"Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote on 04/16/2010 07:09:12 AM:
> Please respond to "Daniel P. Berrange"
>
> On Fri, Apr 16, 2010 at 06:33:50AM -0400, Stefan Berger wrote:
> > Don't use state-matching in a drop rule.
> >
> > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
> >
> > Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
> > ===================================================================
> > --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
> > +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
> > @@ -1380,13 +1380,16 @@ _iptablesCreateRuleInstance(int directio
> > return 0;
> > }
> >
> > - if (match)
> > - virBufferVSprintf(&buf, " %s", match);
> > -
> > if (rule->action == VIR_NWFILTER_RULE_ACTION_ACCEPT)
> > target = accept_target;
> > - else
> > + else {
> > target = "DROP";
> > + match = NULL;
> > + }
> > +
> > + if (match)
> > + virBufferVSprintf(&buf, " %s", match);
> > +
> >
> > virBufferVSprintf(&buf,
> > " -j %s" CMD_DEF_POST CMD_SEPARATOR
> >
>
> ACK
>
> Daniel
Pushed.
Stefan
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list