Appending REJECT rules.

Greetings folks,

I've patched the libvirt iptables interface to append its REJECT
rules rather than insert at the head. Idea being that I'm not the only
person who usually puts the REJECTs at the end of a chain.

In my particular case any custom ACCEPT rules involving the bridge
interfaces would get pushed below the rules that libvirt puts in to
REJECT everything on the bridge interface.

I'm using the routed network mode, I have no idea if this hurts any
other network mode.

Thanks,

-Steve


--- iptables.c  2011-02-28 23:03:32.000000000 -0800
+++ iptables.c_new      2011-05-18 14:00:59.110855881 -0700
@@ -51,7 +51,8 @@

 enum {
     ADD = 0,
-    REMOVE
+    REMOVE,
+    APPEND
 };

 typedef struct
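Review bot: with APPEND added as a third value, any remaining code that tells the two original actions apart with a bare `action == ADD` test will silently treat APPEND as REMOVE; the command-builder hunk rewrites its own test, but every other site that branches on ADD/REMOVE (including the Remove* counterparts that pass REMOVE) should be grepped for. A one-line comment on the enum stating that ADD means `--insert`, REMOVE means `--delete` and APPEND means `--append` would also keep the distinction from being lost by the next reader.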
@@ -111,7 +112,7 @@
                         ? IP6TABLES_PATH : IPTABLES_PATH);

     virCommandAddArgList(cmd, "--table", rules->table,
-                         action == ADD ? "--insert" : "--delete",
+                         action == ADD ? "--insert" : action ==
REMOVE ? "--delete" : "--append",
                          rules->chain, arg, NULL);

     va_start(args, arg);
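Review bot: the replaced `action == ADD ? "--insert" : ...` line has been wrapped by the mail client (`action ==` and `REMOVE ? "--delete" : "--append",` arrive on separate lines), so the patch will not apply as posted; please resend with `git send-email` or as an attachment. The chained ternary is also hard to read at a glance; pull it out into a local, e.g. `const char *op = (action == ADD) ? "--insert" : (action == REMOVE) ? "--delete" : "--append";` with parentheses, or a small switch with a default that reports an unknown action, and keep the result under 80 columns.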
@@ -666,7 +667,7 @@
                             int family,
                             const char *iface)
 {
-    return iptablesForwardRejectOut(ctx, family, iface, ADD);
+    return iptablesForwardRejectOut(ctx, family, iface, APPEND);
 }

 /**
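Review bot: the security meaning of iptablesAddForwardRejectOut changes here and the hunk does not document it: with `--append` the `-o <iface> -j REJECT` rule lands after every rule already in FORWARD, so any pre-existing ACCEPT that matches traffic towards the bridge (the admin's own rules, or another tool's) now wins, whereas before the REJECT was guaranteed to precede them. That is the submitter's intent, but it makes libvirt's isolation depend on what is already in the chain, so the doc comment above this function (outside the hunk) and the networking docs should state that the REJECT rules are appended and that earlier user rules take precedence. The REMOVE path is unaffected, since `--delete` matches on the rule specification rather than its position.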
@@ -722,7 +723,7 @@
                            int family,
                            const char *iface)
 {
-    return iptablesForwardRejectIn(ctx, family, iface, ADD);
+    return iptablesForwardRejectIn(ctx, family, iface, APPEND);
 }

 /**
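Review bot: same concern as for the Out rule, with one extra ordering effect worth stating in the commit message: both REJECT rules are now appended in call order, so the `-i <iface>` rule sits after the `-o <iface>` rule instead of before it, and both sit behind whatever libvirt itself still adds with ADD (`--insert`). The cover note says only routed mode was exercised and that the effect on other modes is unknown; if the other forward modes reach these same helpers, the submission should say how they were checked (or the maintainers should run them) before this is merged, because the position of the REJECTs relative to libvirt's own inserted ACCEPT rules and to any host firewall rules is what each mode's isolation relies on.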

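To make the ordering problem in the report concrete, here is a small first-match model of the FORWARD chain. It is an added illustration, not libvirt code, and it does not run iptables: it models only the two libvirt rules the patch touches (REJECT on `-o <bridge>` and REJECT on `-i <bridge>`) plus one administrator ACCEPT rule, and contrasts `--insert` (the original code) with `--append` (the patched code). The interface names `virbr0` and `eth0`, the DROP policy and the admin rule are assumptions made for the example.

```python
"""Toy model of iptables first-match evaluation on the FORWARD chain.

Added example; not libvirt code, and iptables is never invoked. It models
the two REJECT rules added by iptablesAddForwardRejectOut/In plus one
administrator ACCEPT rule. Interface names and the chain policy are
assumptions chosen for the illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "REJECT"
    in_iface: Optional[str] = None   # -i <iface>, None = any
    out_iface: Optional[str] = None  # -o <iface>, None = any

    def matches(self, in_iface: str, out_iface: str) -> bool:
        return ((self.in_iface is None or self.in_iface == in_iface)
                and (self.out_iface is None or self.out_iface == out_iface))


@dataclass
class Chain:
    """One iptables chain: an ordered rule list plus a default policy."""
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule) -> None:
        # iptables --insert with no position: the rule becomes rule number 1
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:
        # iptables --append: the rule goes last
        self.rules.append(rule)

    def delete(self, rule: Rule) -> None:
        # iptables --delete <spec>: removes the first rule with that spec,
        # wherever it sits, so the REMOVE path is independent of position
        self.rules.remove(rule)

    def verdict(self, in_iface: str, out_iface: str) -> str:
        # first matching rule wins; otherwise fall through to the policy
        for r in self.rules:
            if r.matches(in_iface, out_iface):
                return r.target
        return self.policy


def libvirt_reject_rules(bridge: str) -> List[Rule]:
    """The rules from iptablesForwardRejectOut (-o) and iptablesForwardRejectIn (-i),
    in the order the Add* wrappers are called."""
    return [Rule("REJECT", out_iface=bridge), Rule("REJECT", in_iface=bridge)]


def forward_chain(mode: str, bridge: str = "virbr0", uplink: str = "eth0") -> Chain:
    """Build FORWARD as in the report: the admin's ACCEPT for uplink->bridge is
    already present, then libvirt adds its REJECTs with --insert ("insert",
    original code) or --append ("append", patched code)."""
    if mode not in ("insert", "append"):
        raise ValueError(f"unknown mode {mode!r}")
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", in_iface=uplink, out_iface=bridge))  # admin rule
    add = chain.insert if mode == "insert" else chain.append
    for r in libvirt_reject_rules(bridge):
        add(r)
    return chain


def verdict_for_uplink_to_bridge(mode: str) -> str:
    """The case from the report: a packet eth0 -> virbr0."""
    return forward_chain(mode).verdict("eth0", "virbr0")


def verdict_for_bridge_to_uplink(mode: str) -> str:
    """The reverse direction, which no admin rule covers."""
    return forward_chain(mode).verdict("virbr0", "eth0")


def verdict_after_network_stop(mode: str) -> str:
    """After libvirt removes its rules with --delete the admin rule is all that
    is left, regardless of how the REJECTs were added."""
    chain = forward_chain(mode)
    for r in libvirt_reject_rules("virbr0"):
        chain.delete(r)
    return chain.verdict("eth0", "virbr0")


if __name__ == "__main__":
    for mode in ("insert", "append"):
        print(f"{mode:6s}: eth0->virbr0 {verdict_for_uplink_to_bridge(mode)},"
              f" virbr0->eth0 {verdict_for_bridge_to_uplink(mode)}")
```

With `--insert` the admin's ACCEPT ends up behind both REJECTs and eth0->virbr0 is rejected; with `--append` the same ACCEPT is evaluated first and wins, while the reverse direction, which no user rule covers, is rejected either way. The model also shows why the patch leaves the REMOVE path alone: `--delete` finds the rule by its specification, not its position.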
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
