On 03/11/2014 01:33 PM, Stefan Berger wrote: > From: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> > > Recent Linux iptables (3.11.7) refuses to create iptables MAC address > check rules using -m mac --mac-source <addr> where previous versions > still allowed it. So we now need to deactivate the filtering rules for > when the incoming traffic is filtered before it is sent into the VM. > Those are typically the chains that start with FO-* or start with FP-* > when they are being built. > > Adapt the documentation to reflect the fact that srcmacaddr, when > used in iptables rules, should be regarded as deprecated due to the > above mentioned problems. > > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> > --- > docs/formatnwfilter.html.in | 42 +++++-------------------------- > src/nwfilter/nwfilter_ebiptables_driver.c | 29 +++++++++++++-------- > 2 files changed, 24 insertions(+), 47 deletions(-) > > diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in > index 4b95fce..ee23d8e 100644 > --- a/docs/formatnwfilter.html.in > +++ b/docs/formatnwfilter.html.in > @@ -1209,7 +1209,7 @@ > <tr> > <td>srcmacaddr</td> > <td>MAC_ADDR</td> > - <td>MAC address of sender</td> > + <td>MAC address of sender; this option is deprecated</td> Generally, when declaring something deprecated, it helps to say what the preferred alternative is (or admit that the option never made sense in the first place). > > + /* recent Linux iptables does not allow this filteirng rule to be Oops, still missed s/filteirng/filtering/ -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
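Review bot: in the docs/formatnwfilter.html.in hunk, the new srcmacaddr cell text "MAC address of sender; this option is deprecated" drops the qualification given in the commit message, which deprecates srcmacaddr only when it is used in iptables rules. Suggest carrying that scope into the cell and stating the reason (iptables refuses -m mac --mac-source for the chains that filter traffic before it is sent into the VM), so that a reader who relies on the source MAC match does not assume it is still applied in that direction.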
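Review bot: in the src/nwfilter/nwfilter_ebiptables_driver.c hunk, the added comment that opens "/* recent Linux iptables does not allow this filteirng rule to be" ties the workaround to "recent" iptables, which will mean little to a later reader of the driver. Suggest naming the version given in the commit message (3.11.7) in the comment, and correcting the spelling of "filtering" on the same line.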