On Wed, Apr 16, 2014 at 03:38:39PM -0400, Stefan Berger wrote: > > } > > > > if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) { > >- printCommentVar(prefix, ipHdr->dataComment.u.string); > >- > > /* keep comments behind everything else -- they are packet eval. > > no-ops */ > >- virBufferAddLit(afterStateMatch, > >- " -m comment --comment \"$" COMMENT_VARNAME "\""); > >+ virFirewallRuleAddArgList(fw, fwrule, > >+ "-m", "comment", > >+ "--comment", ipHdr->dataComment.u.string, > >+ NULL); > > } > > The interesting part about comments was before to ensure that $(foo) > never executes in a subshell. With TCK passing it seems this > concern is addressed. Well the way we execute iptables now means that the shell is never involved in any part of the stack, so the issue goes away entirely. > > } else { > > if (virNWFilterRuleIsProtocolIPv4(rules[i]->def)) > > haveIptables = true; > >- else if (virNWFilterRuleIsProtocolIPv4(rules[i]->def)) > >+ else if (virNWFilterRuleIsProtocolIPv6(rules[i]->def)) > > haveIp6tables = true; > > Ah, this is probably the reason why IPv6 rules didn't work in TCK > and 23/26 now fixes it. That's probably a typo introduced in 8/26. > If you want to go back to 8/26 to fix this ... unless this has other > negative side effects during the surgery. Up to you. Yep, easy to fix the original. Thanks for finding this. > > > > if (haveIptables) { > > Based on your comment in another patch, now I am surprised to still > see this check 'haveIptables' here. Wouldn't the rpm also solve this > here as well? This boolean is about whether any iptables rules are defined for the filter. It lets us avoid creating the base chains if there are no rules to put in them. > > > > if (haveIp6tables) { > > ... also this here. Likewise. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list