[libvirt] [PATCH] nwfilter: Fix instantiated layer 2 rules for 'inout' direction

Stefan Berger stefanb at us.ibm.com
Tue Apr 6 14:35:01 UTC 2010


Eric Blake <eblake at redhat.com> wrote on 04/06/2010 10:30:16 AM:


> 
> On 04/05/2010 07:27 PM, Stefan Berger wrote:
> > The following rule in direction 'inout'
> > 
> > <rule direction='inout' action='drop'>
> >   <mac srcmacaddr='1:2:3:4:5:6'/>
> > </rule>
> > 
> > now drops all traffic from and to the given MAC address.
> > So far it would have dropped traffic from the given MAC address
> > and outgoing traffic with the given MAC address, which is not useful
> > since the packets will always have the VM's MAC address as source
> > MAC address.
> 
> Agreed that a bi-directional filter is morally equivalent to filtering
> src on input and dst on output.
> 
> > @@ -1783,7 +1802,8 @@ ebtablesCreateRuleInstance(char chainPre
> >                  goto err_exit;
> > 
> >              virBufferVSprintf(&buf,
> > -                          " --ip6-source-port %s %s",
> > +                          " %s %s %s",
> > +                          (!reverse) ? "--ip6-source-port" : "--
> ip6-destination-port",
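Review bot: On the `(!reverse) ? "--ip6-source-port" : ...` line, only the source-port match is visibly swapped. The matching `--ip6-destination-port` branch of ebtablesCreateRuleInstance is not in this hunk and needs the mirrored selection (`reverse ? "--ip6-source-port" : "--ip6-destination-port"`); if it is left as is, a reversed rule that sets both ports would test the destination port twice and the source port not at all. Since the option name now travels as a `%s` argument, a short comment stating what `reverse` means in this function would also help readers of the format string.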
> 
> Avoid negative logic; this would be better as:
> 
> reverse ? "--ip6-destination-port" : "--ip6-source-port"
> 
Yes, fixed this everywhere in the meantime...


> > @@ -1912,7 +1934,8 @@ ebiptablesCreateRuleInstance(virConnectP
> >                                              rule,
> >                                              ifname,
> >                                              vars,
> > -                                            res);
> > +                                            res,
> > +                                            0);
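Review bot: The bare literal added as the last argument (`0);`) gives no hint at the call site of what it controls. Label it with a trailing comment or a named constant, and document the new parameter at the callee's prototype. Only the call with the flag off is visible in this hunk, so please confirm that the 'inout' path in ebiptablesCreateRuleInstance also makes a second call with the flag set, and that a failure of that second call is handled like the first.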
> 
> s/0/false/, to match the prototype being bool.
> 
> ACK, with those tweaks.

Will do and push.

  Thanks. 

  Stefan

> 
> -- 
> Eric Blake   eblake at redhat.com    +1-801-349-2682
> Libvirt virtualization library http://libvirt.org
> 
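The behaviour change discussed in this thread, as an added example that is not part of the original mails and is not libvirt code: a small model of how a srcmacaddr match in an 'inout' rule is evaluated before and after the fix. All function and type names, and the sample frames, are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model for illustration; not libvirt code. */
enum dir { DIR_IN, DIR_OUT };            /* IN = towards the VM, OUT = sent by the VM */
struct frame { enum dir dir; const char *src, *dst; };

/* A srcmacaddr match is tested against the source field, or against the
 * destination field when the rule instance is built with reverse set. */
static bool mac_matches(const struct frame *f, const char *mac, bool reverse)
{
    return strcmp(reverse ? f->dst : f->src, mac) == 0;
}

/* Before the fix: both directions compare the source MAC. */
bool dropped_before(const struct frame *f, const char *mac)
{
    return mac_matches(f, mac, false);
}

/* After the fix: the outgoing direction is the reversed instance. */
bool dropped_after(const struct frame *f, const char *mac)
{
    return mac_matches(f, mac, f->dir == DIR_OUT);
}

/* Constructed sample traffic; the VM's MAC is a made-up value. */
#define VM  "52:54:0:aa:bb:cc"
#define BAD "1:2:3:4:5:6"                /* MAC from the rule quoted in the thread */
const struct frame samples[] = {
    { DIR_IN,  BAD, VM },                /* blocked host -> VM */
    { DIR_OUT, VM,  BAD },               /* VM -> blocked host */
    { DIR_IN,  "52:54:0:11:22:33", VM }, /* unrelated host -> VM */
    { DIR_OUT, VM,  "52:54:0:11:22:33" } /* VM -> unrelated host */
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("frame %zu: before=%d after=%d\n", i,
               dropped_before(&samples[i], BAD), dropped_after(&samples[i], BAD));
    return 0;
}
```

The second sample frame is the case the patch closes: traffic from the VM to the listed MAC passed the old instantiation because its source is always the VM's own MAC.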