[libvirt] [PATCH] nwfilter: Clear all state tracking from a drop rule

Daniel P. Berrange berrange at redhat.com
Fri Apr 16 11:09:12 UTC 2010


On Fri, Apr 16, 2010 at 06:33:50AM -0400, Stefan Berger wrote:
> Don't use state-matching in a drop rule.
> 
> Signed-off-by: Stefan Berger <stefanb at us.ibm.com>
> 
> Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
> ===================================================================
> --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -1380,13 +1380,16 @@ _iptablesCreateRuleInstance(int directio
>          return 0;
>      }
>  
> -    if (match)
> -        virBufferVSprintf(&buf, " %s", match);
> -
>      if (rule->action == VIR_NWFILTER_RULE_ACTION_ACCEPT)
>          target = accept_target;
> -    else
> +    else {
>          target = "DROP";
> +        match = NULL;
> +    }
> +
> +    if (match)
> +        virBufferVSprintf(&buf, " %s", match);
> +
>  
>      virBufferVSprintf(&buf,
>                        " -j %s" CMD_DEF_POST CMD_SEPARATOR
> 
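Review bot: the new `else` branch sets `match = NULL` for every rule whose action is not ACCEPT, so the whole `match` string is discarded for DROP rules, not only the state-tracking match the commit message describes; if `match` can ever carry other matcher options, those are silently lost as well, so either clear just the state portion or add a one-line comment above `match = NULL;` stating that DROP rules intentionally ignore every match option. Minor style point: the added `+` blank line after `virBufferVSprintf(&buf, " %s", match);` is immediately followed by the existing blank context line, leaving two consecutive empty lines before the `" -j %s"` call.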

ACK

Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
