The previous patch to add routed networking broke the removal of one of the
FORWARD rules at shutdown. It was adding

  /sbin/iptables --table filter --insert FORWARD
      --destination 192.168.122.0/255.255.255.0
      --out-interface virbr0 --match state
      --state ESTABLISHED,RELATED --jump ACCEPT

But trying to remove

  /sbin/iptables --table filter --delete FORWARD
      --destination 192.168.122.0/255.255.255.0
      --out-interface virbr0 --jump ACCEPT

which wasn't matching on the state flags. This patch makes it use the correct
removal code.

Dan.
Index: src/qemu_driver.c
===================================================================
RCS file: /data/cvs/libvirt/src/qemu_driver.c,v
retrieving revision 1.76
diff -u -r1.76 qemu_driver.c
--- src/qemu_driver.c 16 May 2008 16:51:30 -0000 1.76
+++ src/qemu_driver.c 20 May 2008 20:41:03 -0000
@@ -1209,12 +1213,20 @@
struct qemud_network *network) {
if (network->def->forward) {
iptablesRemoveForwardMasquerade(driver->iptables,
- network->def->network,
- network->def->forwardDev);
- iptablesRemoveForwardAllowIn(driver->iptables,
- network->def->network,
- network->bridge,
- network->def->forwardDev);
+ network->def->network,
+ network->def->forwardDev);
+
+ if (network->def->forwardMode == QEMUD_NET_FORWARD_NAT)
+ iptablesRemoveForwardAllowRelatedIn(driver->iptables,
+ network->def->network,
+ network->bridge,
+ network->def->forwardDev);
+ else if (network->def->forwardMode == QEMUD_NET_FORWARD_ROUTE)
+ iptablesRemoveForwardAllowIn(driver->iptables,
+ network->def->network,
+ network->bridge,
+ network->def->forwardDev);
+
iptablesRemoveForwardAllowOut(driver->iptables,
network->def->network,
network->bridge,
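
Review bot: The new if / else if on network->def->forwardMode has no final else, so a forward mode other than QEMUD_NET_FORWARD_NAT or QEMUD_NET_FORWARD_ROUTE would leave the inbound ACCEPT rule in the FORWARD chain after shutdown with no diagnostic. Consider a switch with a default case that logs the unexpected mode, and put braces around the multi-line call bodies. None of the iptablesRemove* calls visible here have their results checked, which is how the mismatched delete described in the message went unnoticed; logging a failed removal would surface a stale rule like this one. Separately, iptablesRemoveForwardMasquerade is still called outside the mode check: if routed networks never insert a masquerade rule, that call should move under the NAT branch so the teardown mirrors what setup added.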
--
|: Red Hat, Engineering, Boston -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|