Eric Blake <eblake@redhat.com> wrote on 04/06/2010 10:30:16 AM:


>
> On 04/05/2010 07:27 PM, Stefan Berger wrote:
> > The following rule in direction 'inout'
> >
> > <rule direction='inout' action='drop'>
> >   <mac srcmacaddr='1:2:3:4:5:6'/>
> > </rule>
> >
> > now drops all traffic from and to the given MAC address.
> > So far it would have dropped traffic from the given MAC address
> > and outgoing traffic with the given MAC address, which is not useful
> > since the packets will always have the VM's MAC address as source
> > MAC address.
>
> Agreed that a bi-directional filter is morally equivalent to filtering
> src on input and dst on output.
>
> > @@ -1783,7 +1802,8 @@ ebtablesCreateRuleInstance(char chainPre
> >                  goto err_exit;
> >  
> >              virBufferVSprintf(&buf,
> > -                          " --ip6-source-port %s %s",
> > +                          " %s %s %s",
> > +                          (!reverse) ? "--ip6-source-port" : "--
> ip6-destination-port",
>
> Avoid negative logic; this would be better as:
>
> reverse ? "--ip6-destination-port" : "--ip6-source-port"
>
Yes, fixed this everywhere in the meantime...


> > @@ -1912,7 +1934,8 @@ ebiptablesCreateRuleInstance(virConnectP
> >                                              rule,
> >                                              ifname,
> >                                              vars,
> > -                                            res);
> > +                                            res,
> > +                                            0);
>
> s/0/false/, to match the prototype being bool.
>
> ACK, with those tweaks.

Will do and push.

  Thanks.

  Stefan

>
> --
> Eric Blake   eblake@redhat.com    +1-801-349-2682
> Libvirt virtualization library http://libvirt.org
>
> [attachment "signature.asc" deleted by Stefan Berger/Watson/IBM]