[Libvir] A whole tonne of networking fixes / enhancements

Mark McLoughlin markmc at redhat.com
Wed Mar 21 10:41:07 UTC 2007


Hi Dan,

On Tue, 2007-03-13 at 04:28 +0000, Daniel P. Berrange wrote:
>  static int
>  iptablesPhysdevForward(iptablesContext *ctx,
>                         const char *iface,
> +                       const char *target,
>                         int action)
>  {
> -    return iptablesAddRemoveRule(ctx->forward_filter,
> -                                 action,
> -                                 "--match", "physdev",
> -                                 "--physdev-in", iface,
> -                                 "--jump", "ACCEPT",
> -                                 NULL);
> +    if (target && target[0]) {
> +        return iptablesAddRemoveRule(ctx->forward_filter,
> +                                     action,
> +                                     "--match", "physdev",
> +                                     "--physdev-in", iface,
> +                                     "--out", target,
> +                                     "--jump", "ACCEPT",
> +                                     NULL);
> +    } else {
> +        return iptablesAddRemoveRule(ctx->forward_filter,
> +                                     action,
> +                                     "--match", "physdev",
> +                                     "--physdev-in", iface,
> +                                     "--jump", "ACCEPT",
> +                                     NULL);
> +    }
>  }
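Review bot: inserting `"--out", target` between `--physdev-in iface` and `--jump ACCEPT` narrows what this rule matches, and nothing in the hunk says that is intended. The rule sits in `ctx->forward_filter` and is keyed on `--match physdev --physdev-in iface`, so it accepts frames that entered the bridge on `iface`; once an output-interface constraint is added, frames leaving via anything other than `target` stop matching here and fall through to whatever rule follows. If the goal is to restrict which bridge port frames may exit on, the physdev match's own `--physdev-out` is the option for that; if the routed (non-bridge) interface is meant, the full name `--out-interface` should be written out rather than the abbreviation `--out`, so a reader can tell which was intended. Either way a one-line comment on `target` (including that an empty string means "no output restriction", as the `target && target[0]` test implies) would make the two branches self-explanatory.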

	This bit looks wrong to me. The rule is intended to allow frames from
the given bridge port to be forwarded across the bridge. AFAIK --out
would match against the outgoing bridge port in this case. Certainly the
interface which we wish to allow IP forwarding to isn't relevant to this
rule.

Cheers,
Mark.
