Avoid the enforcement of direction if - icmp rules specify the type/code information - the 'skipMatch' variable is set to 'true' Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1159,6 +1159,7 @@ _iptablesCreateRuleInstance(int directio bool srcMacSkipped = false; bool skipRule = false; bool skipMatch = false; + bool hasICMPType = false; if (!iptables_cmd) { virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, @@ -1399,6 +1400,8 @@ _iptablesCreateRuleInstance(int directio if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) { const char *parm; + hasICMPType = true; + if (maySkipICMP) goto exit_no_error; @@ -1507,7 +1510,7 @@ _iptablesCreateRuleInstance(int directio if (match && !skipMatch) virBufferVSprintf(&buf, " %s", match); - if (defMatch && match != NULL) + if (defMatch && match != NULL && !skipMatch && !hasICMPType) iptablesEnforceDirection(directionIn, rule, &buf);