On 04/05/2010 07:27 PM, Stefan Berger wrote: > The following rule in direction 'inout' > > <rule direction='inout' action='drop'> > <mac srcmacaddr='1:2:3:4:5:6'/> > </rule> > > now drops all traffic from and to the given MAC address. > So far it would have dropped traffic from the given MAC address > and outgoing traffic with the given MAC address, which is not useful > since the packets will always have the VM's MAC address as source > MAC address. Agreed that a bi-directional filter is morally equivalent to filtering src on input and dst on output. > @@ -1783,7 +1802,8 @@ ebtablesCreateRuleInstance(char chainPre > goto err_exit; > > virBufferVSprintf(&buf, > - " --ip6-source-port %s %s", > + " %s %s %s", > + (!reverse) ? "--ip6-source-port" : "--ip6-destination-port", Avoid negative logic; this would be better as: reverse ? "--ip6-destination-port" : "--ip6-source-port" > @@ -1912,7 +1934,8 @@ ebiptablesCreateRuleInstance(virConnectP > rule, > ifname, > vars, > - res); > + res, > + 0); s/0/false/, to match the prototype being bool. ACK, with those tweaks. -- Eric Blake eblake@xxxxxxxxxx +1-801-349-2682 Libvirt virtualization library http://libvirt.org
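Review bot: In the ebtablesCreateRuleInstance hunk, the option name passed to `virBufferVSprintf` now depends on `reverse`, but only the source-port side is visible here. The matching `--ip6-destination-port` emission needs the mirrored selection (`reverse ? "--ip6-source-port" : "--ip6-destination-port"`), otherwise a reversed rule that sets both ports would emit the destination option twice. The commit message explains the change only with a MAC example, so it should also say that the reversal covers the port fields.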
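Review bot: In the ebiptablesCreateRuleInstance hunk, the new trailing argument in `res, 0);` is a bare literal whose meaning is not evident at the call site. A short comment naming the parameter (presumably the reverse flag used in the first hunk) would make the call readable. This hunk shows only the non-reversed instantiation, so confirm that the 'inout' path also creates the rule a second time with the flag set, since the commit message promises matching in both directions.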