Hi Dan,
On Tue, 2007-03-13 at 04:28 +0000, Daniel P. Berrange wrote:
static int
iptablesPhysdevForward(iptablesContext *ctx,
const char *iface,
+ const char *target,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
- action,
- "--match", "physdev",
- "--physdev-in", iface,
- "--jump", "ACCEPT",
- NULL);
+ if (target && target[0]) {
+ return iptablesAddRemoveRule(ctx->forward_filter,
+ action,
+ "--match", "physdev",
+ "--physdev-in", iface,
+ "--out", target,
+ "--jump", "ACCEPT",
+ NULL);
+ } else {
+ return iptablesAddRemoveRule(ctx->forward_filter,
+ action,
+ "--match", "physdev",
+ "--physdev-in", iface,
+ "--jump", "ACCEPT",
+ NULL);
+ }
}
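Review bot: the `--out` flag in the `if (target && target[0])` branch is not a documented iptables option, so the rule as written does not express a clear intent; iptables spells the outgoing-interface match `-o`/`--out-interface`, and the physdev match spells the outgoing bridge port `--physdev-out`. Whichever match is actually wanted here, use its full documented name so the rule cannot be misread (or silently matched against the wrong thing). Separately, the two branches repeat the whole `--match physdev --physdev-in iface --jump ACCEPT` argument list verbatim; since the only difference is the optional pair after `--physdev-in`, it would be less error-prone to build that one argument list once and splice the optional pair in only when `target` is set, rather than maintaining two copies of the rule.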
This bit looks wrong to me. The rule is intended to allow frames from
the given bridge port to be forwarded across the bridge. AFAIK --out
would match against the outgoing bridge port in this case. Certainly the
interface which we wish to allow IP forwarding to isn't relevant to this
rule.
Cheers,
Mark.