xenbits.xensource.com Git - people/liuw/libxenctrl-split/libvirt.git/commit

author	Stefan Berger <stefanb@linux.vnet.ibm.com>
	Fri, 18 Nov 2011 16:58:18 +0000 (11:58 -0500)
committer	Stefan Berger <stefanb@us.ibm.com>
	Fri, 18 Nov 2011 16:58:18 +0000 (11:58 -0500)
commit	ea7c73a76f63a88a34bc06649f3d7f934fd0a18f
tree	e9d91cd080b53eb3155f1f9252c42a41615f0279	tree
parent	2657822e873df2442495e418d5851c90e3de9604	commit \| diff

Enable chains with names having a known prefix

This patch enables chains that have a known prefix in their name.
Known prefixes are: 'ipv4', 'ipv6', 'arp', 'rarp'. All prefixes
are also protocols that can be evaluated on the ebtables level.

Following the prefix they will be automatically connected to an interface's
'root' chain and jumped into following the protocol they evaluate, i.e.,
a table 'arp-xyz' will be accessed from the root table using

ebtables -t nat -A <iface root table> -p arp -j I-<ifname>-arp-xyz

thus generating a 'root' chain like this one here:

Bridge chain: libvirt-O-vnet0, entries: 5, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p ARP -j O-vnet0-arp
-p 0x8035 -j O-vnet0-rarp
-p ARP -j O-vnet0-arp-xyz
-j DROP

where the chain 'arp-xyz' is accessed for filtering of ARP packets.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

docs/schemas/nwfilter.rng		diff \| blob \| blame \| history
src/conf/nwfilter_conf.c		diff \| blob \| blame \| history
src/conf/nwfilter_conf.h		diff \| blob \| blame \| history