Hi Dan, On Tue, 2007-03-13 at 04:28 +0000, Daniel P. Berrange wrote: > static int > iptablesPhysdevForward(iptablesContext *ctx, > const char *iface, > + const char *target, > int action) > { > - return iptablesAddRemoveRule(ctx->forward_filter, > - action, > - "--match", "physdev", > - "--physdev-in", iface, > - "--jump", "ACCEPT", > - NULL); > + if (target && target[0]) { > + return iptablesAddRemoveRule(ctx->forward_filter, > + action, > + "--match", "physdev", > + "--physdev-in", iface, > + "--out", target, > + "--jump", "ACCEPT", > + NULL); > + } else { > + return iptablesAddRemoveRule(ctx->forward_filter, > + action, > + "--match", "physdev", > + "--physdev-in", iface, > + "--jump", "ACCEPT", > + NULL); > + } > } This bit looks wrong to me. The rule is intended to allow frames from the given bridge port to be forwarded across the bridge. AFAIK --out would match against the outgoing bridge port in this case. Certainly the interface which we wish to allow IP forwarding to isn't relevant to this rule. Cheers, Mark.
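Review bot: `--out` in the new `target` branch is not an option of the physdev match; the physdev module's egress option is `--physdev-out`, and a bare `--out` is likely to be accepted by iptables as an abbreviation of the core `--out-interface` option, which matches the routed output device rather than a bridge port, so the rule this branch builds does not express a bridge-port restriction at all. Either use `--physdev-out` if the intent really is to constrain the egress bridge port, or drop the `target` parameter from this function altogether, since a FORWARD ACCEPT keyed on `--physdev-in` does not need to know the IP forwarding device. The two branches also duplicate the whole argument list except for the one optional pair; a single `iptablesAddRemoveRule` call with the optional arguments passed conditionally would avoid keeping two copies in sync.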