
Re: [Libvir] A whole tonne of networking fixes / enhancements



Hi Dan,

On Tue, 2007-03-13 at 04:28 +0000, Daniel P. Berrange wrote:
>  static int
>  iptablesPhysdevForward(iptablesContext *ctx,
>                         const char *iface,
> +                       const char *target,
>                         int action)
>  {
> -    return iptablesAddRemoveRule(ctx->forward_filter,
> -                                 action,
> -                                 "--match", "physdev",
> -                                 "--physdev-in", iface,
> -                                 "--jump", "ACCEPT",
> -                                 NULL);
> +    if (target && target[0]) {
> +        return iptablesAddRemoveRule(ctx->forward_filter,
> +                                     action,
> +                                     "--match", "physdev",
> +                                     "--physdev-in", iface,
> +                                     "--out", target,
> +                                     "--jump", "ACCEPT",
> +                                     NULL);
> +    } else {
> +        return iptablesAddRemoveRule(ctx->forward_filter,
> +                                     action,
> +                                     "--match", "physdev",
> +                                     "--physdev-in", iface,
> +                                     "--jump", "ACCEPT",
> +                                     NULL);
> +    }
>  }
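Review bot: The `--out target` pair added in the `target && target[0]` branch does not belong in a rule that is built on `--match physdev` / `--physdev-in`; the physdev match's own option for the output bridge port is `--physdev-out`, and a bare `--out` is not a physdev option at all (at best it resolves to iptables' own `--out-interface`, which matches the output device of the routed packet, not a bridge port). If the intent is to allow IP forwarding from the bridge to `target`, that is a separate plain `--in-interface`/`--out-interface` rule rather than a qualifier on this bridge-port rule, so either drop `target` from this function or document what it is meant to restrict. As a style point, the two branches repeat the whole argument list verbatim apart from the `--out` pair; if the parameter stays, a single `iptablesAddRemoveRule` call would read better than the duplicated `if`/`else` bodies.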

This bit looks wrong to me. The rule is intended to allow frames from
the given bridge port to be forwarded across the bridge. AFAIK --out
would match against the outgoing bridge port in this case. Certainly the
interface which we wish to allow IP forwarding to isn't relevant to this
rule.

Cheers,
Mark.

