From c2fbdf1088cb5756f04afef8abd6a4b676771f80 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Tue, 19 Oct 2010 19:25:37 -0400
Subject: [PATCH] nwfilter: avoid dir. enforcement for certain types of rules

Avoid the enforcement of direction if
- icmp rules specify the type/code information
- the 'skipMatch' variable is set to 'true'
---
 src/nwfilter/nwfilter_ebiptables_driver.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 1115d15b67..3eb136894c 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1159,6 +1159,7 @@ _iptablesCreateRuleInstance(int directionIn,
     bool srcMacSkipped = false;
     bool skipRule = false;
     bool skipMatch = false;
+    bool hasICMPType = false;
 
     if (!iptables_cmd) {
         virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1399,6 +1400,8 @@ _iptablesCreateRuleInstance(int directionIn,
     if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) {
         const char *parm;
 
+        hasICMPType = true;
+
         if (maySkipICMP)
             goto exit_no_error;
 
@@ -1507,7 +1510,7 @@ _iptablesCreateRuleInstance(int directionIn,
     if (match && !skipMatch)
         virBufferVSprintf(&buf, " %s", match);
 
-    if (defMatch && match != NULL)
+    if (defMatch && match != NULL && !skipMatch && !hasICMPType)
         iptablesEnforceDirection(directionIn, rule, &buf);
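Review bot: `hasICMPType = true;` is raised only from the presence of `dataICMPType`, so a rule that carries just an ICMP code (if the filter schema accepts code without type — not visible in this hunk) would still have `iptablesEnforceDirection()` applied, although the commit message says type/code rules are exempt; either set the flag where `dataICMPCode` is handled as well, or narrow the message to "type". Because the new condition in the later hunk widens what a typed-ICMP rule can match by dropping the direction match, the assignment deserves a why-comment, e.g. `hasICMPType = true; /* typed ICMP rules get no direction enforcement below */`. Setting the flag before the `maySkipICMP` early exit looks harmless since that path presumably emits no rule, but confirm `exit_no_error` does not consult the flag. `_iptablesCreateRuleInstance` starts and ends outside this hunk, and the final hunk appears cut off after the `iptablesEnforceDirection` call.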