subject:"\[libvirt\] \[libvirt PATCHv3 04\/10\] make default chain policy \"DROP\""

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

2011-10-17 Thread Stefan Berger


On 10/12/2011 03:50 PM, David L Stevens wrote:

This patch simplifies the table rules by setting the protocol chains
policy to be DROP and removes the explicit -j DROP entries that the
protocol rules had previously. It also makes no-other-rarp-traffic.xml
obsolete.
I agree with Daniel's previous comments that this could introduce 
compatibility problems. It would be best not to change it or if really 
need be later on introduce an XML attribute for a chain that allows to 
choose whether the default policy is accept or drop.


 Stefan


Signed-off-by: David L Stevensdlstev...@us.ibm.com
---
  examples/xml/nwfilter/Makefile.am   |1 -
  examples/xml/nwfilter/no-arpip-spoofing.xml |2 --
  examples/xml/nwfilter/no-arpmac-spoofing.xml|2 --
  examples/xml/nwfilter/no-ip-spoofing.xml|2 --
  examples/xml/nwfilter/no-mac-spoofing.xml   |2 --
  examples/xml/nwfilter/no-other-rarp-traffic.xml |3 ---
  examples/xml/nwfilter/qemu-announce-self.xml|1 -
  src/nwfilter/nwfilter_ebiptables_driver.c   |   11 +--
  8 files changed, 1 insertions(+), 23 deletions(-)
  delete mode 100644 examples/xml/nwfilter/no-other-rarp-traffic.xml

diff --git a/examples/xml/nwfilter/Makefile.am 
b/examples/xml/nwfilter/Makefile.am
index 84aaa3c..67085fa 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -18,7 +18,6 @@ FILTERS = \
no-mac-broadcast.xml \
no-mac-spoofing.xml \
no-other-l2-traffic.xml \
-   no-other-rarp-traffic.xml \
qemu-announce-self.xml \
qemu-announce-self-rarp.xml

diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml 
b/examples/xml/nwfilter/no-arpip-spoofing.xml
index ee42d40..7ef6f0f 100644
--- a/examples/xml/nwfilter/no-arpip-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -7,6 +7,4 @@
 rule action='return' direction='out' priority='410'
 arp match='yes' arpsrcipaddr='0.0.0.0' /
 /rule
-!-- drop everything else --
-rule action='drop' direction='out' priority='1000' /
  /filter
diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml 
b/examples/xml/nwfilter/no-arpmac-spoofing.xml
index 90499d3..3834047 100644
--- a/examples/xml/nwfilter/no-arpmac-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -2,6 +2,4 @@
 rule action='return' direction='out' priority='350'
 arp match='yes' arpsrcmacaddr='$MAC'/
 /rule
-!-- drop everything else --
-rule action='drop' direction='out' priority='1000' /
  /filter
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml 
b/examples/xml/nwfilter/no-ip-spoofing.xml
index 84e8a5e..2fccd12 100644
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -4,6 +4,4 @@
  rule action='return' direction='out'
  ip match='yes' srcipaddr='$IP' /
  /rule
-!-- drop any that don't match the source IP list --
-rule action='drop' direction='out' /
  /filter
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml 
b/examples/xml/nwfilter/no-mac-spoofing.xml
index aee56c7..e2e8c03 100644
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -4,6 +4,4 @@
 rule action='return' direction='out' priority='350'
 mac match='yes' srcmacaddr='$MAC'/
 /rule
-!-- drop everything else --
-rule action='drop' direction='out' priority='1000' /
  /filter
diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml 
b/examples/xml/nwfilter/no-other-rarp-traffic.xml
deleted file mode 100644
index 7729996..000
--- a/examples/xml/nwfilter/no-other-rarp-traffic.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-filter name='no-other-rarp-traffic' chain='rarp'
-rule action='drop' direction='inout' priority='1000'/
-/filter
diff --git a/examples/xml/nwfilter/qemu-announce-self.xml 
b/examples/xml/nwfilter/qemu-announce-self.xml
index 352db50..12957b5 100644
--- a/examples/xml/nwfilter/qemu-announce-self.xml
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -8,6 +8,5 @@

  !-- accept if it was changed to rarp --
  filterref filter='qemu-announce-self-rarp'/
-filterref filter='no-other-rarp-traffic'/

  /filter
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c 
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 3c6fca7..e6a4880 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2791,7 +2791,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
  protostr[0] = '\0';

  virBufferAsprintf(buf,
-  CMD_DEF(%s -t %s -N %s) CMD_SEPARATOR
+  CMD_DEF(%s -t %s -N %s -P DROP) CMD_SEPARATOR
CMD_EXEC
%s
CMD_DEF(%s -t %s -A %s %s -j %s) CMD_SEPARATOR
@@ -3015,15 +3015,6 @@ ebtablesApplyBasicRules(const char *ifname,

  PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
  virBufferAsprintf(buf,
-

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

2011-10-17 Thread David Stevens

Stefan Berger stef...@linux.vnet.ibm.com wrote on 10/17/2011 08:50:14 
AM:


 I agree with Daniel's previous comments that this could introduce 
 compatibility problems. It would be best not to change it or if really 
 need be later on introduce an XML attribute for a chain that allows to 
 choose whether the default policy is accept or drop.

This is not a functional change. With the multiple address
support, literally all of the chains in question end with -j DROP.
By changing the default policy to DROP, it removes the requirement
to have the -j DROP  _at_the_end_, which makes appending new rules
without reference to a priority easier.
I think the real sticking point here is whether we consider
the existing standard chains as immutable. If, for compatibility's sake,
we keep address matching as:

if ($IP != ADDRESS) DROP
ACCEPT

then we cannot support multiple IP addresses. If we change this to:

if ($IP == ADDRESS1) RETURN
if ($IP == ADDRESS2) RETURN
...
DROP

all of the standard chains end in -j DROP and making the policy
be DROP expresses exactly the same thing with one less rule per chain.
This also allows appending more allowed addresses without using a
priority to ensure that -j DROP is last.
Any customization to the old filters that do DROP or ACCEPT
will still work and RETURN and CONTINUE were not supported before,
so the default, whether done by -j DROP/ACCEPT or the policy, don't
matter-- the custom rule will behave as it does now. It's just that
that DROP/ACCEPT will bypass subsequent checks that are now possible
if doing RETURN/CONTINUE instead.
But, of course, *any* change to the standard filters requires
a review of custom filters that link into them or modify them.

I think maintaining this level of compatibility simply means
we cannot support multiple addresses. Doing that obviously requires
changing the existing address matching filters, which therefore can't
be linked in in identically the same way. However, I think any
existing customization is trivial to apply after, too. Perhaps an
example filter that causes a problem?

+-DLS



--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

2011-10-17 Thread Stefan Berger


On 10/17/2011 01:04 PM, David Stevens wrote:

Stefan Bergerstef...@linux.vnet.ibm.com  wrote on 10/17/2011 08:50:14
AM:



I agree with Daniel's previous comments that this could introduce
compatibility problems. It would be best not to change it or if really
need be later on introduce an XML attribute for a chain that allows to
choose whether the default policy is accept or drop.

 This is not a functional change. With the multiple address
support, literally all of the chains in question end with -j DROP.
By changing the default policy to DROP, it removes the requirement
to have the -j DROP  _at_the_end_, which makes appending new rules
without reference to a priority easier.
Yes, '_at_the_end_', that's what I thought. I am not sure whether this 
particular requirement is the best way to proceed since obviously you 
cannot have any other rules with lesser priority after the ones doing 
the 'return' -- whatever those rules may be doing. The alternative would 
be having to instantiate the whole filter chain in the same way as the 
IP address learning thread does with the 'late' filter instantiation 
call -- that would at least get all the priorities correct and not 
introduce a requirement on how one has to write a filter.



 I think the real sticking point here is whether we consider
the existing standard chains as immutable. If, for compatibility's sake,
I don't consider them as immutable but should be replaced with something 
of the same or 'better' functionality.

we keep address matching as:
 if ($IP != ADDRESS) DROP
 ACCEPT

then we cannot support multiple IP addresses. If we change this to:

 if ($IP == ADDRESS1) RETURN
 if ($IP == ADDRESS2) RETURN
 ...
 DROP

all of the standard chains end in -j DROP and making the policy
be DROP expresses exactly the same thing with one less rule per chain.
This also allows appending more allowed addresses without using a
priority to ensure that -j DROP is last.
Yes, I understand that but I don't necessarily like the implications of 
this.



 Any customization to the old filters that do DROP or ACCEPT
will still work and RETURN and CONTINUE were not supported before,
so the default, whether done by -j DROP/ACCEPT or the policy, don't
matter-- the custom rule will behave as it does now. It's just that
that DROP/ACCEPT will bypass subsequent checks that are now possible
if doing RETURN/CONTINUE instead.
 But, of course, *any* change to the standard filters requires
a review of custom filters that link into them or modify them.

 I think maintaining this level of compatibility simply means
we cannot support multiple addresses. Doing that obviously requires
changing the existing address matching filters, which therefore can't
be linked in in identically the same way. However, I think any
existing customization is trivial to apply after, too. Perhaps an
example filter that causes a problem?
I don't have an example filter myself, but I don't know what other 
people may have written.


An alternative would be to say that the existing filters work with the 
IP address learning thread and we would need to introduce new filters 
for support of multiple IP addresses. Yes, the current filters aren't 
prepare for supporting multiple IP addresses per interface.
I don't think replacing the existing filters would be a problem per-se, 
but I don't like that the priority of the rules doing the 'RETURN' is 
assumed to be the lowest in the chain and we can just append anything to 
the end of the chain -- the filters we are writing are just examples and 
someone may come up with a few rules that do something with packets that 
were not RETURN'ed and thus needs to have rules executing behind those. 
Again, maybe (the less efficient but more generic way of) instantiating 
the filters by calling the virNWFilterInstantiateFilterLate() could 
solve part of the problem.



Stefan

 +-DLS





--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

2011-10-17 Thread David Stevens

Stefan Berger stef...@linux.vnet.ibm.com wrote on 10/17/2011 10:29:08 
AM:

 Yes, '_at_the_end_', that's what I thought. I am not sure whether this 
 particular requirement is the best way to proceed since obviously you 
 cannot have any other rules with lesser priority after the ones doing 
 the 'return' -- whatever those rules may be doing.
Not in the same chain, but  if a chain is checking multiple
allowed values for the same field, that's all that chain should be doing.
Checking some other condition should be done after passing, e.g., the IP
address checks and would be done because of the RETURN. Current code 
does
an ACCEPT or REJECT at that point, so *requires* modification of the
existing chain.
Any current filters are even worse because without RETURN and
CONTINUE, they can only accept or drop a packet without further 
processing.
With this patchset, you can apply multiple tests to the same packet with
only the restriction that testing other fields in that packet require a 
different
subchain-- something not possible at all today.
If, for example, you want to allow 100 ports and a particular IP
address, reject everything else, won't that require a DROP rule for
65436 ports so that you don't accept either based on just the port or
just the IP address? Or , you'd have to combine the IP address check in
every port-check rule and do it before you do the blanket  ACCEPT in
the standard rule.


 An alternative would be to say that the existing filters work with the 
 IP address learning thread and we would need to introduce new filters 
 for support of multiple IP addresses. Yes, the current filters aren't 
 prepare for supporting multiple IP addresses per interface.

Yes, I thought about this, but it really is just duplicating the
entire set with a different name. I think especially without support
for RETURN/CONTINUE, as a practical matter the only way to modify the
current filters to do interesting things is to replace them. Anyone doing
that will not be affected by a change to the standard rules, except for
the possibly trivial addition of a -j ACCEPT at the end if they require
a default ACCEPT for the modified rules.

 I don't think replacing the existing filters would be a problem per-se, 
 but I don't like that the priority of the rules doing the 'RETURN' is 
 assumed to be the lowest in the chain and we can just append anything to 

 the end of the chain -- the filters we are writing are just examples and 

 someone may come up with a few rules that do something with packets that 

 were not RETURN'ed and thus needs to have rules executing behind those. 
 Again, maybe (the less efficient but more generic way of) instantiating 
 the filters by calling the virNWFilterInstantiateFilterLate() could 
 solve part of the problem.

The only use I've added for addRules is the
multiple address check and that should not have other random fields in
the same chain. Better would be to have a different chain linked at the
top after the address checks. In fact, for compatibility, it'd be possible
to change the address checks to a different chain and leave an empty
ip  and arp chain that does only accept. It's just that it isn't 
really all
that compatible if what's really happening is that a customer is replacing
the existing chains with modifications, rather than applying additional 
rules
to it.
In the end, any modification whatsoever to the examples 
directory
requires someone who has customized a filter to look at the customization
again. Addition of RETURN/CONTINUE makes that easier in the future. 
With
the existing filters, any customization cannot be independent of the 
internals
of the existing filters (it's adding rules in the middle of it), so the 
only
way to maintain compatibility is to never change them.
With RETURN/CONTINUE and your suggested user-defined chain(s), 
you
can apply the standard sets with RETURN for acceptable packets and then
apply any user-defined checks  also to the same packets afterwards. I 
think
that's the right approach, but it requires either changing the existing 
chains
or introducing a completely parallel set and not using the original 
filters
at all, except for sites that want the old stuff only.


+-DLS



--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

2011-10-17 Thread Stefan Berger


On 10/17/2011 05:22 PM, David Stevens wrote:

Stefan Bergerstef...@linux.vnet.ibm.com  wrote on 10/17/2011 10:29:08
AM:


Yes, '_at_the_end_', that's what I thought. I am not sure whether this
particular requirement is the best way to proceed since obviously you
cannot have any other rules with lesser priority after the ones doing
the 'return' -- whatever those rules may be doing.

 Not in the same chain, but  if a chain is checking multiple
allowed values for the same field, that's all that chain should be doing.
Sure, and what if I wanted to do something with packets that were not 
RETURN'ed, where would I treat them besides *after* the RETURN?

Checking some other condition should be done after passing, e.g., the IP
address checks and would be done because of the RETURN. Current code
does
an ACCEPT or REJECT at that point, so *requires* modification of the
existing chain.
 Any current filters are even worse because without RETURN and
CONTINUE, they can only accept or drop a packet without further
processing.

Not arguing against that.

With this patchset, you can apply multiple tests to the same packet with
only the restriction that testing other fields in that packet require a
different
subchain-- something not possible at all today.
 If, for example, you want to allow 100 ports and a particular IP
address, reject everything else, won't that require a DROP rule for
65436 ports so that you don't accept either based on just the port or
just the IP address? Or , you'd have to combine the IP address check in
every port-check rule and do it before you do the blanket  ACCEPT in
the standard rule.



An alternative would be to say that the existing filters work with the
IP address learning thread and we would need to introduce new filters
for support of multiple IP addresses. Yes, the current filters aren't
prepare for supporting multiple IP addresses per interface.

 Yes, I thought about this, but it really is just duplicating the
entire set with a different name. I think especially without support
for RETURN/CONTINUE, as a practical matter the only way to modify the
current filters to do interesting things is to replace them. Anyone doing
that will not be affected by a change to the standard rules, except for
the possibly trivial addition of a -j ACCEPT at the end if they require
a default ACCEPT for the modified rules.


I don't think replacing the existing filters would be a problem per-se,
but I don't like that the priority of the rules doing the 'RETURN' is
assumed to be the lowest in the chain and we can just append anything to
the end of the chain -- the filters we are writing are just examples and
someone may come up with a few rules that do something with packets that
were not RETURN'ed and thus needs to have rules executing behind those.
Again, maybe (the less efficient but more generic way of) instantiating
the filters by calling the virNWFilterInstantiateFilterLate() could
solve part of the problem.

 The only use I've added for addRules is the
multiple address check and that should not have other random fields in
the same chain. Better would be to have a different chain linked at the
What if in the future we were to support ebtables logging and wanted to 
log any packet that has not been handled with a RETURN, thus for example 
logging MAC spoofing -- just as an example. I don't see how one would do 
that without adding rules into the mac chain *after* the rules that do 
the RETURN for packets with acceptable source MAC addresses and all 
others get logged. I would not call these 'random fields' being 
evaluated, but that the implementation of addRules() requires the 
filters to be limited in a way that may at some point become a problem 
for some use cases and someone has to reimplement it then.


   Stefan


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

2011-10-12 Thread David L Stevens

This patch simplifies the table rules by setting the protocol chains
policy to be DROP and removes the explicit -j DROP entries that the
protocol rules had previously. It also makes no-other-rarp-traffic.xml
obsolete.

Signed-off-by: David L Stevens dlstev...@us.ibm.com
---
 examples/xml/nwfilter/Makefile.am   |1 -
 examples/xml/nwfilter/no-arpip-spoofing.xml |2 --
 examples/xml/nwfilter/no-arpmac-spoofing.xml|2 --
 examples/xml/nwfilter/no-ip-spoofing.xml|2 --
 examples/xml/nwfilter/no-mac-spoofing.xml   |2 --
 examples/xml/nwfilter/no-other-rarp-traffic.xml |3 ---
 examples/xml/nwfilter/qemu-announce-self.xml|1 -
 src/nwfilter/nwfilter_ebiptables_driver.c   |   11 +--
 8 files changed, 1 insertions(+), 23 deletions(-)
 delete mode 100644 examples/xml/nwfilter/no-other-rarp-traffic.xml

diff --git a/examples/xml/nwfilter/Makefile.am 
b/examples/xml/nwfilter/Makefile.am
index 84aaa3c..67085fa 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -18,7 +18,6 @@ FILTERS = \
no-mac-broadcast.xml \
no-mac-spoofing.xml \
no-other-l2-traffic.xml \
-   no-other-rarp-traffic.xml \
qemu-announce-self.xml \
qemu-announce-self-rarp.xml
 
diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml 
b/examples/xml/nwfilter/no-arpip-spoofing.xml
index ee42d40..7ef6f0f 100644
--- a/examples/xml/nwfilter/no-arpip-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -7,6 +7,4 @@
rule action='return' direction='out' priority='410' 
arp match='yes' arpsrcipaddr='0.0.0.0' /
/rule
-   !-- drop everything else --
-   rule action='drop' direction='out' priority='1000' /
 /filter
diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml 
b/examples/xml/nwfilter/no-arpmac-spoofing.xml
index 90499d3..3834047 100644
--- a/examples/xml/nwfilter/no-arpmac-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -2,6 +2,4 @@
rule action='return' direction='out' priority='350' 
arp match='yes' arpsrcmacaddr='$MAC'/
/rule
-   !-- drop everything else --
-   rule action='drop' direction='out' priority='1000' /
 /filter
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml 
b/examples/xml/nwfilter/no-ip-spoofing.xml
index 84e8a5e..2fccd12 100644
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -4,6 +4,4 @@
 rule action='return' direction='out'
 ip match='yes' srcipaddr='$IP' /
 /rule
-!-- drop any that don't match the source IP list --
-rule action='drop' direction='out' /
 /filter
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml 
b/examples/xml/nwfilter/no-mac-spoofing.xml
index aee56c7..e2e8c03 100644
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -4,6 +4,4 @@
rule action='return' direction='out' priority='350' 
mac match='yes' srcmacaddr='$MAC'/
/rule
-   !-- drop everything else --
-   rule action='drop' direction='out' priority='1000' /
 /filter
diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml 
b/examples/xml/nwfilter/no-other-rarp-traffic.xml
deleted file mode 100644
index 7729996..000
--- a/examples/xml/nwfilter/no-other-rarp-traffic.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-filter name='no-other-rarp-traffic' chain='rarp'
-rule action='drop' direction='inout' priority='1000'/
-/filter
diff --git a/examples/xml/nwfilter/qemu-announce-self.xml 
b/examples/xml/nwfilter/qemu-announce-self.xml
index 352db50..12957b5 100644
--- a/examples/xml/nwfilter/qemu-announce-self.xml
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -8,6 +8,5 @@
 
 !-- accept if it was changed to rarp --
 filterref filter='qemu-announce-self-rarp'/
-filterref filter='no-other-rarp-traffic'/
 
 /filter
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c 
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 3c6fca7..e6a4880 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2791,7 +2791,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
 protostr[0] = '\0';
 
 virBufferAsprintf(buf,
-  CMD_DEF(%s -t %s -N %s) CMD_SEPARATOR
+  CMD_DEF(%s -t %s -N %s -P DROP) CMD_SEPARATOR
   CMD_EXEC
   %s
   CMD_DEF(%s -t %s -A %s %s -j %s) CMD_SEPARATOR
@@ -3015,15 +3015,6 @@ ebtablesApplyBasicRules(const char *ifname,
 
 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
 virBufferAsprintf(buf,
-  CMD_DEF(%s -t %s -A %s -s ! %s -j DROP) CMD_SEPARATOR
-  CMD_EXEC
-  %s,
-
-  ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
-  chain, macaddr_str,
-  CMD_STOPONERR(1));
-
-virBufferAsprintf(buf,

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

[libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

6 matches

Site Navigation

Mail list logo

Footer information