Re: [libvirt] [PATCH] nwfilter: Fix instantiated layer 2 rules for 'inout' direction

On 04/05/2010 07:27 PM, Stefan Berger wrote: > The following rule in direction 'inout' > > <rule direction='inout' action='drop'> > <mac srcmacaddr='1:2:3:4:5:6'/> > </rule> > > now drops all traffic from and to the given MAC address. > So far it would have dropped traffic from the given MAC address > and outgoing traffic with the given MAC address, which is not useful > since the packets will always have the VM's MAC address as source > MAC address. Agreed that a bi-directional filter is morally equivalent to filtering src on input and dst on output. > @@ -1783,7 +1802,8 @@ ebtablesCreateRuleInstance(char chainPre > goto err_exit; > > virBufferVSprintf(&buf, > - " --ip6-source-port %s %s", > + " %s %s %s", > + (!reverse) ? "--ip6-source-port" : "-- ip6-destination-port", Avoid negative logic; this would be better as: reverse ? "--ip6-destination-port" : "--ip6-source-port"

> @@ -1912,7 +1934,8 @@ ebiptablesCreateRuleInstance(virConnectP > rule, > ifname, > vars, > - res); > + res, > + 0); s/0/false/, to match the prototype being bool. ACK, with those tweaks.

-- Eric Blake eblake(a)redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org [attachment "signature.asc" deleted by Stefan Berger/Watson/IBM]