Avoid the enforcement of direction if
- icmp rules specify the type/code information
- the 'skipMatch' variable is set to 'true'

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1159,6 +1159,7 @@ _iptablesCreateRuleInstance(int directio
 bool srcMacSkipped = false;
 bool skipRule = false;
 bool skipMatch = false;
+ bool hasICMPType = false;
 
 if (!iptables_cmd) {
 virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1399,6 +1400,8 @@ _iptablesCreateRuleInstance(int directio
 if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) {
 const char *parm;
 
+ hasICMPType = true;
+
 if (maySkipICMP)
 goto exit_no_error;
 
@@ -1507,7 +1510,7 @@ _iptablesCreateRuleInstance(int directio
 if (match && !skipMatch)
 virBufferVSprintf(&buf, " %s", match);
 
- if (defMatch && match != NULL)
+ if (defMatch && match != NULL && !skipMatch && !hasICMPType)
 iptablesEnforceDirection(directionIn, rule, &buf);
 
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
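Review bot: The widened condition in the hunk at line 1510 stops calling iptablesEnforceDirection() for every rule with skipMatch set or an ICMP type, yet nothing in the code records why those rules no longer need the direction constraint, so a later reader has to recover the reasoning from the commit message. A comment above the `if` would carry it, hedged as the presumed rationale: `/* no direction clause when the match itself was suppressed (skipMatch) or when the ICMP type/code already fixes the packet direction (hasICMPType) — confirm against the rule semantics */`. The description speaks of "type/code information", but hasICMPType is set only inside the dataICMPType branch (hunk at line 1400); if the parser accepts a rule carrying only the code item, that rule would still get direction enforcement, which may or may not be intended. _iptablesCreateRuleInstance begins before the first hunk and continues past the last one.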