The previous patch to add routed networking broke the removal of one of the FORWARD rules at shutdown. It was adding

  /sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/255.255.255.0 --out-interface virbr0 --match state --state ESTABLISHED,RELATED --jump ACCEPT

But trying to remove

  /sbin/iptables --table filter --delete FORWARD --destination 192.168.122.0/255.255.255.0 --out-interface virbr0 --jump ACCEPT

which wasn't matching on the state flags. This patch makes it use the correct removal code

Dan.

Index: src/qemu_driver.c =================================================================== RCS file: /data/cvs/libvirt/src/qemu_driver.c,v retrieving revision 1.76 diff -u -r1.76 qemu_driver.c --- src/qemu_driver.c 16 May 2008 16:51:30 -0000 1.76 +++ src/qemu_driver.c 20 May 2008 20:41:03 -0000
@@ -1209,12 +1213,20 @@ struct qemud_network *network) { if (network->def->forward) { iptablesRemoveForwardMasquerade(driver->iptables, - network->def->network, - network->def->forwardDev); - iptablesRemoveForwardAllowIn(driver->iptables, - network->def->network, - network->bridge, - network->def->forwardDev); + network->def->network, + network->def->forwardDev); + + if (network->def->forwardMode == QEMUD_NET_FORWARD_NAT) + iptablesRemoveForwardAllowRelatedIn(driver->iptables, + network->def->network, + network->bridge, + network->def->forwardDev); + else if (network->def->forwardMode == QEMUD_NET_FORWARD_ROUTE) + iptablesRemoveForwardAllowIn(driver->iptables, + network->def->network, + network->bridge, + network->def->forwardDev); + iptablesRemoveForwardAllowOut(driver->iptables, network->def->network, network->bridge, -- |: Red Hat, Engineering, Boston -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
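Review bot: the new if / else if on network->def->forwardMode in the @@ -1209 hunk has no final else, so for any mode other than QEMUD_NET_FORWARD_NAT or QEMUD_NET_FORWARD_ROUTE no inbound FORWARD rule is deleted and nothing reports it, which leaves a stale ACCEPT rule in the filter table after the network is shut down. Consider a trailing else that logs the unexpected mode, or a switch on forwardMode so a newly added mode forces this code to be revisited. In the same hunk, iptablesRemoveForwardMasquerade is still called ahead of the mode check for every forwarding network; if the setup path only adds the masquerade rule for NAT, the call belongs inside the NAT branch so that the add and remove paths mirror each other. Since the bug being fixed is exactly an add/delete mismatch, a short comment next to each removal naming the add call it undoes would make the pairing easy to audit.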