On 04/05/2010 07:27 PM, Stefan Berger wrote:
> The following rule in direction 'inout'
>
>   <rule direction='inout' action='drop'>
>     <mac srcmacaddr='1:2:3:4:5:6'/>
>   </rule>
>
> now drops all traffic from and to the given MAC address.
> So far it would have dropped traffic from the given MAC address
> and outgoing traffic with the given MAC address, which is not useful
> since the packets will always have the VM's MAC address as source
> MAC address.

Agreed that a bi-directional filter is morally equivalent to filtering
src on input and dst on output.
@@ -1783,7 +1802,8 @@ ebtablesCreateRuleInstance(char chainPre
goto err_exit;
virBufferVSprintf(&buf,
- " --ip6-source-port %s %s",
+ " %s %s %s",
+ (!reverse) ? "--ip6-source-port" :
"--ip6-destination-port",
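Review bot: In the virBufferVSprintf call the option name now arrives through a `%s` argument chosen by `reverse`, so the format string " %s %s %s" no longer shows which match is emitted, and nothing at this spot says what `reverse` means. A one-line comment above the call stating that `reverse` swaps the source-port match for the destination-port match would make the generated filter rule easier to audit. If the same selection is made for other match options, a small helper that returns the option name for a given direction would keep those call sites consistent.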
Avoid negative logic; this would be better as:
reverse ? "--ip6-destination-port" : "--ip6-source-port"
@@ -1912,7 +1934,8 @@ ebiptablesCreateRuleInstance(virConnectP
rule,
ifname,
vars,
- res);
+ res,
+ 0);
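Review bot: The new trailing argument in the call inside ebiptablesCreateRuleInstance is a bare literal, so the call site does not say that it is the reverse flag or why this caller never reverses the match. A short comment beside the argument, or a sentence in the callee's documentation describing when a true value is passed for the 'inout' case from the commit message, would let a reader confirm that both directions of the rule are actually generated.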
s/0/false/, to match the prototype being bool.
ACK, with those tweaks.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library
http://libvirt.org