Hi Dan, On Tue, 2007-03-13 at 04:28 +0000, Daniel P. Berrange wrote:
static int iptablesPhysdevForward(iptablesContext *ctx, const char *iface, + const char *target, int action) { - return iptablesAddRemoveRule(ctx->forward_filter, - action, - "--match", "physdev", - "--physdev-in", iface, - "--jump", "ACCEPT", - NULL); + if (target && target[0]) { + return iptablesAddRemoveRule(ctx->forward_filter, + action, + "--match", "physdev", + "--physdev-in", iface, + "--out", target, + "--jump", "ACCEPT", + NULL); + } else { + return iptablesAddRemoveRule(ctx->forward_filter, + action, + "--match", "physdev", + "--physdev-in", iface, + "--jump", "ACCEPT", + NULL); + } }
This bit looks wrong to me. The rule is intended to allow frames from the given bridge port to be forwarded across the bridge. AFAIK --out would match against the outgoing bridge port in this case. Certainly the interface which we wish to allow IP forwarding to isn't relevant to this rule. Cheers, Mark.