On Fri, Apr 16, 2010 at 06:33:50AM -0400, Stefan Berger wrote: > Don't use state-matching in a drop rule. > > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx> > > Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c > =================================================================== > --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c > +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c > @@ -1380,13 +1380,16 @@ _iptablesCreateRuleInstance(int directio > return 0; > } > > - if (match) > - virBufferVSprintf(&buf, " %s", match); > - > if (rule->action == VIR_NWFILTER_RULE_ACTION_ACCEPT) > target = accept_target; > - else > + else { > target = "DROP"; > + match = NULL; > + } > + > + if (match) > + virBufferVSprintf(&buf, " %s", match); > + > > virBufferVSprintf(&buf, > " -j %s" CMD_DEF_POST CMD_SEPARATOR > ACK Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
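Review bot: The new else branch in _iptablesCreateRuleInstance() sets "match = NULL" with no comment explaining why the state match must not be emitted for a DROP target, and the commit message gives no rationale either. A one-line comment above the assignment would keep a later reader from treating it as a mistake and restoring the match. The branch is also taken for every action other than VIR_NWFILTER_RULE_ACTION_ACCEPT, so any action added later would silently lose its match as well; testing for the drop action explicitly would make that intent visible. Minor style point: the trailing "+" line after the moved "if (match)" block leaves two consecutive empty lines before the final virBufferVSprintf() call; one is enough.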