[libvirt] PATCH: Fix removal of iptables FORWARD rules

Daniel P. Berrange berrange at redhat.com
Tue May 20 20:44:01 UTC 2008


The previous patch to add routed networking broke the removal of one of the
FORWARD rules at shutdown. It was adding

 /sbin/iptables --table filter --insert FORWARD 
    --destination 192.168.122.0/255.255.255.0 
    --out-interface virbr0 --match state 
    --state ESTABLISHED,RELATED --jump ACCEPT

But trying to remove

 /sbin/iptables --table filter --delete FORWARD
    --destination 192.168.122.0/255.255.255.0
    --out-interface virbr0 --jump ACCEPT

which wasn't matching on the state flags. This patch makes it use the correct
removal code.

Dan.

Index: src/qemu_driver.c
===================================================================
RCS file: /data/cvs/libvirt/src/qemu_driver.c,v
retrieving revision 1.76
diff -u -r1.76 qemu_driver.c
--- src/qemu_driver.c	16 May 2008 16:51:30 -0000	1.76
+++ src/qemu_driver.c	20 May 2008 20:41:03 -0000
@@ -1209,12 +1213,20 @@
                          struct qemud_network *network) {
     if (network->def->forward) {
         iptablesRemoveForwardMasquerade(driver->iptables,
-                                     network->def->network,
-                                     network->def->forwardDev);
-        iptablesRemoveForwardAllowIn(driver->iptables,
-                                   network->def->network,
-                                   network->bridge,
-                                   network->def->forwardDev);
+                                        network->def->network,
+                                        network->def->forwardDev);
+
+        if (network->def->forwardMode == QEMUD_NET_FORWARD_NAT)
+            iptablesRemoveForwardAllowRelatedIn(driver->iptables,
+                                                network->def->network,
+                                                network->bridge,
+                                                network->def->forwardDev);
+        else if (network->def->forwardMode == QEMUD_NET_FORWARD_ROUTE)
+            iptablesRemoveForwardAllowIn(driver->iptables,
+                                         network->def->network,
+                                         network->bridge,
+                                         network->def->forwardDev);
+
         iptablesRemoveForwardAllowOut(driver->iptables,
                                       network->def->network,
                                       network->bridge,
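Review bot: the new forwardMode branch still discards the return values of iptablesRemoveForwardAllowRelatedIn / iptablesRemoveForwardAllowIn (and the surrounding Remove calls), so a delete that finds no matching rule, which is exactly the failure described above, leaves the rule behind without any trace; consider logging when these calls report failure, and keep the QEMUD_NET_FORWARD_NAT / QEMUD_NET_FORWARD_ROUTE split here mirrored in the setup path so the add and remove sides always build the same rule specification.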

-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
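As an added illustration, not code from this patch or from libvirt: a small Python model of the delete semantics the mail describes, where iptables removes a rule only when the whole specification, match options included, is identical to one already in the chain. The parse helper and Filter class are constructed for this example; the command lines are the ones quoted above.

```python
import shlex

# Flags that name the action and chain rather than part of the rule spec.
ACTIONS = {"--insert", "--append", "--delete"}

def parse(cmdline):
    """Split an iptables command line into (action, chain, spec).

    spec is a frozenset of (flag, value) pairs: order is irrelevant, but
    every option given on the insert must also be present on the delete."""
    argv = shlex.split(cmdline)[1:]          # drop the /sbin/iptables binary
    action = chain = None
    spec = set()
    for flag, value in zip(argv[::2], argv[1::2]):
        if flag in ACTIONS:
            action, chain = flag, value
        else:
            spec.add((flag, value))
    return action, chain, frozenset(spec)

class Filter:
    """Stand-in for the filter table: chain name -> list of rule specs."""
    def __init__(self):
        self.chains = {"FORWARD": []}

    def run(self, cmdline):
        """Apply one command. Returns False when a delete has no exact match,
        the case where real iptables prints
        'Bad rule (does a matching rule exist in that chain?)'."""
        action, chain, spec = parse(cmdline)
        rules = self.chains.setdefault(chain, [])
        if action == "--insert":
            rules.insert(0, spec)
            return True
        if action == "--append":
            rules.append(spec)
            return True
        if spec in rules:                    # --delete: exact spec match only
            rules.remove(spec)
            return True
        return False

# Constructed from the commands quoted in the mail.
INSERT = ("/sbin/iptables --table filter --insert FORWARD "
          "--destination 192.168.122.0/255.255.255.0 --out-interface virbr0 "
          "--match state --state ESTABLISHED,RELATED --jump ACCEPT")
BROKEN_DELETE = ("/sbin/iptables --table filter --delete FORWARD "
                 "--destination 192.168.122.0/255.255.255.0 "
                 "--out-interface virbr0 --jump ACCEPT")
FIXED_DELETE = INSERT.replace("--insert", "--delete")

def demo(delete_cmd):
    """Insert the rule as libvirt did, then attempt a delete.
    Returns (delete_succeeded, rules_left_in_FORWARD)."""
    fw = Filter()
    fw.run(INSERT)
    ok = fw.run(delete_cmd)
    return ok, len(fw.chains["FORWARD"])
```

Deriving the delete from the same specification as the insert, as FIXED_DELETE does, is what keeps the two from drifting apart.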