External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-10-04 05:15:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

nwfilter: use match target on incoming traffic

Browse Source 
The following patch enables the iptables match target to be used by
default for incoming traffic. So far it has only be used for outgoing
traffic.
This commit is contained in:
Stefan Berger 2010-06-17 07:15:20 -04:00
parent 045a5722ab
commit 2dce970162
1 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/nwfilter/nwfilter_ebiptables_driver.c
View File

@ -1488,18 +1488,25 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
char chainPrefix[2]; char chainPrefix[2];
int needState = 1; int needState = 1;
bool maySkipICMP, inout = false; bool maySkipICMP, inout = false;
const char *matchState;
if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) || if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) ||
(rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT)) { (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT)) {
directionIn = 1; directionIn = 1;
needState = 0;
inout = (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT); inout = (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT);
if (inout)
needState = 0;
} }
chainPrefix[0] = 'F'; chainPrefix[0] = 'F';
maySkipICMP = directionIn || inout; maySkipICMP = directionIn || inout;
if (needState)
matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
else
matchState = NULL;
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP; chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn, rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix, chainPrefix,
@ -1508,8 +1515,7 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
ifname, ifname,
vars, vars,
res, res,
needState ? MATCH_STATE_OUT matchState,
: NULL,
"RETURN", "RETURN",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP);
@ -1518,6 +1524,10 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
maySkipICMP = !directionIn || inout; maySkipICMP = !directionIn || inout;
if (needState)
matchState = directionIn ? MATCH_STATE_OUT : MATCH_STATE_IN;
else
matchState = NULL;
chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP; chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
rc = _iptablesCreateRuleInstance(!directionIn, rc = _iptablesCreateRuleInstance(!directionIn,
@ -1527,8 +1537,7 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
ifname, ifname,
vars, vars,
res, res,
needState ? MATCH_STATE_IN matchState,
: NULL,
"ACCEPT", "ACCEPT",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP);