<tt>Eric Blake <eblake@redhat.com> wrote on 04/06/2010 10:30:16 AM: </tt> <tt>> > On 04/05/2010 07:27 PM, Stefan Berger wrote: > > The following rule in direction 'inout' > > > > <rule direction='inout' action='drop'> > > <mac srcmacaddr='1:2:3:4:5:6'/> > > </rule> > > > > now drops all traffic from and to the given MAC address. > > So far it would have dropped traffic from the given MAC address > > and outgoing traffic with the given MAC address, which is not useful > > since the packets will always have the VM's MAC address as source > > MAC address. > > Agreed that a bi-directional filter is morally equivalent to filtering > src on input and dst on output. > > > @@ -1783,7 +1802,8 @@ ebtablesCreateRuleInstance(char chainPre > > goto err_exit; > > > > virBufferVSprintf(&buf, > > - " --ip6-source-port %s %s", > > + " %s %s %s", > > + (!reverse) ? "--ip6-source-port" : "-- > ip6-destination-port", > > Avoid negative logic; this would be better as: > > reverse ? "--ip6-destination-port" : "--ip6-source-port" > </tt> <tt>Yes, fixed this everywhere in the meantime...</tt> <tt> > > @@ -1912,7 +1934,8 @@ ebiptablesCreateRuleInstance(virConnectP > > rule, > > ifname, > > vars, > > - res); > > + res, > > + 0); > > s/0/false/, to match the prototype being bool. > > ACK, with those tweaks.</tt> <tt>Will do and push.</tt> <tt> Thanks. </tt> <tt> Stefan</tt> <tt> > > -- > Eric Blake eblake@redhat.com +1-801-349-2682 > Libvirt virtualization library </tt><a href=http://libvirt.org/><tt>http://libvirt.org</tt></a><tt> > > [attachment "signature.asc" deleted by Stefan Berger/Watson/IBM] </tt>