On Tue, Apr 06, 2010 at 03:55:26PM -0400, Stefan Berger wrote:
> The attached patch fixes a problem due to the mac match in iptables only
> supporting --mac-source and no --mac-destination, thus it not being
> symmetric. Therefore a rule like this one
>
> <rule action='drop' direction='out'>
> <all match='no' srcmacaddr='$MAC'/>
> </rule>
>
> should only have the MAC match on traffic leaving the VM and not test
> for the same source MAC address on traffic that the VM receives.
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
>

Okay, I had to check _iptablesCreateRuleInstance() source to find out
it's a giant switch, then patch makes sense, looks low risk and well
contained,

ACK,

Daniel

--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel@xxxxxxxxxxxx | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list