Re: [libvirt] [PATCH] nwfilter: Fix instantiated layer 2 rules for 'inout' direction



On 04/05/2010 07:27 PM, Stefan Berger wrote:
> The following rule in direction 'inout'
> 
> <rule direction='inout' action='drop'>
>   <mac srcmacaddr='1:2:3:4:5:6'/>
> </rule>
> 
> now drops all traffic from and to the given MAC address.
> So far it would have dropped traffic from the given MAC address
> and outgoing traffic with the given MAC address, which is not useful
> since the packets will always have the VM's MAC address as source
> MAC address.

Agreed that a bi-directional filter is morally equivalent to filtering
src on input and dst on output.

> @@ -1783,7 +1802,8 @@ ebtablesCreateRuleInstance(char chainPre
>                  goto err_exit;
>  
>              virBufferVSprintf(&buf,
> -                          " --ip6-source-port %s %s",
> +                          " %s %s %s",
> +                          (!reverse) ? "--ip6-source-port" : "--ip6-destination-port",
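Review bot: the format string in this hunk grows from two `%s` to three, but only the first of the new arguments, `(!reverse) ? "--ip6-source-port" : "--ip6-destination-port"`, is visible before the hunk is cut off; please confirm the two arguments that previously filled `" --ip6-source-port %s %s"` are still passed after it, since a `virBufferVSprintf` call whose argument count no longer matches its format specifiers is undefined behaviour that the compiler will not necessarily catch.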

Avoid negative logic; this would be better as:

reverse ? "--ip6-destination-port" : "--ip6-source-port"

> @@ -1912,7 +1934,8 @@ ebiptablesCreateRuleInstance(virConnectP
>                                              rule,
>                                              ifname,
>                                              vars,
> -                                            res);
> +                                            res,
> +                                            0);

s/0/false/, to match the prototype being bool.

ACK, with those tweaks.

-- 
Eric Blake   eblake redhat com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
