[libvirt] [PATCH 1/2] nwfilter: address coverity findings
by Stefan Berger
This patch addresses the following coverity findings:
/libvirt/src/conf/nwfilter_params.c:157:
deref_parm: Directly dereferencing parameter "val".
/libvirt/src/conf/nwfilter_params.c:473:
negative_returns: Using variable "iterIndex" as an index to array
"res->iter".
/libvirt/src/nwfilter/nwfilter_ebiptables_driver.c:2891:
unchecked_value: No check of the return value of "virAsprintf(&protostr,
"-d 01:80:c2:00:00:00 ")".
/libvirt/src/nwfilter/nwfilter_ebiptables_driver.c:2894:
unchecked_value: No check of the return value of "virAsprintf(&protostr,
"-p 0x%04x ", l3_protocols[protoidx].attr)".
/libvirt/src/nwfilter/nwfilter_ebiptables_driver.c:3590:
var_deref_op: Dereferencing null variable "inst".
---
src/conf/nwfilter_params.c | 5 ++++-
src/nwfilter/nwfilter_ebiptables_driver.c | 10 +++++++---
2 files changed, 11 insertions(+), 4 deletions(-)
Index: libvirt-acl/src/conf/nwfilter_params.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_params.c
+++ libvirt-acl/src/conf/nwfilter_params.c
@@ -154,6 +154,9 @@ virNWFilterVarValueGetNthValue(virNWFilt
{
const char *res = NULL;
+ if (!val)
+ return NULL;
+
switch (val->valType) {
case NWFILTER_VALUE_TYPE_SIMPLE:
if (idx == 0)
@@ -467,7 +470,7 @@ virNWFilterVarCombIterCreate(virNWFilter
res->nIter++;
break;
case VIR_NWFILTER_VAR_ACCESS_LAST:
- break;
+ goto err_exit;
}
if (virNWFilterVarCombIterAddVariable(&res->iter[iterIndex],
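Review bot: The new `goto err_exit` for `VIR_NWFILTER_VAR_ACCESS_LAST` leaves the function without any error having been reported (unless err_exit itself does so outside the hunk), so a caller that gets NULL back will surface libvirt's generic "cause is unknown" message. Reaching `_LAST` means an unexpected access-type value arrived, which is worth naming: report an internal error (VIR_ERR_INTERNAL_ERROR with the offending value) on the line before the jump. The jump itself is the right shape of fix, since the Coverity finding was `iterIndex` being used as an array index on a path where it was never assigned. virNWFilterVarCombIterCreate continues on both sides of the hunk.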
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2878,6 +2878,7 @@ ebtablesCreateTmpSubChain(ebiptablesRule
char chainPrefix = (incoming) ? CHAINPREFIX_HOST_IN_TEMP
: CHAINPREFIX_HOST_OUT_TEMP;
char *protostr = NULL;
+ int r = 0;
PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
PRINT_CHAIN(chain, chainPrefix, ifname,
@@ -2888,14 +2889,14 @@ ebtablesCreateTmpSubChain(ebiptablesRule
protostr = strdup("");
break;
case L2_PROTO_STP_IDX:
- virAsprintf(&protostr, "-d " NWFILTER_MAC_BGA " ");
+ r = virAsprintf(&protostr, "-d " NWFILTER_MAC_BGA " ");
break;
default:
- virAsprintf(&protostr, "-p 0x%04x ", l3_protocols[protoidx].attr);
+ r = virAsprintf(&protostr, "-p 0x%04x ",
l3_protocols[protoidx].attr);
break;
}
- if (!protostr) {
+ if (!protostr || r < 0) {
virReportOOMError();
return -1;
}
@@ -3589,6 +3590,9 @@ ebiptablesApplyNewRules(const char *ifna
int nEbtChains = 0;
char *errmsg = NULL;
+ if (inst == NULL)
+ nruleInstances = 0;
+
if (!chains_in_set || !chains_out_set) {
virReportOOMError();
goto exit_free_sets;
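Review bot: Forcing `nruleInstances` to 0 when `inst == NULL` silences the Coverity finding but also silently tolerates an inconsistent call (a NULL array with a non-zero count), so a caller bug would now result in the instances being quietly dropped instead of being noticed. If that combination is never legitimate, it is better reported as an internal error than clamped; if it is legitimate, say so in a comment: `/* a NULL instance array is only meaningful with a zero count; clamp so the loops below never dereference inst */`. Whether any caller can actually pass that combination is not visible here, as ebiptablesApplyNewRules continues past the hunk.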
[libvirt] [PATCH v2 0/2] QEMU copyright update
by Andreas Färber
Hello,
For 1.0 I had brought up the issue that the copyright statement reads 2008.
Mentor Graphics have solved this for their Sourcery CodeBench fork by printing:
Copyright (c) 2003-2008 Fabrice Bellard, 2008-2011 Mentor Graphics
For the QEMU community it's less clear whom to assign the copyright to,
thus my proposal is the appendix "and contributors".
v2 applies this change to softmmus, linux-user and bsd-user (pointed out by PMM).
darwin-user is intentionally left out as there is a pending PULL for its removal.
Also included is a change to the bsd-user version banner.
CC'ing libvirt since it has been sensitive to changes there in the past.
Regards,
Andreas
Cc: Anthony Liguori <anthony(a)codemonkey.ws>
Cc: Fabrice Bellard <fabrice(a)bellard.org>
Cc: Peter Maydell <peter.maydell(a)linaro.org>
Cc: Natalia Portillo <claunia(a)claunia.com>
Cc: libvirt <libvir-list(a)redhat.com>
Andreas Färber (2):
Update copyright banners
bsd-user: Output package version
bsd-user/main.c | 3 ++-
linux-user/main.c | 2 +-
vl.c | 3 ++-
3 files changed, 5 insertions(+), 3 deletions(-)
--
1.7.7
[libvirt] [PATCHv3 1/2] add parameter flags to D.get_cpu_stats()
by Hu Tao
---
examples/get_cpu_stats.ml | 2 +-
libvirt/libvirt.ml | 6 +++++-
libvirt/libvirt.mli | 6 +++++-
libvirt/libvirt_c_oneoffs.c | 21 +++++++++++++++++----
4 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/examples/get_cpu_stats.ml b/examples/get_cpu_stats.ml
index 79d5c3c..962a2a4 100644
--- a/examples/get_cpu_stats.ml
+++ b/examples/get_cpu_stats.ml
@@ -25,7 +25,7 @@ let () =
let stats =
let dom = D.lookup_by_name conn domname in
- D.get_cpu_stats dom nr_pcpus in
+ D.get_cpu_stats dom nr_pcpus [D.None;] in
Array.iteri (
fun n params ->
diff --git a/libvirt/libvirt.ml b/libvirt/libvirt.ml
index 53c5bb4..de303f7 100644
--- a/libvirt/libvirt.ml
+++ b/libvirt/libvirt.ml
@@ -348,6 +348,10 @@ struct
| TypedFieldFloat of float | TypedFieldBool of bool
| TypedFieldString of string
+ type get_cpu_stats_flags =
+ | None
+ | Vcpu
+
type migrate_flag = Live
type memory_flag = Virtual
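Review bot: The new constructor `None` in `get_cpu_stats_flags` shadows the `option` constructor `None` for the remainder of the `Domain` struct in libvirt.ml and for any client that opens the module, so a later `None` meant as an option needs type-directed disambiguation, which the OCaml compilers of this era do not provide. Since an empty list already means "no flags", the constructor carries no information; drop it and have the example pass `[]`, or rename it to something not in the standard library (`NoFlags`), which also leaves only `Vcpu` needing a tag on the C side. The same change applies to the mirrored declaration in libvirt.mli.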
@@ -417,7 +421,7 @@ struct
external set_vcpus : [>`W] t -> int -> unit = "ocaml_libvirt_domain_set_vcpus"
external pin_vcpu : [>`W] t -> int -> string -> unit = "ocaml_libvirt_domain_pin_vcpu"
external get_vcpus : [>`R] t -> int -> int -> int * vcpu_info array * string = "ocaml_libvirt_domain_get_vcpus"
- external get_cpu_stats : [>`R] t -> int -> typed_param list array = "ocaml_libvirt_domain_get_cpu_stats"
+ external get_cpu_stats : [>`R] t -> int -> get_cpu_stats_flags list -> typed_param list array = "ocaml_libvirt_domain_get_cpu_stats"
external get_max_vcpus : [>`R] t -> int = "ocaml_libvirt_domain_get_max_vcpus"
external attach_device : [>`W] t -> xml -> unit = "ocaml_libvirt_domain_attach_device"
external detach_device : [>`W] t -> xml -> unit = "ocaml_libvirt_domain_detach_device"
diff --git a/libvirt/libvirt.mli b/libvirt/libvirt.mli
index 0913a63..5a7e536 100644
--- a/libvirt/libvirt.mli
+++ b/libvirt/libvirt.mli
@@ -442,6 +442,10 @@ sig
| TypedFieldFloat of float | TypedFieldBool of bool
| TypedFieldString of string
+ type get_cpu_stats_flags =
+ | None
+ | Vcpu
+
type migrate_flag = Live
type memory_flag = Virtual
@@ -559,7 +563,7 @@ sig
for a domain. See the libvirt documentation for details
of the array and bitmap returned from this function.
*)
- val get_cpu_stats : [>`R] t -> int -> typed_param list array
+ val get_cpu_stats : [>`R] t -> int -> get_cpu_stats_flags list -> typed_param list array
(** [get_pcpu_stats dom nr_pcpu] returns the physical CPU stats
for a domain. See the libvirt documentation for details.
*)
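Review bot: The doc comment attached to `get_cpu_stats` still reads `[get_pcpu_stats dom nr_pcpu]` and says nothing about the new flags argument, so the interface change goes undocumented in the .mli. Update it to `[get_cpu_stats dom nr_pcpu flags]` and add a sentence stating that `flags` is a list of `get_cpu_stats_flags`, that `Vcpu` is passed through to libvirt as `VIR_DOMAIN_CPU_STATS_VCPU`, and that the empty list requests the default statistics; refer to the libvirt documentation for what the flag selects, since that is not visible from the binding.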
diff --git a/libvirt/libvirt_c_oneoffs.c b/libvirt/libvirt_c_oneoffs.c
index 3d42b73..5d1e8b2 100644
--- a/libvirt/libvirt_c_oneoffs.c
+++ b/libvirt/libvirt_c_oneoffs.c
@@ -532,20 +532,33 @@ extern int virDomainGetCPUStats (virDomainPtr domain,
#endif
CAMLprim value
-ocaml_libvirt_domain_get_cpu_stats (value domv, value nr_pcpusv)
+ocaml_libvirt_domain_get_cpu_stats (value domv, value nr_pcpusv, value flagsv)
{
#ifdef HAVE_VIRDOMAINGETCPUSTATS
- CAMLparam2 (domv, nr_pcpusv);
+ CAMLparam3 (domv, nr_pcpusv, flagsv);
CAMLlocal5 (cpustats, param_head, param_node, typed_param, typed_param_value);
CAMLlocal1 (v);
virDomainPtr dom = Domain_val (domv);
virConnectPtr conn = Connect_domv (domv);
int nr_pcpus = Int_val (nr_pcpusv);
+ int flags = 0;
virTypedParameterPtr params;
int r, cpu, ncpus, nparams, i, j, pos;
+ /* Iterate over the list of flags. */
+ for (; flagsv != Val_int (0); flagsv = Field (flagsv, 1))
+ {
+ switch (Int_val(Field(flagsv, 0))) {
+ case 1: /* Vcpu */
+ flags |= VIR_DOMAIN_CPU_STATS_VCPU;
+ break;
+ default:
+ break;
+ }
+ }
+
/* get percpu information */
- NONBLOCKING (nparams = virDomainGetCPUStats(dom, NULL, 0, 0, 1, 0));
+ NONBLOCKING (nparams = virDomainGetCPUStats(dom, NULL, 0, 0, 1, flags));
CHECK_ERROR (nparams < 0, conn, "virDomainGetCPUStats");
if ((params = malloc(sizeof(*params) * nparams * 128)) == NULL)
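Review bot: The switch in the new flag loop matches on the bare constructor index (`case 1: /* Vcpu */`), which silently depends on the declaration order of `get_cpu_stats_flags` in libvirt.ml, and the `default` arm drops any other tag without complaint, so reordering or extending the OCaml type would change which libvirt flag is set with no diagnostic. Add a comment tying the two together, `/* Tag values must mirror the constructor order of get_cpu_stats_flags in libvirt.ml: None = 0, Vcpu = 1. */`, and consider making `default` fail loudly (`caml_invalid_argument`) instead of ignoring the value. `VIR_DOMAIN_CPU_STATS_VCPU` also has to exist in the libvirt headers this is built against; if it is newer than the API covered by HAVE_VIRDOMAINGETCPUSTATS it needs its own guard. ocaml_libvirt_domain_get_cpu_stats continues past the hunk.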
@@ -556,7 +569,7 @@ ocaml_libvirt_domain_get_cpu_stats (value domv, value nr_pcpusv)
while (cpu < nr_pcpus) {
ncpus = nr_pcpus - cpu > 128 ? 128 : nr_pcpus - cpu;
- NONBLOCKING (r = virDomainGetCPUStats(dom, params, nparams, cpu, ncpus, 0));
+ NONBLOCKING (r = virDomainGetCPUStats(dom, params, nparams, cpu, ncpus, flags));
CHECK_ERROR (r < 0, conn, "virDomainGetCPUStats");
for (i = 0; i < ncpus; i++) {
--
1.7.1
[libvirt] How to disconnect a NIC
by Hendrik Schwartke
Hi,
Some time ago I wrote a patch to change the source bridge of a running
domain. Now I'm wondering what's the best way to disconnect a NIC.
My first thought was to set virDomainNetDef.data.bridge.brname to NULL.
There are quite a few places in the code that would have to be modified to
support this, but that should be doable.
Another idea is to create a new interface type 'disconnected'. The
purpose of this type would be specifying NICs (whose link state is
either up or down) without any network connectivity. The type of this
interface had to be changeable while the domain is running.
Any thoughts would be greatly appreciated.
Hendrik Schwartke
[libvirt] Files too long for tar archive
by Cole Robinson
In building the libvirt-0.9.11.2 stable tarball, I saw these errors:
tar:
libvirt-0.9.11.2/tests/nodeinfodata/linux-nodeinfo-sysfs-test-1/cpu/cpu0/topology/thread_siblings_list:
file name is too long (max 99); not dumped
tar:
libvirt-0.9.11.2/tests/nodeinfodata/linux-nodeinfo-sysfs-test-1/cpu/cpu0/topology/physical_package_id:
file name is too long (max 99); not dumped
tar:
libvirt-0.9.11.2/tests/nodeinfodata/linux-nodeinfo-sysfs-test-1/cpu/cpu1/topology/thread_siblings_list:
file name is too long (max 99); not dumped
tar:
libvirt-0.9.11.2/tests/nodeinfodata/linux-nodeinfo-sysfs-test-1/cpu/cpu1/topology/physical_package_id:
file name is too long (max 99); not dumped
tar: Exiting with failure status due to previous errors
As indicated the files were not in the tarball.
Can we just update the tar format in configure or does that come with caveats?
Thanks,
Cole
[libvirt] udevadm settle can take too long
by Jim Paris
Hi,
http://bugs.debian.org/663931 is a bug I'm hitting, where virt-manager
times out on the initial connection to libvirt.
The basic problem is that, while checking storage volumes,
virt-manager causes libvirt to call "udevadm settle". There's an
interaction where libvirt's earlier use of network namespaces (to probe
LXC features) had caused some uevents to be sent that get filtered out
before they reach udev. This confuses "udevadm settle" a bit, and so
it sits there waiting for a 2-3 minute built-in timeout before returning.
Eventually libvirtd prints:
2012-04-22 18:22:18.678+0000: 30503: warning : virKeepAliveTimer:182 : No response from client 0x7feec4003630 after 5 keepalive messages in 30 seconds
and virt-manager prints:
2012-04-22 18:22:18.931+0000: 30647: warning : virKeepAliveSend:128 : Failed to send keepalive response to client 0x25004e0
and the connection gets dropped.
One workaround could be to specify a shorter timeout when doing the
settle. The patch appended below allows virt-manager to work,
although the connection still has to wait for the 10 second timeout
before it succeeds. I don't know what a better solution would be,
though. It seems the udevadm behavior might not be considered a bug
from the udev/kernel point of view:
https://lkml.org/lkml/2012/4/22/60
I'm using Linux 3.2.14 with libvirt 0.9.11. You can trigger the
udevadm issue using a program I posted at the Debian bug report link
above.
-jim
From 17e5b9ebab76acb0d711e8bc308023372fbc4180 Mon Sep 17 00:00:00 2001
From: Jim Paris <jim(a)jtan.com>
Date: Sun, 22 Apr 2012 14:35:47 -0400
Subject: [PATCH] shorten udevadmin settle timeout
Otherwise, udevadm settle can take so long that connections from
e.g. virt-manager will get closed.
---
src/util/util.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/util/util.c b/src/util/util.c
index 6e041d6..dfe458e 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -2593,9 +2593,9 @@ virFileFindMountPoint(const char *type ATTRIBUTE_UNUSED)
void virFileWaitForDevices(void)
{
# ifdef UDEVADM
- const char *const settleprog[] = { UDEVADM, "settle", NULL };
+ const char *const settleprog[] = { UDEVADM, "settle", "--timeout", "10", NULL };
# else
- const char *const settleprog[] = { UDEVSETTLE, NULL };
+ const char *const settleprog[] = { UDEVSETTLE, "--timeout", "10", NULL };
# endif
int exitstatus;
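Review bot: A ten-second cap turns virFileWaitForDevices from "wait until udev is quiet" into a best-effort wait, and because the function is void and the hunk does not show `exitstatus` being acted on, a timeout (which udevadm settle reports with a non-zero exit, as far as I recall) is indistinguishable from success for callers that then go on to open device nodes. The two spellings also differ between the branches: the legacy `udevsettle` binary, if I remember its hand-rolled option parser correctly, only understands the single-argument `--timeout=<seconds>` form, so `"--timeout=10"` is the safer choice for both; and the literal 10 deserves a named constant with a comment on why it was chosen. The function body continues past the hunk, so if the exit status is logged there that mitigates the first point.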
--
1.7.7
[libvirt] [PATCH] qemu: improve errors related to offline domains
by Eric Blake
https://bugzilla.redhat.com/show_bug.cgi?id=816662 pointed out
that attempting 'virsh blockpull' on an offline domain gave a
misleading error message about qemu lacking support for the
operation, even when qemu was specifically updated to support it.
The real problem is that we have several capabilities that are
only determined when starting a domain, and therefore are still
clear when first working with an inactive domain (namely, any
capability set by qemuMonitorJSONCheckCommands).
While this patch was able to hoist an existing check in one of the
three culprits, it had to add redundant checks in the other two
places (because you always have to check for an active domain after
obtaining a VM job lock, but the capability bits were being checked
prior to obtaining the job lock).
Someday it would be nice to patch libvirt to cache the set of
capabilities per qemu binary (as determined by inode and timestamp),
rather than re-probing the binary every time a domain is started,
and to teach the cache how to query the monitor during the one
time the probe is made rather than having to wait until a guest
is started; then, a capability probe would succeed even for offline
guests because it just refers to the cache, and the single check for
an active domain after grabbing the job lock would be sufficient.
But since that will involve a lot more coding, I'm happy to go
with this simpler solution for an immediate solution.
* src/qemu/qemu_driver.c (qemuDomainPMSuspendForDuration)
(qemuDomainSnapshotCreateXML, qemuDomainBlockJobImpl): Check for
offline state before checking an online-only cap.
---
src/qemu/qemu_driver.c | 24 ++++++++++++++++++------
1 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index d3aa34d..3a1c1c4 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -10389,6 +10389,12 @@ qemuDomainSnapshotCreateXML(virDomainPtr domain,
goto cleanup;
if (flags & VIR_DOMAIN_SNAPSHOT_CREATE_DISK_ONLY) {
+ if (!virDomainObjIsActive(vm)) {
+ qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("disk snapshots of inactive domains not "
+ "implemented yet"));
+ goto cleanup;
+ }
if (virDomainSnapshotAlignDisks(def,
VIR_DOMAIN_DISK_SNAPSHOT_EXTERNAL,
false) < 0)
@@ -10443,12 +10449,6 @@ qemuDomainSnapshotCreateXML(virDomainPtr domain,
* makes sense, such as checking that qemu-img recognizes the
* snapshot name in at least one of the domain's disks? */
} else if (flags & VIR_DOMAIN_SNAPSHOT_CREATE_DISK_ONLY) {
- if (!virDomainObjIsActive(vm)) {
- qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("disk snapshots of inactive domains not "
- "implemented yet"));
- goto cleanup;
- }
if (qemuDomainSnapshotCreateDiskActive(domain->conn, driver,
&vm, snap, flags) < 0)
goto cleanup;
@@ -11642,6 +11642,12 @@ qemuDomainBlockJobImpl(virDomainPtr dom, const char *path, const char *base,
_("no domain with matching uuid '%s'"), uuidstr);
goto cleanup;
}
+ if (!virDomainObjIsActive(vm)) {
+ qemuReportError(VIR_ERR_OPERATION_INVALID, "%s",
+ _("domain is not running"));
+ goto endjob;
+ }
+
priv = vm->privateData;
if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_BLOCKJOB_ASYNC)) {
async = true;
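Review bot: The new `goto endjob` jumps to the job-release label from a point where no job appears to have been begun: the failure path immediately above it uses `goto cleanup`, and the commit message says the capability test this guards ran before the job lock was taken. If qemuDomainObjBeginJobWithDriver is indeed further down (outside the hunk), ending a job that was never begun would reset job state that may belong to another thread; `goto cleanup;` is the safe target here, and the check after the job lock that the commit message mentions still has to remain, since the domain can stop while BeginJob waits. qemuDomainBlockJobImpl continues past the hunk.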
@@ -12637,6 +12643,12 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
priv = vm->privateData;
+ if (!virDomainObjIsActive(vm)) {
+ qemuReportError(VIR_ERR_OPERATION_INVALID,
+ "%s", _("domain is not running"));
+ goto endjob;
+ }
+
if (!qemuCapsGet(priv->qemuCaps, QEMU_CAPS_WAKEUP) &&
(target == VIR_NODE_SUSPEND_TARGET_MEM ||
target == VIR_NODE_SUSPEND_TARGET_HYBRID)) {
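Review bot: The jump target of the new inactive-domain check looks wrong for its position: it sits immediately before the `QEMU_CAPS_WAKEUP` test, which the commit message says was evaluated before the job lock is obtained, yet it uses `goto endjob`. If qemuDomainObjBeginJob is below this point (not visible in the hunk), that releases a job that was never begun; `goto cleanup;` is the safe target, as for the other early-exit paths. qemuDomainPMSuspendForDuration continues past the hunk, so this should be verified against where BeginJob is called.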
--
1.7.7.6
[libvirt] [PATCH] macvtap: fix a typo
by Stefan Berger
The patch below fixes the following Coverity findings:
Error: OVERRUN_STATIC:
/libvirt/src/qemu/qemu_command.c:152:
overrun-buffer-val: Overrunning static array "net->mac" of size 6 bytes
by passing it as an argument to a function which indexes it at byte
position 15.
/libvirt/src/util/virnetdevmacvlan.c:948:
access_dbuff_const: Calling
"virNetDevMacVLanVPortProfileRegisterCallback" indexes array
"macaddress" at byte position 15.
/libvirt/src/util/virnetdevmacvlan.c:773:
access_dbuff_const: Calling "memcpy" indexes array "macaddress" with
index "16UL" at byte position 15.
Error: OVERRUN_STATIC:
/libvirt/src/qemu/qemu_migration.c:2744:
overrun-buffer-val: Overrunning static array "net->mac" of size 6 bytes
by passing it as an argument to a function which indexes it at byte
position 15.
/libvirt/src/util/virnetdevmacvlan.c:773:
access_dbuff_const: Calling "memcpy" indexes array "macaddress" with
index "16UL" at byte position 15.
Error: OVERRUN_STATIC:
/libvirt/src/qemu/qemu_driver.c:435:
overrun-buffer-val: Overrunning static array "net->mac" of size 6 bytes
by passing it as an argument to a function which indexes it at byte
position 15.
/libvirt/src/util/virnetdevmacvlan.c:1036:
access_dbuff_const: Calling
"virNetDevMacVLanVPortProfileRegisterCallback" indexes array
"macaddress" at byte position 15.
/libvirt/src/util/virnetdevmacvlan.c:773:
access_dbuff_const: Calling "memcpy" indexes array "macaddress" with
index "16UL" at byte position 15.
---
src/util/virnetdevmacvlan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: libvirt-acl/src/util/virnetdevmacvlan.c
===================================================================
--- libvirt-acl.orig/src/util/virnetdevmacvlan.c
+++ libvirt-acl/src/util/virnetdevmacvlan.c
@@ -435,7 +435,7 @@ static const uint32_t modeMap[VIR_NETDEV
struct virNetlinkCallbackData {
char *cr_ifname;
virNetDevVPortProfilePtr virtPortProfile;
- unsigned char macaddress[VIR_UUID_BUFLEN];
+ unsigned char macaddress[VIR_MAC_BUFLEN];
char *linkdev;
int vf;
unsigned char vmuuid[VIR_UUID_BUFLEN];
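Review bot: Shrinking `macaddress` from VIR_UUID_BUFLEN (16) to VIR_MAC_BUFLEN (6) is only a complete fix if every copy into and out of the field is sized from the field; Coverity's finding at virnetdevmacvlan.c:773 is a memcpy with a 16-byte length reading past a 6-byte source, and if that length is a literal `VIR_UUID_BUFLEN` rather than `sizeof(calld->macaddress)` or `VIR_MAC_BUFLEN`, this one-line change turns a 10-byte over-read into a 10-byte over-write of the fields that follow `macaddress`. Please confirm the memcpy length and the lengths passed at :948 and :1036 (all outside the hunk) were switched in the same patch. The old code also copied whatever followed `net->mac` into the callback data, so "typo" undersells it; the commit message should say it fixes an over-read.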
[libvirt] [PATCH 1/2] [TCK] nwfilter: Adapt test program and cases to recent iptables
by Stefan Berger
Recent iptables fixes a lot of issues with missing spaces and
other information that was previously not reported properly. To make
the test program and test cases work on old and newer installations
of iptables tools, some adjustments need to be made.
Also fix a 'file not found' error when running this tool directly from
the shell.
---
scripts/nwfilter/nwfilter2vmtest.sh | 6 +++---
scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall | 12 ++++++------
2 files changed, 9 insertions(+), 9 deletions(-)
Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilter2vmtest.sh
+++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
@@ -9,7 +9,7 @@ VIRSH=virsh
# For each line starting with uri=, remove the prefix and set the hold
# space to the rest of the line. Then at file end, print the hold
# space, which is effectively the last uri= line encountered.
-uri=$(sed -n '/^uri[ ]*=[ ]*/ {
+[ -r "$LIBVIRT_TCK_CONFIG" ] && uri=$(sed -n '/^uri[ ]*=[ ]*/ {
s///
h
}
@@ -147,12 +147,12 @@ checkExpectedOutput() {
break
fi
- diff ${tmpfile} ${tmpfile2} >/dev/null
+ diff -w ${tmpfile} ${tmpfile2} >/dev/null
if [ $? -ne 0 ]; then
if [ $(($flags & $FLAG_VERBOSE)) -ne 0 ]; then
echo "FAIL ${xmlfile} : ${cmd}"
- diff ${tmpfile} ${tmpfile2}
+ diff -w ${tmpfile} ${tmpfile2}
fi
failctr=$(($failctr + 1))
if [ $(($flags & $FLAG_WAIT)) -ne 0 ]; then
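Review bot: The switch to `diff -w` deserves a comment, because `-w` ignores whitespace entirely (tokens that have run together compare equal to separated ones), so a reader without the commit message will take it for sloppiness and may tighten it to `-b`, which would break the older-iptables case the commit message describes. Add above the first call: `# -w: older iptables omitted spaces between some tokens; compare ignoring all whitespace`. checkExpectedOutput continues on both sides of the hunk.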
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
@@ -1,18 +1,18 @@
-#iptables -L FI-vnet0 -n
+#iptables -L FI-vnet0 -n | sed 's|#conn/|#conn src/|'
Chain FI-vnet0 (1 references)
target prot opt source destination
-DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
-DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn src/32 > 1
+DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn src/32 > 2
RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY
#iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL
-#iptables -L HI-vnet0 -n
+#iptables -L HI-vnet0 -n | sed 's|#conn/|#conn src/|'
Chain HI-vnet0 (1 references)
target prot opt source destination
-DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
-DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn src/32 > 1
+DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn src/32 > 2
RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY
#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0