[libvirt] [PATCH] nwfilter: use match target on incoming traffic

The following patch enables the iptables match target to be used by default for incoming traffic. So far it has only be used for outgoing traffic. Signed-off-by: Stefan Berger --- src/nwfilter/nwfilter_ebiptables_driver.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1488,18 +1488,25 @@ iptablesCreateRuleInstance(virNWFilterDe char chainPrefix[2]; int needState = 1; bool maySkipICMP, inout = false; + const char *matchState; if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) || (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT)) { directionIn = 1; - needState = 0; inout = (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT); + if (inout) + needState = 0; } chainPrefix[0] = 'F'; maySkipICMP = directionIn || inout; + if (needState) + matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT; + else + matchState = NULL; + chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP; rc = _iptablesCreateRuleInstance(directionIn, chainPrefix, @@ -1508,8 +1515,7 @@ iptablesCreateRuleInstance(virNWFilterDe ifname, vars, res, - needState ? MATCH_STATE_OUT - : NULL, + matchState, "RETURN", isIPv6, maySkipICMP); @@ -1518,6 +1524,10 @@ iptablesCreateRuleInstance(virNWFilterDe maySkipICMP = !directionIn || inout; + if (needState) + matchState = directionIn ? MATCH_STATE_OUT : MATCH_STATE_IN; + else + matchState = NULL; chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP; rc = _iptablesCreateRuleInstance(!directionIn, @@ -1527,8 +1537,7 @@ iptablesCreateRuleInstance(virNWFilterDe ifname, vars, res, - needState ? MATCH_STATE_IN - : NULL, + matchState, "ACCEPT", isIPv6, maySkipICMP);