openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

nwfilter: changes to rules in VM->host table 

In the table built for traffic coming from the VM going to the host make the following changes:

- don't ACCEPT the packets but do a 'RETURN' and let the host-specific firewall rules in subsequent rules evaluate whether the traffic is allowed to enter

- use the '-m state' in the rules as everywhere else
This commit is contained in:
Stefan Berger 2010-10-19 11:35:58 -04:00
parent 6dcd9c0d15
commit 7d79da247a
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/nwfilter/nwfilter_ebiptables_driver.c
View File

@ -1790,6 +1790,10 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
return rc;
maySkipICMP = directionIn;
if (needState)
matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
else
matchState = NULL;
chainPrefix[0] = 'H';
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
@ -1800,8 +1804,8 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
ifname,
vars,
res,
NULL, true,
"ACCEPT",
matchState, true,
"RETURN",
isIPv6,
maySkipICMP);