Re: [libvirt] [PATCH] nwfiler: fix due to non-symmetric src mac address match in iptables
Daniel Veillard <veillard(a)redhat.com> wrote on 04/07/2010 03:55:19 AM:
On Tue, Apr 06, 2010 at 03:55:26PM -0400, Stefan Berger wrote:
> The attached patch fixes a problem due to the mac match in iptables
only
> supporting --mac-source and no --mac-destination, thus it not
being
> symmetric. Therefore a rule like this one
>
> <rule action='drop' direction='out'>
> <all match='no' srcmacaddr='$MAC'/>
> </rule>
>
> should only have the MAC match on traffic leaving the VM and not test
> for the same source MAC address on traffic that the VM receives.
>
> Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
>
Okay, I had to check _iptablesCreateRuleInstance() source to find out
it's a giant switch, then patch makes sense, looks low risk and well
contained,
ACK,
Thanks. Pushed.
Stefan
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit
http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
Attachments:
- attachment.html (text/html — 1.9 KB)