Don't use state-matching in a drop rule. Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx> Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1380,13 +1380,16 @@ _iptablesCreateRuleInstance(int directio return 0; } - if (match) - virBufferVSprintf(&buf, " %s", match); - if (rule->action == VIR_NWFILTER_RULE_ACTION_ACCEPT) target = accept_target; - else + else { target = "DROP"; + match = NULL; + } + + if (match) + virBufferVSprintf(&buf, " %s", match); + virBufferVSprintf(&buf, " -j %s" CMD_DEF_POST CMD_SEPARATOR -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
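Review bot: The new `match = NULL;` in the DROP branch carries no comment explaining why the qualifier is discarded, and the order change (the `if (match)` emission now comes after the action test) only makes sense with that rationale visible; suggest `/* a DROP rule must not be narrowed by a state match, or traffic in other connection states would slip past it */` above `match = NULL;`. This also silently widens the rule to every packet in that direction, so if `match` can ever hold qualifiers beyond the state match (not visible in this hunk), those are dropped for DROP rules too. If `match` points at heap memory that a later cleanup path frees, overwriting the pointer here would leak it; worth confirming it is a borrowed or static pointer. The enclosing `_iptablesCreateRuleInstance` starts and ends outside the hunk.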