Eric Blake <eblake@redhat.com> wrote on 04/06/2010 10:30:16 AM:
On 04/05/2010 07:27 PM, Stefan Berger wrote:
The following rule in direction 'inout'
<rule direction='inout' action='drop'> <mac srcmacaddr='1:2:3:4:5:6'/> </rule>
now drops all traffic from and to the given MAC address. So far it would have dropped traffic from the given MAC address and outgoing traffic with the given MAC address, which is not useful since the packets will always have the VM's MAC address as source MAC address.
Agreed that a bi-directional filter is morally equivalent to filtering src on input and dst on output.
@@ -1783,7 +1802,8 @@ ebtablesCreateRuleInstance(char chainPre goto err_exit;
virBufferVSprintf(&buf, - " --ip6-source-port %s %s", + " %s %s %s", + (!reverse) ? "--ip6-source-port" : "-- ip6-destination-port",
Avoid negative logic; this would be better as:
reverse ? "--ip6-destination-port" : "--ip6-source-port"
Yes, fixed this everywhere in the meantime...
@@ -1912,7 +1934,8 @@ ebiptablesCreateRuleInstance(virConnectP rule, ifname, vars, - res); + res, + 0);
s/0/false/, to match the prototype being bool.
ACK, with those tweaks.
Will do and push. Thanks. Stefan
-- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org
[attachment "signature.asc" deleted by Stefan Berger/Watson/IBM]