[libvirt] [libvirt PATCHv3 05/10] allow chain modification

2011-10-12 Thread David L Stevens
This patch adds the internal capability to add rules to existing
chains instead of using temporary chains and to generate placeholders for
chains that are referenced without generating a rule for them immediately.
Finally, it includes variable matching for filter instantiation
(i.e., instantiate only when a given variable is present in a filter, or
only when it is not).

Signed-off-by: David L Stevens 
---
 src/conf/nwfilter_conf.h  |4 +-
 src/nwfilter/nwfilter_ebiptables_driver.c |   93 +
 src/nwfilter/nwfilter_gentech_driver.c|   32 +-
 3 files changed, 100 insertions(+), 29 deletions(-)

diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 17e954e..4348378 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -525,7 +525,9 @@ typedef int (*virNWFilterRuleCreateInstance)(virConnectPtr 
conn,
  virNWFilterRuleDefPtr rule,
  const char *ifname,
  virNWFilterHashTablePtr vars,
- virNWFilterRuleInstPtr res);
+ virNWFilterRuleInstPtr res,
+ bool usetemp,
+ bool dummy);
 
 typedef int (*virNWFilterRuleApplyNewRules)(virConnectPtr conn,
 const char *ifname,
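Review bot: the typedef gains two positional bools, `bool usetemp, bool dummy`, with nothing saying what each selects, so call sites will read as `..., res, true, false)`. Document on the typedef that `usetemp` picks the temporary chain prefix and `dummy` emits a placeholder instead of a real rule (or fold both into a single flags/enum argument), and make sure every backend that implements virNWFilterRuleCreateInstance is updated in the same patch, since the signature change breaks them otherwise.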
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c 
b/src/nwfilter/nwfilter_ebiptables_driver.c
index e6a4880..918625c 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1136,6 +1136,7 @@ iptablesEnforceDirection(int directionIn,
  * @isIPv6 : Whether this is an IPv6 rule
  * @maySkipICMP : whether this rule may under certain circumstances skip
  *   the ICMP rule from being created
+ * @dummy : generate rule placeholder without installing
  *
  * Convert a single rule into its representation for later instantiation
  *
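Review bot: `@dummy : generate rule placeholder without installing` is the only description of the flag and does not say what a placeholder is. From the later hunk it is an `echo` line in the generated script with `%c` and `%s` left unexpanded; say that here, and say who substitutes them, so a reader of this comment does not have to find the `if (dummy)` block.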
@@ -1154,7 +1155,8 @@ _iptablesCreateRuleInstance(int directionIn,
 const char *match, bool defMatch,
 const char *accept_target,
 bool isIPv6,
-bool maySkipICMP)
+bool maySkipICMP,
+bool dummy)
 {
 char chain[MAX_CHAINNAME_LENGTH];
 char number[20];
@@ -1181,6 +1183,13 @@ _iptablesCreateRuleInstance(int directionIn,
 
 PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
 
+if (dummy) {
+virBufferAsprintf(&buf, CMD_DEF_PRE "%s -- %s -%%c %s %%s",
+  "echo", iptables_cmd, chain);
+bufUsed = virBufferUse(&buf);
+goto prskip;
+}
+
 switch (rule->prtclType) {
 case VIR_NWFILTER_RULE_PROTOCOL_TCP:
 case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
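Review bot: the placeholder built in the `if (dummy)` block is `echo -- iptables -%c chain %s`; a shell builtin `echo` (bash's, for one) does not treat `--` as an end-of-options marker, so the script prints a literal `-- ` prefix. Harmless because the line is only echoed, but `:` or `echo` without `--` would be cleaner, and a comment should state that `%%c`/`%%s` are deliberately left as `%c`/`%s` for later substitution. The `goto prskip` also skips the whole protocol switch, so this path never sets `srcMacSkipped` or `skipRule`; worth a sentence if that is intended.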
@@ -1521,6 +1530,8 @@ _iptablesCreateRuleInstance(int directionIn,
 return -1;
 }
 
+prskip:
+
 if ((srcMacSkipped && bufUsed == virBufferUse(&buf)) ||
  skipRule) {
 virBufferFreeAndReset(&buf);
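Review bot: the `prskip:` label lands directly on `if ((srcMacSkipped && bufUsed == virBufferUse(&buf)) || skipRule)`, and the dummy path arrives with `bufUsed` just set equal to the buffer length and with the code that assigns `srcMacSkipped`/`skipRule` never executed, so keeping the placeholder depends on both flags still holding their initial values. Put a one-line comment at the label saying so, otherwise a later change that initialises either flag differently silently drops every placeholder.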
@@ -1636,7 +1647,9 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
 const char *ifname,
 virNWFilterHashTablePtr vars,
 virNWFilterRuleInstPtr res,
-bool isIPv6)
+bool isIPv6,
+bool usetemp,
+bool dummy)
 {
 int rc;
 int directionIn = 0;
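Review bot: `iptablesCreateRuleInstanceStateCtrl` gains `bool usetemp, bool dummy`, but unlike `_iptablesCreateRuleInstance` earlier in this patch its doc comment is not touched in this hunk; add `@usetemp` and `@dummy` entries there as well.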
@@ -1668,7 +1681,7 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
 return 1;
 }
 
-chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
+chainPrefix[1] = usetemp ? CHAINPREFIX_HOST_IN_TEMP : CHAINPREFIX_HOST_IN;
 if (create) {
 rc = _iptablesCreateRuleInstance(directionIn,
  chainPrefix,
@@ -1680,7 +1693,8 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
  matchState, false,
  "RETURN",
  isIPv6,
- maySkipICMP);
+ maySkipICMP,
+ dummy);
 
 VIR_FREE(matchState);
 if (rc)
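Review bot: with `usetemp` false, `chainPrefix[1] = CHAINPREFIX_HOST_IN` makes the rule target the live chain that is already filtering traffic, so there is no temporary chain to swap in atomically and nothing to roll back if a later rule in the same instantiation fails; the live chain is then left partially modified. Either state the invariant here (callers pass `usetemp = false` only for single-rule updates such as the DHCP-driven IP rules) or make the non-temp path delete what it added on failure.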
@@ -1700,7 +1714,8 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
 return 1;
 }
 
-chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
+chainPrefix[1] = usetemp ? CHAINPREFIX_HOST_OUT_TEMP :
+ CHAINPREFIX_HOST_OUT;
 if (create) {
 rc = _iptablesCreateRuleInstance(!directionIn,
  chainPrefix,
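Review bot: `usetemp ? CHAINPREFIX_HOST_OUT_TEMP : CHAINPREFIX_HOST_OUT` repeats the IN-direction ternary a few lines up, and the continuation line is wrapped at the colon. Compute both prefix characters once, before the two `if (create)` blocks, or add a small helper, so the two directions cannot drift apart when one of them is changed.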
@@ -17

Re: [libvirt] [libvirt PATCHv3 05/10] allow chain modification

2011-10-17 Thread Stefan Berger

On 10/12/2011 03:50 PM, David L Stevens wrote:

This patch adds the internal capability to add rules to existing
chains instead of using temporary chains and to generate placeholders for
chains that are referenced without generating a rule for them immediately.
Finally, it includes variable matching for filter instantiation
(i.e., instantiate only when a given variable is present in a filter, or
only when it is not).

Following the above I am not sure what this will be used for as part of this extension.



Signed-off-by: David L Stevens
---
  src/conf/nwfilter_conf.h  |4 +-
  src/nwfilter/nwfilter_ebiptables_driver.c |   93 +
  src/nwfilter/nwfilter_gentech_driver.c|   32 +-
  3 files changed, 100 insertions(+), 29 deletions(-)

diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 17e954e..4348378 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -525,7 +525,9 @@ typedef int (*virNWFilterRuleCreateInstance)(virConnectPtr 
conn,
   virNWFilterRuleDefPtr rule,
   const char *ifname,
   virNWFilterHashTablePtr vars,
- virNWFilterRuleInstPtr res);
+ virNWFilterRuleInstPtr res,
+ bool usetemp,
+ bool dummy);

  typedef int (*virNWFilterRuleApplyNewRules)(virConnectPtr conn,
  const char *ifname,
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c 
b/src/nwfilter/nwfilter_ebiptables_driver.c
index e6a4880..918625c 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1136,6 +1136,7 @@ iptablesEnforceDirection(int directionIn,
   * @isIPv6 : Whether this is an IPv6 rule
   * @maySkipICMP : whether this rule may under certain circumstances skip
   *   the ICMP rule from being created
+ * @dummy : generate rule placeholder without installing
   *
   * Convert a single rule into its representation for later instantiation
   *
@@ -1154,7 +1155,8 @@ _iptablesCreateRuleInstance(int directionIn,
  const char *match, bool defMatch,
  const char *accept_target,
  bool isIPv6,
-bool maySkipICMP)
+bool maySkipICMP,
+bool dummy)
  {
  char chain[MAX_CHAINNAME_LENGTH];
  char number[20];
@@ -1181,6 +1183,13 @@ _iptablesCreateRuleInstance(int directionIn,

  PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);

+if (dummy) {
+virBufferAsprintf(&buf, CMD_DEF_PRE "%s -- %s -%%c %s %%s",
+  "echo", iptables_cmd, chain);
+bufUsed = virBufferUse(&buf);
+goto prskip;
+}
+
  switch (rule->prtclType) {
  case VIR_NWFILTER_RULE_PROTOCOL_TCP:
  case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
@@ -1521,6 +1530,8 @@ _iptablesCreateRuleInstance(int directionIn,
  return -1;
  }

+prskip:
+
  if ((srcMacSkipped&&  bufUsed == virBufferUse(&buf)) ||
   skipRule) {
  virBufferFreeAndReset(&buf);
@@ -1636,7 +1647,9 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
  const char *ifname,
  virNWFilterHashTablePtr vars,
  virNWFilterRuleInstPtr res,
-bool isIPv6)
+bool isIPv6,
+bool usetemp,
+bool dummy)
  {
  int rc;
  int directionIn = 0;
@@ -1668,7 +1681,7 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
  return 1;
  }

-chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
+chainPrefix[1] = usetemp ? CHAINPREFIX_HOST_IN_TEMP : CHAINPREFIX_HOST_IN;
  if (create) {
  rc = _iptablesCreateRuleInstance(directionIn,
   chainPrefix,
@@ -1680,7 +1693,8 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
   matchState, false,
   "RETURN",
   isIPv6,
- maySkipICMP);
+ maySkipICMP,
+ dummy);

  VIR_FREE(matchState);
  if (rc)
@@ -1700,7 +1714,8 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
  return 1;
  }

-chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
+chainPrefix[1] = usetemp ? CHAINPREFIX_HOST_OUT_TEMP :

Re: [libvirt] [libvirt PATCHv3 05/10] allow chain modification

2011-10-17 Thread David Stevens
Stefan Berger wrote on 10/17/2011 09:07:12 AM:

> On 10/12/2011 03:50 PM, David L Stevens wrote:
> > This patch adds the internal capability to add rules to existing
> > chains instead of using temporary chains and to generate placeholders for
> > chains that are referenced without generating a rule for them immediately.
> > Finally, it includes variable matching for filter instantiation
> > (i.e., instantiate only when a given variable is present in a filter, or
> > only when it is not).
> >
> Following the above I am not sure what this will be used for as part of
> this extension.

This is used to add rules to existing chains when a new IP address is
discovered (i.e., a DHCP ACK from a server occurs). The existing code builds
the entire chain as a temporary chain and then swaps it in, which is only
appropriate at start-up. For DHCP snooping, we want to add and remove rules
that reference "IP" using a particular value (the address for the ACK or
lease expiration) without affecting other rules that don't reference IP or
have a different address value. "removeRules" was already there, but
"addRules" was not.

 +-DLS

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list


Re: [libvirt] [libvirt PATCHv3 05/10] allow chain modification

2011-10-17 Thread Stefan Berger

On 10/17/2011 01:23 PM, David Stevens wrote:

> Stefan Berger wrote on 10/17/2011 09:07:12 AM:
>
> > On 10/12/2011 03:50 PM, David L Stevens wrote:
> > > This patch adds the internal capability to add rules to existing
> > > chains instead of using temporary chains and to generate placeholders for
> > > chains that are referenced without generating a rule for them immediately.
> > > Finally, it includes variable matching for filter instantiation
> > > (i.e., instantiate only when a given variable is present in a filter, or
> > > only when it is not).
> >
> > Following the above I am not sure what this will be used for as part of
> > this extension.
>
> This is used to add rules to existing chains when a new IP address is
> discovered (i.e., a DHCP ACK from a server occurs). The existing code builds
> the entire chain as a temporary chain and then swaps it in, which is only
> appropriate at start-up. For DHCP snooping, we want to add and remove rules
> that reference "IP" using a particular value (the address for the ACK or
> lease expiration) without affecting other rules that don't reference IP or
> have a different address value. "removeRules" was already there, but
> "addRules" was not.

Yes, then I understood this correctly. See the other mails regarding the
problems I am seeing with it. If there was a way to figure out at what
position to insert a rule into an existing chain, i.e. at position 5,
rather than always at the end, we could use this addRules() call,
otherwise I find it very limiting.

   Stefan

> +-DLS





Re: [libvirt] [libvirt PATCHv3 05/10] allow chain modification

2011-10-17 Thread David Stevens
Stefan Berger wrote on 10/17/2011 10:31:29 AM:

> > was not.
> Yes, then I understood this correctly. See the other mails regarding the
> problems I am seeing with it. If there was a way to figure out at what
> position to insert a rule into an existing chain, i.e. at position 5,
> rather than always at the end, we could use this addRules() call,
> otherwise I find it very limiting.

I'm not sure if I answered this already for you or not, but you
can -- by using the priority in the rule. If we don't use the policy
and so have to have a "-j DROP" at the end, then we'd want the original
filter to use "-1" (if I'm remembering correctly -- 1 before end??). You
can specify the rule be added at any point; "IP" rules would all have
the same priority, because they originate from the same line in the filter,
but you can use the priority to offset from the end or beginning, or
any fixed point in the chain.

+-DLS

PS - I haven't tried using negative priorities with nwfilter, but
ebtables/iptables supports it, at least.



Re: [libvirt] [libvirt PATCHv3 05/10] allow chain modification

2011-10-17 Thread Stefan Berger

On 10/17/2011 01:58 PM, David Stevens wrote:

> Stefan Berger wrote on 10/17/2011 10:31:29 AM:
>
> > > was not.
> > Yes, then I understood this correctly. See the other mails regarding the
> > problems I am seeing with it. If there was a way to figure out at what
> > position to insert a rule into an existing chain, i.e. at position 5,
> > rather than always at the end, we could use this addRules() call,
> > otherwise I find it very limiting.
>
> I'm not sure if I answered this already for you or not, but you
> can -- by using the priority in the rule. If we don't use the policy
> and so have to have a "-j DROP" at the end, then we'd want the original
> filter to use "-1" (if I'm remembering correctly -- 1 before end??). You
> can specify the rule be added at any point; "IP" rules would all have
> the same priority, because they originate from the same line in the filter,
> but you can use the priority to offset from the end or beginning, or
> any fixed point in the chain.
>
> +-DLS
>
> PS - I haven't tried using negative priorities with nwfilter, but
> ebtables/iptables supports it, at least.

The ebtables / iptables insertion of rules is based on position of the
rule relative to other existing rules and has nothing to do with
nwfilter priority, which serves the sorting of rules relative to each other
beyond what their occurrence in the XML provides. So the priority
doesn't map directly into the position of the rule as ebtables/iptables
needs it.


Stefan

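The position-versus-priority question in the last two exchanges, and the DHCP ACK / lease-expiry use case David describes earlier in the thread, worked through as an added example. This is not libvirt code and not code from either poster: it keeps a mirror of the installed chain as a priority-sorted list and derives the 1-based position that `iptables -I chain N` needs from the rule's priority, so a runtime-added rule lands before the final drop instead of being appended after it. The chain name `FI-vnet0`, the rule specs, the priority values, the `DROP_ALL` final rule and the `iptables` command name are all constructed assumptions; the only nwfilter convention relied on is that lower priority values sort first.

```python
"""Priority-ordered insertion into a live iptables chain.

Added example, not libvirt code. Lower priority values sort first (the
nwfilter convention); chain name, rule specs and priorities are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

IPTABLES = "iptables"   # assumption: the command the generated lines call
DROP_ALL = "-j DROP"    # constructed final rule standing in for a DROP policy


@dataclass
class LiveChain:
    """Mirror of an installed chain: rules kept in (priority, spec) order."""
    name: str
    rules: List[Tuple[int, str]] = field(default_factory=list)

    def insert_position(self, priority: int) -> int:
        """1-based '-I' position: after every rule whose priority is <= the
        new one, so rules sharing a priority keep their insertion order."""
        pos = 1
        for prio, _spec in self.rules:
            if prio > priority:
                break
            pos += 1
        return pos

    def add_rule(self, priority: int, spec: str) -> str:
        """Insert by priority and return the iptables line that does it."""
        pos = self.insert_position(priority)
        self.rules.insert(pos - 1, (priority, spec))
        return f"{IPTABLES} -I {self.name} {pos} {spec}"

    def append_rule(self, priority: int, spec: str) -> str:
        """What a plain '-A' does: the rule lands last, whatever its priority."""
        self.rules.append((priority, spec))
        return f"{IPTABLES} -A {self.name} {spec}"

    def remove_rule(self, spec: str) -> List[str]:
        """Delete by rule spec ('-D chain spec'), so the caller never has to
        track positions that shift when other rules come and go."""
        cmds: List[str] = []
        kept: List[Tuple[int, str]] = []
        for prio, s in self.rules:
            if s == spec:
                cmds.append(f"{IPTABLES} -D {self.name} {spec}")
            else:
                kept.append((prio, s))
        self.rules = kept
        return cmds

    def is_reachable(self, spec: str) -> bool:
        """False when an unconditional DROP precedes the rule (or it is absent)."""
        for _prio, s in self.rules:
            if s == spec:
                return True
            if s == DROP_ALL:
                return False
        return False

    def listing(self) -> List[str]:
        return [spec for _prio, spec in self.rules]


def ip_rule(ip: str) -> str:
    """Per-address rule a DHCP snooper would instantiate for the IP variable
    (constructed; the real rule text depends on the filter XML)."""
    return f"-s {ip} -j RETURN"


def dhcp_scenario() -> List[str]:
    """Start-up chain, then two DHCP ACKs and one lease expiry; returns the
    iptables lines the runtime updates emit."""
    chain = LiveChain("FI-vnet0")                       # constructed chain name
    for prio, spec in [
        (-500, "-m state --state ESTABLISHED,RELATED -j RETURN"),
        (100, "-p udp --sport 67 --dport 68 -j RETURN"),  # let DHCP replies in
        (1000, DROP_ALL),                                  # explicit final drop
    ]:
        chain.add_rule(prio, spec)                      # start-up build
    emitted = []
    emitted.append(chain.add_rule(200, ip_rule("10.0.0.5")))  # ACK for .5
    emitted.append(chain.add_rule(200, ip_rule("10.0.0.6")))  # ACK for .6
    emitted.extend(chain.remove_rule(ip_rule("10.0.0.5")))    # .5 lease expires
    return emitted


if __name__ == "__main__":
    for line in dhcp_scenario():
        print(line)
```

Both IP rules carry the same priority, as David notes they would, and still get distinct positions (3, then 4) because the position is computed from the chain's current contents rather than from the priority alone; `append_rule` shows the failure mode Stefan raises, where a rule added with `-A` ends up behind the final DROP and never matches.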