The previous patch to add routed networking broke the removal of one of the FORWARD rules at shutdown. It was adding /sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/255.255.255.0 --out-interface virbr0 --match state --state ESTABLISHED,RELATED --jump ACCEPT But trying to remove /sbin/iptables --table filter --delete FORWARD --destination 192.168.122.0/255.255.255.0 --out-interface virbr0 --jump ACCEPT which wasn't matching on the state flags. This patch makes it use the correct removal code Dan. Index: src/qemu_driver.c =================================================================== RCS file: /data/cvs/libvirt/src/qemu_driver.c,v retrieving revision 1.76 diff -u -r1.76 qemu_driver.c --- src/qemu_driver.c 16 May 2008 16:51:30 -0000 1.76 +++ src/qemu_driver.c 20 May 2008 20:41:03 -0000 @@ -1209,12 +1213,20 @@ struct qemud_network *network) { if (network->def->forward) { iptablesRemoveForwardMasquerade(driver->iptables, - network->def->network, - network->def->forwardDev); - iptablesRemoveForwardAllowIn(driver->iptables, - network->def->network, - network->bridge, - network->def->forwardDev); + network->def->network, + network->def->forwardDev); + + if (network->def->forwardMode == QEMUD_NET_FORWARD_NAT) + iptablesRemoveForwardAllowRelatedIn(driver->iptables, + network->def->network, + network->bridge, + network->def->forwardDev); + else if (network->def->forwardMode == QEMUD_NET_FORWARD_ROUTE) + iptablesRemoveForwardAllowIn(driver->iptables, + network->def->network, + network->bridge, + network->def->forwardDev); + iptablesRemoveForwardAllowOut(driver->iptables, network->def->network, network->bridge, -- |: Red Hat, Engineering, Boston -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|