"Daniel P. Berrange" <berrange@redhat.com>
wrote on 04/16/2010 07:09:12 AM:
> Please respond to "Daniel P. Berrange"
>
> On Fri, Apr 16, 2010 at 06:33:50AM -0400, Stefan Berger wrote:
> > Don't use state-matching in a drop rule.
> >
> > Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
> >
> > Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
> > ===================================================================
> > --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
> > +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
> > @@ -1380,13 +1380,16 @@ _iptablesCreateRuleInstance(int directio
> > return 0;
> > }
> >
> > - if (match)
> > - virBufferVSprintf(&buf, "
%s", match);
> > -
> > if (rule->action == VIR_NWFILTER_RULE_ACTION_ACCEPT)
> > target = accept_target;
> > - else
> > + else {
> > target = "DROP";
> > + match = NULL;
> > + }
> > +
> > + if (match)
> > + virBufferVSprintf(&buf, "
%s", match);
> > +
> >
> > virBufferVSprintf(&buf,
> >
" -j %s" CMD_DEF_POST CMD_SEPARATOR
> >
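Review bot: the new `else {` branch clears `match` for every action that is not ACCEPT, not specifically for DROP, so any other action value of `rule->action` would be emitted as `-j DROP` with its state match silently discarded; since the stated intent is "don't use state-matching in a drop rule", an explicit `else if (rule->action == VIR_NWFILTER_RULE_ACTION_DROP)` with an error path for unrecognised actions would keep the code and the intent aligned. The commit message also gives no rationale for why a state match must not appear in a DROP rule; one sentence on that would help whoever next touches `_iptablesCreateRuleInstance`. Minor style point: the moved `if (match)` block ends with an added blank `+` line directly before the existing blank context line, leaving a double blank line ahead of the `virBufferVSprintf(&buf, " -j %s" ...` call.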
>
> ACK
>
> Daniel
Pushed.
Stefan