External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

nwfilter: changes to rules in VM->host table

Browse Source 
In the table built for traffic coming from the VM going to the host make the following changes:

- don't ACCEPT the packets but do a 'RETURN' and let the host-specific firewall rules in subsequent rules evaluate whether the traffic is allowed to enter

- use the '-m state' in the rules as everywhere else
This commit is contained in:
Stefan Berger 2010-10-19 11:35:58 -04:00
parent 6dcd9c0d15
commit 7d79da247a
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/nwfilter/nwfilter_ebiptables_driver.c
View File

@ -1790,6 +1790,10 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
return rc; return rc;
maySkipICMP = directionIn; maySkipICMP = directionIn;
if (needState)
matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
else
matchState = NULL;
chainPrefix[0] = 'H'; chainPrefix[0] = 'H';
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP; chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
@ -1800,8 +1804,8 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
ifname, ifname,
vars, vars,
res, res,
NULL, true, matchState, true,
"ACCEPT", "RETURN",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP);