[PATCH] nwfilter: changes to rules in VM->host table


In the table built for traffic coming from the VM going to the host, make the following changes:

- don't ACCEPT the packets but do a 'RETURN' and let the host-specific firewall rules in subsequent rules evaluate whether the traffic is allowed to enter
- use the '-m state' in the rules as everywhere else

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>

---
 src/nwfilter/nwfilter_ebiptables_driver.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1790,6 +1790,10 @@ iptablesCreateRuleInstance(virNWFilterDe
         return rc;

     maySkipICMP = directionIn;
+    if (needState)
+        matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
+    else
+        matchState = NULL;

     chainPrefix[0] = 'H';
     chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
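Review bot: neither `needState` nor `matchState` is declared in this hunk, and `MATCH_STATE_IN` / `MATCH_STATE_OUT` do not appear in the visible diff either; please confirm in the full patch that `matchState` is declared (e.g. `const char *matchState;`) before this point and that the two macros already exist, since "use the '-m state' in the rules as everywhere else" suggests they are shared with the other tables. A one-line comment above the `if (needState)` explaining that `matchState` feeds the `-m state` match of the VM->host rule would also help, because the assignment is otherwise easy to overlook between the `maySkipICMP` and `chainPrefix` lines.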
@@ -1800,8 +1804,8 @@ iptablesCreateRuleInstance(virNWFilterDe
                                      ifname,
                                      vars,
                                      res,
-                                     NULL, true,
-                                     "ACCEPT",
+                                     matchState, true,
+                                     "RETURN",
                                      isIPv6,
                                      maySkipICMP);

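Review bot: switching the target from `"ACCEPT"` to `"RETURN"` changes where a matching packet ends up, so the behaviour now depends entirely on the rules that follow the jump into this temporary chain in the parent chain; the commit message says the host-specific rules then decide, but please confirm that the parent chain does not end in a default DROP or an unconditional ACCEPT that would either silently discard VM->host traffic or make the state match pointless. Passing `matchState` instead of `NULL` in the same call is consistent with the commit message, but since `matchState` is set to `NULL` when `needState` is false, it would be worth a short comment at the call site noting that a `NULL` here intentionally omits the `-m state` match, so the next reader does not take it for a leftover of the old code.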
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list