
Daniel Veillard <veillard@redhat.com> wrote on 04/07/2010 03:55:19 AM:
> On Tue, Apr 06, 2010 at 03:55:26PM -0400, Stefan Berger wrote:
>> The attached patch fixes a problem due to the mac match in iptables only supporting --mac-source and no --mac-destination, and thus not being symmetric. Therefore a rule like this one
>>
>>   <rule action='drop' direction='out'> <all match='no' srcmacaddr='$MAC'/> </rule>
>>
>> should only have the MAC match on traffic leaving the VM and not test for the same source MAC address on traffic that the VM receives.
>>
>> Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
>
> Okay, I had to check _iptablesCreateRuleInstance() source to find out it's a giant switch, then the patch makes sense, looks low risk and well contained,
>
> ACK,

Thanks. Pushed.

   Stefan

> Daniel
>
> --
> Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
> daniel@veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
> http://veillard.com/ | virtualization library  http://libvirt.org/
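The asymmetry Stefan describes, as an added illustration that is not libvirt's code and not the patch itself: a hypothetical rule generator that mirrors a stateful rule for the return direction and keeps the MAC match only where the MAC is the packet's source, because iptables' mac match module offers --mac-source and nothing for the destination. The attribute names srcmacaddr, dstmacaddr, srcipaddr and dstipaddr follow libvirt's nwfilter vocabulary; tagging the mirrored rule with `-m state --state ESTABLISHED`, ignoring match='no', and the fixed argument order are simplifications of this example, not a description of what libvirt emits.

```python
"""Added example: iptables can match a MAC only as the packet's source.

The mac match module has --mac-source and no --mac-destination.  When a
rule is mirrored for the return direction, the original source MAC is the
destination MAC of the return packets and cannot be tested, so the mirror
rule must simply omit it.  Hypothetical generator, not libvirt's code.
"""

NON_MATCH_KEYS = ("action", "direction")


def _swap_direction(key):
    """srcX <-> dstX: the return direction sees addresses the other way round."""
    if key.startswith("src"):
        return "dst" + key[3:]
    if key.startswith("dst"):
        return "src" + key[3:]
    return key


def render(fields, action):
    """Render one set of match fields into iptables arguments.

    A MAC address is only emitted when it is the *source* MAC of the packets
    this rule will see; a dstmacaddr field is dropped on purpose because
    iptables has no --mac-destination (hypothetical simplification: only the
    IP and MAC fields are modelled).
    """
    args = []
    if "srcipaddr" in fields:
        args += ["-s", fields["srcipaddr"]]
    if "dstipaddr" in fields:
        args += ["-d", fields["dstipaddr"]]
    if "srcmacaddr" in fields:
        args += ["-m", "mac", "--mac-source", fields["srcmacaddr"]]
    # "dstmacaddr": not matchable by iptables, intentionally ignored here.
    args += ["-j", action.upper()]
    return " ".join(args)


def iptables_rules(rule):
    """Return (forward_rule, return_rule) for an nwfilter-like rule dict.

    The forward rule applies to the direction the rule names (for
    direction='out', traffic leaving the VM).  The return rule applies to
    reply traffic, so every src* field becomes dst* and vice versa, and the
    MAC match survives only if it lands on the source side.  Marking the
    return rule with ESTABLISHED is an assumption of this example.
    """
    action = rule["action"]
    fields = {k: v for k, v in rule.items() if k not in NON_MATCH_KEYS}
    forward = render(fields, action)
    mirrored = {_swap_direction(k): v for k, v in fields.items()}
    returning = "-m state --state ESTABLISHED " + render(mirrored, action)
    return forward, returning


if __name__ == "__main__":
    # Constructed sample corresponding to the rule in the thread, with the
    # $MAC variable already substituted.
    sample = {
        "action": "drop",
        "direction": "out",
        "srcmacaddr": "52:54:00:aa:bb:cc",
        "srcipaddr": "10.0.0.5",
        "dstipaddr": "192.168.1.1",
    }
    fwd, ret = iptables_rules(sample)
    print("out (leaving VM):   ", fwd)
    print("in  (return traffic):", ret)  # no --mac-source here
```

Running the block shows the outgoing rule carrying `-m mac --mac-source`, while the mirrored rule for traffic the VM receives has only the swapped IP addresses; the converse holds for a rule naming a dstmacaddr, whose MAC becomes matchable only on the return side.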