[libvirt] [PATCH] nwfilter: Fix instantiated layer 2 rules for 'inout' direction
Eric Blake
eblake at redhat.com
Tue Apr 6 14:30:16 UTC 2010
On 04/05/2010 07:27 PM, Stefan Berger wrote:
> The following rule in direction 'inout'
>
> <rule direction='inout' action='drop'>
>   <mac srcmacaddr='1:2:3:4:5:6'/>
> </rule>
>
> now drops all traffic from and to the given MAC address.
> So far it would have dropped traffic from the given MAC address
> and outgoing traffic with the given MAC address, which is not useful
> since the packets will always have the VM's MAC address as source
> MAC address.
Agreed that a bi-directional filter is morally equivalent to filtering
src on input and dst on output.
> @@ -1783,7 +1802,8 @@ ebtablesCreateRuleInstance(char chainPre
> goto err_exit;
>
> virBufferVSprintf(&buf,
> - " --ip6-source-port %s %s",
> + " %s %s %s",
> + (!reverse) ? "--ip6-source-port" : "--ip6-destination-port",
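Review bot: the flag selection on the last line of this hunk uses negative logic (`(!reverse) ? "--ip6-source-port" : "--ip6-destination-port"`); `reverse ? "--ip6-destination-port" : "--ip6-source-port"` states the intent directly. Because the format string changed from `" --ip6-source-port %s %s"` to `" %s %s %s"`, also check that the two arguments that previously filled the original `%s %s` (not visible in this hunk) still follow the new flag argument in the same order, so the swap does not shift them.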
Avoid negative logic; this would be better as:
reverse ? "--ip6-destination-port" : "--ip6-source-port"
> @@ -1912,7 +1934,8 @@ ebiptablesCreateRuleInstance(virConnectP
> rule,
> ifname,
> vars,
> - res);
> + res,
> + 0);
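Review bot: the new trailing argument `0` in this call is a bare integer literal; if the added parameter is a `bool`, pass `false` so the call site reads as a flag and matches the declared type. A brief comment at the call site naming what the flag controls (this caller does not reverse the src/dst match) would also help, since a lone `0` at the end of a six-argument call conveys nothing about its meaning.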
s/0/false/, to match the prototype being bool.
ACK, with those tweaks.
--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
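The semantics described in the quoted commit message, as an added model written for this page (not libvirt's own code): a rule is expanded into one ebtables match per direction, and for 'inout' the outgoing copy swaps the src/dst flags, which is what makes the MAC rule useful in both directions. The `Rule` class, `ebtables_match` and `instantiate` are constructed for illustration; the MAC address is the one from the commit message.

```python
# Added example (not libvirt's code): a model of how one nwfilter <rule>
# is instantiated into per-direction ebtables matches, and why 'inout'
# needs the src/dst flags swapped for the outgoing copy.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    direction: str                     # 'in', 'out' or 'inout'
    action: str                        # e.g. 'drop'
    srcmacaddr: Optional[str] = None   # <mac srcmacaddr='...'/>
    dstmacaddr: Optional[str] = None   # <mac dstmacaddr='...'/>

def ebtables_match(rule: Rule, reverse: bool) -> str:
    """Render the ebtables MAC match for one packet direction.

    With reverse set, the rule's src address is matched as the packet's
    destination (and vice versa), using the positive-logic selection the
    review recommends: reverse ? "--destination" : "--source".
    """
    parts = []
    if rule.srcmacaddr:
        parts.append(f"{'--destination' if reverse else '--source'} {rule.srcmacaddr}")
    if rule.dstmacaddr:
        parts.append(f"{'--source' if reverse else '--destination'} {rule.dstmacaddr}")
    return " ".join(parts)

def instantiate(rule: Rule, swap_for_outgoing: bool = True) -> List[Tuple[str, str, str]]:
    """Expand a rule into (direction, match, action) tuples.

    Incoming traffic (network -> VM) matches the rule as written. For the
    outgoing copy of an 'inout' rule the fixed behaviour
    (swap_for_outgoing=True) reverses src/dst; the old behaviour kept the
    src match, which on outgoing packets can only hit the VM's own MAC.
    """
    rules = []
    if rule.direction in ("in", "inout"):
        rules.append(("in", ebtables_match(rule, reverse=False), rule.action))
    if rule.direction in ("out", "inout"):
        reverse = rule.direction == "inout" and swap_for_outgoing
        rules.append(("out", ebtables_match(rule, reverse=reverse), rule.action))
    return rules

if __name__ == "__main__":
    for entry in instantiate(Rule("inout", "drop", srcmacaddr="1:2:3:4:5:6")):
        print(entry)
```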