mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-09-13 11:15:08 +00:00
nwfilter: avoid dir. enforcement for certain types of rules
Avoid the enforcement of direction if:
- icmp rules specify the type/code information
- the 'skipMatch' variable is set to 'true'
parent
956e3c5890
commit
c2fbdf1088
@ -1159,6 +1159,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
bool srcMacSkipped = false;
|
bool srcMacSkipped = false;
|
||||||
bool skipRule = false;
|
bool skipRule = false;
|
||||||
bool skipMatch = false;
|
bool skipMatch = false;
|
||||||
|
bool hasICMPType = false;
|
||||||
|
|
||||||
if (!iptables_cmd) {
|
if (!iptables_cmd) {
|
||||||
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
|
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
@ -1399,6 +1400,8 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) {
|
if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) {
|
||||||
const char *parm;
|
const char *parm;
|
||||||
|
|
||||||
|
hasICMPType = true;
|
||||||
|
|
||||||
if (maySkipICMP)
|
if (maySkipICMP)
|
||||||
goto exit_no_error;
|
goto exit_no_error;
|
||||||
|
|
||||||
@ -1507,7 +1510,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
if (match && !skipMatch)
|
if (match && !skipMatch)
|
||||||
virBufferVSprintf(&buf, " %s", match);
|
virBufferVSprintf(&buf, " %s", match);
|
||||||
|
|
||||||
if (defMatch && match != NULL)
|
if (defMatch && match != NULL && !skipMatch && !hasICMPType)
|
||||||
iptablesEnforceDirection(directionIn,
|
iptablesEnforceDirection(directionIn,
|
||||||
rule,
|
rule,
|
||||||
&buf);
|
&buf);
|
||||||
|
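Review bot: The widened condition `if (defMatch && match != NULL && !skipMatch && !hasICMPType)` in the third hunk loosens filtering without an in-code explanation: rules that carry an ICMP type, and rules where `skipMatch` is set, now bypass `iptablesEnforceDirection()` entirely. Because this deliberately reduces what the generated rule constrains, a comment above the condition should record the reason, for example `/* no direction enforcement when the state match is skipped or the rule names an ICMP type/code */`. `hasICMPType` is set only in the `dataICMPType` branch visible in the second hunk; the rest of `_iptablesCreateRuleInstance` lies outside these hunks, so it is worth confirming that no other protocol branch handling type/code fields should set it too. A test that generates an ICMP rule with a type and checks that the output carries no direction match would pin the intended behaviour.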