support continue/return targets in nwfilter

	This patch adds support for "continue" and "return" actions
in filter rules.

Signed-off-by: David L Stevens <dlstevens@us.ibm.com>

diff --git a/AUTHORS b/AUTHORS
index 0b7f76afcc058492840220f51b5baed11c279f56..b3da70523c37c1f9261baac2637fa491099a9bbd 100644 (file)
--- a/AUTHORS
+++ b/AUTHORS
@@ -198,6 +198,7 @@ Patches have also been contributed by:
   Tang Chen            <tangchen@cn.fujitsu.com>
   Dan Horák            <dan@danny.cz>
   Sage Weil            <sage@newdream.net>
+  David L Stevens      <dlstevens@us.ibm.com>
 
   [....send patches to get your name here....]
 

diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 8df4a930406b42bf4a92cf041e12df3251a71d18..5e9daeaddf5072d4f69ee193bfaeffa466384467 100644 (file)
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -258,11 +258,19 @@
     </p>
     <ul>
      <li>
-        action -- mandatory; must either be <code>drop</code>,
-        <code>reject</code><span class="since">(since 0.9.0)</span>,
-        or <code>accept</code> if
-        the evaluation of the filtering rule is supposed to drop,
-        reject (using ICMP message), or accept a packet
+        action -- mandatory; must either be <code>drop</code>
+        (matching the rule silently discards the packet with no
+        further analysis),
+        <code>reject</code> (matching the rule generates an ICMP
+        reject message with no further analysis) <span class="since">(since
+        0.9.0)</span>, <code>accept</code> (matching the rule accepts
+        the packet with no further analysis), <code>return</code>
+        (matching the rule passes this filter, but returns control to
+        the calling filter for further
+        analysis) <span class="since">(since 0.9.7)</span>,
+        or <code>continue<code> (matching the rule goes on to the next
+        rule for further analysis) <span class="since">(since
+        0.9.7)</span>.
      </li>
      <li>
         direction -- mandatory; must either be <code>in</code>, <code>out</code> or

diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index 08ede48fa9a48050746b4a4533d25699b8ad007e..e0c2fb630f606b04e1b2b4991dec0d913be8f087 100644 (file)
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -55,12 +55,16 @@
 VIR_ENUM_IMPL(virNWFilterRuleAction, VIR_NWFILTER_RULE_ACTION_LAST,
               "drop",
               "accept",
-              "reject");
+              "reject",
+              "return",
+              "continue");
 
 VIR_ENUM_IMPL(virNWFilterJumpTarget, VIR_NWFILTER_RULE_ACTION_LAST,
               "DROP",
               "ACCEPT",
-              "REJECT");
+              "REJECT",
+              "RETURN",
+              "CONTINUE");
 
 VIR_ENUM_IMPL(virNWFilterRuleDirection, VIR_NWFILTER_RULE_DIRECTION_LAST,
               "in",

diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 5306403a78118cc4cac87dc72b965aee7884048b..c96851aabbb4780c834cbc127d3cb2962932fdf4 100644 (file)
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -299,6 +299,8 @@ enum virNWFilterRuleActionType {
     VIR_NWFILTER_RULE_ACTION_DROP = 0,
     VIR_NWFILTER_RULE_ACTION_ACCEPT,
     VIR_NWFILTER_RULE_ACTION_REJECT,
+    VIR_NWFILTER_RULE_ACTION_RETURN,
+    VIR_NWFILTER_RULE_ACTION_CONTINUE,
 
     VIR_NWFILTER_RULE_ACTION_LAST,
 };