From b7909d32766edf8edb3ded8a8b0fb148767bbec3 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Fri, 28 Mar 2008 01:05:08 +0000
Subject: [PATCH] Tweak masquering rules to only capture traffic leaving the virtual network
---
 ChangeLog | 6 ++++++
 src/iptables.c | 2 ++
 2 files changed, 8 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index b58c3f79ce..379a0930d1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Thu Mar 27 20:59:56 EDT 2008 Daniel P. Berrange
+
+ * src/iptables.c: Ensure masquering rule only catches traffic
+ leaving the virtual network, and not traffic inside it
+ (patch from Charles Duffy)
+
 Thu Mar 27 14:36:56 CET 2008 Jim Meyering
 
 lxcError: mark a string and add to the list of nearly-checked functions
diff --git a/src/iptables.c b/src/iptables.c
index 272ecb4a6a..6390e49c6b 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -1032,6 +1032,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
 return iptablesAddRemoveRule(ctx->nat_postrouting,
 action,
 "--source", network,
+ "--destination", "!", network,
 "--out-interface", physdev,
 "--jump", "MASQUERADE",
 NULL);
@@ -1039,6 +1040,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
 return iptablesAddRemoveRule(ctx->nat_postrouting,
 action,
 "--source", network,
+ "--destination", "!", network,
 "--jump", "MASQUERADE",
 NULL);
 }
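Review bot: The negation in the added `"--destination", "!", network` tokens is the intrapositioned form (`--destination ! net`), which later iptables releases warn is deprecated in favour of `! --destination net`; since iptablesAddRemoveRule appears to hand these tokens to the iptables binary as-is, whether the tightened rule is installed at all depends on the installed iptables accepting that syntax, and a rejected rule would leave the network without the masquerade exclusion or without masquerading entirely. Emitting `"!", "--destination", network` instead is accepted by both old and new iptables and is the safer spelling, and it should be changed in both hunks, which add the identical tuple. A short comment on the added line would also help future readers, e.g. `/* never masquerade traffic that stays inside the virtual network */`. iptablesForwardMasquerade begins before the first hunk, so the branch that selects between the `--out-interface` and interface-less rule is not visible here.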