[libvirt-users] problem with nwfilter direction='out'

[Stephan Sachse]

i test the following simple filter

<filter name='nwfilter-test-fedora2' chain='root'>
  <uuid>ccbd255f-4be5-4f0f-8835-770ea40cb2c9</uuid>
  <rule action='accept' direction='out' priority='500'>
    <tcp dstipaddr='10.1.24.0' dstipmask='24' comment='test test test'/>
  </rule>
</filter>

but i get strange results (look at the attached output of iptables-save)

for me it looks like the direction='out' filters are attached to every
chain for this domain. additional there are wrong conntrack, state and
ctdir matches.

is this a bug or my fault?

/stephan

-- 
Software is like sex, it's better when it's free!
-------------- next part --------------
# Generated by iptables-save v1.4.7 on Wed Feb 19 20:19:32 2014
*filter
:INPUT ACCEPT [505:35572]
:FORWARD ACCEPT [978:118388]
:OUTPUT ACCEPT [443:79948]
:FI-veth0-fedora2 - [0:0]
:FO-veth0-fedora2 - [0:0]
:HI-veth0-fedora2 - [0:0]
:libvirt-host-in - [0:0]
:libvirt-in - [0:0]
:libvirt-in-post - [0:0]
:libvirt-out - [0:0]
-A INPUT -j libvirt-host-in 
-A FORWARD -j libvirt-in 
-A FORWARD -j libvirt-out 
-A FORWARD -j libvirt-in-post 
-A FI-veth0-fedora2 -d 10.1.24.0/24 -p tcp -m state --state NEW,ESTABLISHED -m conntrack --ctdir ORIGINAL-m comment --comment "test test test" -j RETURN 
-A FO-veth0-fedora2 -s 10.1.24.0/24 -p tcp -m state --state ESTABLISHED -m conntrack --ctdir REPLY-m comment --comment "test test test" -j ACCEPT 
-A HI-veth0-fedora2 -d 10.1.24.0/24 -p tcp -m state --state NEW,ESTABLISHED -m conntrack --ctdir ORIGINAL-m comment --comment "test test test" -j RETURN 
-A libvirt-host-in -m physdev --physdev-in veth0-fedora2 -g HI-veth0-fedora2 
-A libvirt-in -m physdev --physdev-in veth0-fedora2 -g FI-veth0-fedora2 
-A libvirt-in-post -m physdev --physdev-in veth0-fedora2 -j ACCEPT 
-A libvirt-out -m physdev --physdev-out veth0-fedora2 --physdev-is-bridged -g FO-veth0-fedora2 
COMMIT
# Completed on Wed Feb 19 20:19:32 2014