[libvirt] [PATCH] nwfilter: fix due to non-symmetric src mac address match in iptables

Stefan Berger stefanb at us.ibm.com
Wed Apr 7 10:41:22 UTC 2010


Daniel Veillard <veillard at redhat.com> wrote on 04/07/2010 03:55:19 AM:


> On Tue, Apr 06, 2010 at 03:55:26PM -0400, Stefan Berger wrote:
> > The attached patch fixes a problem due to the mac match in iptables only
> > supporting --mac-source and no --mac-destination, thus it not being
> > symmetric. Therefore a rule like this one
> > 
> > <rule action='drop' direction='out'>
> >   <all match='no' srcmacaddr='$MAC'/>
> > </rule>
> > 
> > should only have the MAC match on traffic leaving the VM and not test
> > for the same source MAC address on traffic that the VM receives.
> > 
> > Signed-off-by: Stefan Berger <stefanb at us.ibm.com>
> > 
> 
>   Okay, I had to check _iptablesCreateRuleInstance() source to find out
> it's a giant switch, then patch makes sense, looks low risk and well
> contained,
> 
> ACK,
> 
Thanks. Pushed.

   Stefan

> Daniel
> 
> -- 
> Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
> daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
> http://veillard.com/ | virtualization library  http://libvirt.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20100407/b2bd4ef4/attachment-0001.htm>
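As an added illustration of the asymmetry the message describes (this is example code written for this page, not the attached patch and not libvirt's own rule generator), the script below expands a filter rule carrying a srcmacaddr test into iptables commands for the requested direction and for the reverse direction. Because iptables' mac match only offers --mac-source, the MAC test can only be emitted where the VM is the sender; for the reverse direction the test is dropped, and if no other selector remains the reverse rule is skipped entirely rather than becoming an interface-wide rule. The tap interface name vnet0, the MAC address, the physdev matches used to tie a rule to the VM's interface and the optional protocol selector are all assumptions made for the example; conntrack state handling is left out.

```shell
#!/bin/sh
# Added illustration, not code from libvirt: why a srcmacaddr test cannot be
# mirrored onto the reverse direction in iptables. The "mac" match
# (iptables -m mac) only provides --mac-source; there is no --mac-destination.

# Hypothetical tap interface of the VM, made up for this example.
VNET_IF="vnet0"

# mac_match DIRECTION MAC NEGATE
#   Prints the iptables fragment that tests the VM's MAC for DIRECTION:
#   "out" = frame leaving the VM (VM MAC is the source address),
#   "in"  = frame entering the VM (VM MAC is the destination address).
#   NEGATE="yes" inverts the test, like match='no' in the filter XML.
#   For "in" nothing is printed: iptables cannot test a destination MAC.
mac_match() {
    case "$1" in
        out)
            if [ "$3" = "yes" ]; then
                printf '%s' "-m mac ! --mac-source $2"
            else
                printf '%s' "-m mac --mac-source $2"
            fi
            ;;
        in)
            printf ''
            ;;
        *)
            echo "mac_match: unknown direction '$1'" >&2
            return 1
            ;;
    esac
}

# emit_rule DIRECTION MAC NEGATE PROTO TARGET
#   Prints one iptables command for DIRECTION, or nothing when the only
#   selector would have been the MAC and it cannot be expressed. Emitting an
#   interface-only rule instead would apply TARGET to all traffic in that
#   direction. PROTO is "all" or an iptables protocol name (symmetric, so it
#   survives the direction flip). Conntrack state matching is left out.
emit_rule() {
    direction="$1"; mac="$2"; negate="$3"; proto="$4"; target="$5"
    match=$(mac_match "$direction" "$mac" "$negate") || return 1
    case "$direction" in
        out) iface="-m physdev --physdev-in $VNET_IF" ;;
        in)  iface="-m physdev --physdev-out $VNET_IF" ;;
    esac
    selectors=""
    if [ "$proto" != "all" ]; then
        selectors="-p $proto"
    fi
    if [ -n "$match" ]; then
        selectors="${selectors:+$selectors }$match"
    fi
    # No selector survived the direction flip: skip the rule entirely.
    [ -n "$selectors" ] || return 0
    printf '%s\n' "iptables -A FORWARD $iface $selectors -j $target"
}

# build_rules ACTION DIRECTION MAC NEGATE PROTO
#   Expands a filter rule with a srcmacaddr test into the iptables command for
#   DIRECTION plus the command for the reverse direction. The MAC test only
#   appears in the direction where the VM is the sender.
build_rules() {
    case "$1" in
        drop)   target="DROP" ;;
        accept) target="ACCEPT" ;;
        *) echo "build_rules: unknown action '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        out) reverse="in" ;;
        in)  reverse="out" ;;
        *) echo "build_rules: unknown direction '$2'" >&2; return 1 ;;
    esac
    emit_rule "$2" "$3" "$4" "$5" "$target" || return 1
    emit_rule "$reverse" "$3" "$4" "$5" "$target" || return 1
}

# The rule from the message: <rule action='drop' direction='out'>
#                              <all match='no' srcmacaddr='$MAC'/>
# Only one iptables command results; no "in" counterpart is generated.
build_rules drop out 52:54:00:12:34:56 yes all
```

Running the script prints a single rule for the outgoing direction with the negated source-MAC test and nothing for the incoming direction. Passing a protocol instead of "all" (for example `build_rules drop out 52:54:00:12:34:56 yes tcp`) shows the other case: the reverse rule is still produced because the protocol selector is direction-independent, but it carries no MAC test.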