainSuffixTypeFromString(chain) 0) {
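Review bot: The `sscanf(chain_pri_s, "%d", &chain_priority)` check in this hunk accepts trailing junk (`priority='200abc'` parses as 200) and leading whitespace, and a value that does not fit in an int is undefined behaviour in sscanf before the range check on the following lines ever runs. Since the attribute is user-supplied XML, parse it with the project's checked helper instead: `if (virStrToLong_i(chain_pri_s, NULL, 10, &chain_priority) < 0) {` — which rejects overflow and any unconsumed characters, leaving the existing `[NWFILTER_MIN_FILTER_PRIORITY, NWFILTER_MAX_FILTER_PRIORITY]` range check as the only further validation. Note also that the parsed value is only applied inside the `if (chain)` branch below, so a `priority` attribute without a `chain` attribute appears to be silently ignored rather than reported; if that is intended, a one-line comment saying so would help. virNWFilterDefParseXML continues outside this hunk.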
@@ -2036,11 +2058,16 @@ virNWFilterDefParseXML(xmlXPathContextPt
goto cleanup;
}
ret-chainsuffix = chain;
-/* assign an implicit priority -- support XML attribute later */
-if (intMapGetByString(chain_priorities, chain, 0,
- ret-chainPriority) == false) {
-ret-chainPriority = (NWFILTER_MAX_FILTER_PRIORITY +
- NWFILTER_MIN_FILTER_PRIORITY) / 2;
+
+if (chain_pri_s) {
+ret-chainPriority = chain_priority;
+} else {
+/* assign an implicit priority -- support XML attribute later */
+if (intMapGetByString(chain_priorities, chain, 0,
+ ret-chainPriority) == false) {
+ret-chainPriority = (NWFILTER_MAX_FILTER_PRIORITY +
+ NWFILTER_MIN_FILTER_PRIORITY) / 2;
+}
}
chain = NULL;
} else {
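Review bot: The comment `/* assign an implicit priority -- support XML attribute later */` kept in the else branch is now stale, because this very commit adds the XML attribute and the branch is only reached when it is absent. Replace it with something like `/* no priority attribute given: fall back to the chain's well-known priority, else the middle of the range */` so the two branches read as the explicit/implicit pair they are. virNWFilterDefParseXML starts and ends outside this hunk.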
@@ -2097,6 +2124,7 @@ virNWFilterDefParseXML(xmlXPathContextPt
}
VIR_FREE(chain);
+VIR_FREE(chain_pri_s);
return ret;
@@ -2104,6 +2132,7 @@ virNWFilterDefParseXML(xmlXPathContextPt
virNWFilterDefFree(ret);
VIR_FREE(chain);
VIR_FREE(uuid);
+VIR_FREE(chain_pri_s);
return NULL;
}
@@ -2852,6 +2881,9 @@ virNWFilterDefFormat(virNWFilterDefPtr d
virBufferAsprintf(buf, filter name='%s' chain='%s',
def-name,
def-chainsuffix);
+if (def-chainPriority != 0)
+virBufferAsprintf(buf, priority='%d',
+ def-chainPriority);
virBufferAddLit(buf, \n);
virUUIDFormat(def-uuid, uuid);
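Review bot: The `if (def->chainPriority != 0)` guard before the `priority='%d'` output makes an explicit `priority='0'` disappear on format, so the XML does not round-trip: on re-parse the chain falls back to the implicit lookup in `chain_priorities`, which for a chain listed there yields a different priority than the 0 the user asked for. Either always emit the attribute once a chain suffix is present, or record in the def whether the priority was explicit and key the guard on that rather than on the value. virNWFilterDefFormat starts and ends outside this hunk.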
Index: libvirt-acl/docs/schemas/nwfilter.rng
===
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -293,6 +293,11 @@
/choice
/attribute
/optional
+optional
+ attribute name=priority
+ref name='priority-type'/
+ /attribute
+/optional
/define
define name=filterref-node-attributes
@@ -881,7 +886,7 @@
define name='priority-type'
data type=int
-param name=minInclusive0/param
+param name=minInclusive-1000/param
param name=maxInclusive1000/param
/data
/define
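Review bot: Lowering `minInclusive` of the shared `priority-type` define from 0 to -1000 widens every use of that type in the schema, not just the new chain `priority` attribute added in the earlier hunk. If `priority-type` is also referenced by rule-level priorities (not visible here), the schema now admits negative rule priorities that the corresponding C parser may still reject; introducing a separate `chain-priority-type` with the [-1000, 1000] range would keep the two independent.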