[libvirt] [PATCH] nwfilter: Fix instantiated layer 2 rules for 'inout' direction

Eric Blake eblake at redhat.com
Tue Apr 6 14:30:16 UTC 2010


On 04/05/2010 07:27 PM, Stefan Berger wrote:
> The following rule in direction 'inout'
> 
> <rule direction='inout' action='drop'>
>   <mac srcmacaddr='1:2:3:4:5:6'/>
> </rule>
> 
> now drops all traffic from and to the given MAC address.
> So far it would have dropped traffic from the given MAC address
> and outgoing traffic with the given MAC address, which is not useful
> since the packets will always have the VM's MAC address as source
> MAC address.

Agreed that a bi-directional filter is morally equivalent to filtering
src on input and dst on output.

> @@ -1783,7 +1802,8 @@ ebtablesCreateRuleInstance(char chainPre
>                  goto err_exit;
>  
>              virBufferVSprintf(&buf,
> -                          " --ip6-source-port %s %s",
> +                          " %s %s %s",
> +                          (!reverse) ? "--ip6-source-port" : "--ip6-destination-port",
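Review bot: the format literal changed from " --ip6-source-port %s %s" to " %s %s %s", so the call now needs three arguments, but the quoted hunk stops after the first of them (the ternary); confirm that the two original arguments still follow it unchanged and in the same order, since a mismatch between the three conversions and the argument list will only be caught at compile time if virBufferVSprintf carries a printf-style format attribute.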

Avoid negative logic; this would be better as:

reverse ? "--ip6-destination-port" : "--ip6-source-port"

> @@ -1912,7 +1934,8 @@ ebiptablesCreateRuleInstance(virConnectP
>                                              rule,
>                                              ifname,
>                                              vars,
> -                                            res);
> +                                            res,
> +                                            0);
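Review bot: beyond the 0 versus false point, a bare positional literal as the new trailing argument says nothing at the call site about which direction it selects; a short comment such as `false /* not reversed */`, or a named local, makes the pairing with the reversed instantiation readable without opening the prototype.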

s/0/false/, to match the prototype being bool.

ACK, with those tweaks.

-- 
Eric Blake   eblake at redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
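As an added illustration (not libvirt's code and not part of the patch), the 'inout' semantics agreed above can be shown by instantiating a layer 2 rule once per direction, with the outgoing instance flipping the match from source to destination MAC through a reverse flag. The chain names, the -s/-d spelling of the MAC match, and the helper names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not libvirt code) of how a layer 2 nwfilter
 * rule is instantiated per direction. Chain names are placeholders. */
enum rule_direction { DIR_IN, DIR_OUT, DIR_INOUT };

/* Render the MAC match for one instantiation. With reverse set, the
 * srcmacaddr value is matched as the destination MAC instead, which is
 * what the patch's reverse flag selects. */
static int format_mac_match(char *buf, size_t len, const char *srcmac,
                            bool reverse)
{
    return snprintf(buf, len, "%s %s", reverse ? "-d" : "-s", srcmac);
}

/* Expand a rule into up to two ebtables commands and return how many were
 * written. With fixed set, the outgoing half of an 'inout' rule is reversed
 * (the patched behaviour); with fixed false it matches the VM's own source
 * MAC on the way out, the pre-patch behaviour the description calls useless. */
static int instantiate_mac_rule(enum rule_direction dir, const char *srcmac,
                                const char *target, bool fixed,
                                char rules[2][128])
{
    char match[64];
    int n = 0;

    if (dir == DIR_IN || dir == DIR_INOUT) {
        format_mac_match(match, sizeof match, srcmac, false);
        snprintf(rules[n++], 128, "ebtables -A in-chain %s -j %s", match, target);
    }
    if (dir == DIR_OUT || dir == DIR_INOUT) {
        bool reverse = fixed && dir == DIR_INOUT;
        format_mac_match(match, sizeof match, srcmac, reverse);
        snprintf(rules[n++], 128, "ebtables -A out-chain %s -j %s", match, target);
    }
    return n;
}

int main(void)
{
    char rules[2][128];
    int n = instantiate_mac_rule(DIR_INOUT, "1:2:3:4:5:6", "DROP", true, rules);

    for (int i = 0; i < n; i++)
        puts(rules[i]);
    return 0;
}
```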
