nwfilter: avoid dir. enforcement for certain types of rules
authorStefan Berger <stefanb@us.ibm.com>
Tue, 19 Oct 2010 23:25:37 +0000 (19:25 -0400)
committerStefan Berger <stefanb@us.ibm.com>
Tue, 19 Oct 2010 23:25:37 +0000 (19:25 -0400)
 Avoid the enforcement of direction if
- icmp rules specify the type/code information
- the 'skipMatch' variable is set to 'true'

src/nwfilter/nwfilter_ebiptables_driver.c

index 1115d15b67980f498f21c083c239c15abf9bb38d..3eb136894c7a3d05a0072de0c961c589244049b3 100644 (file)
@@ -1159,6 +1159,7 @@ _iptablesCreateRuleInstance(int directionIn,
     bool srcMacSkipped = false;
     bool skipRule = false;
     bool skipMatch = false;
+    bool hasICMPType = false;
 
     if (!iptables_cmd) {
         virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1399,6 +1400,8 @@ _iptablesCreateRuleInstance(int directionIn,
         if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) {
             const char *parm;
 
+            hasICMPType = true;
+
             if (maySkipICMP)
                 goto exit_no_error;
 
@@ -1507,7 +1510,7 @@ _iptablesCreateRuleInstance(int directionIn,
     if (match && !skipMatch)
         virBufferVSprintf(&buf, " %s", match);
 
-    if (defMatch && match != NULL)
+    if (defMatch && match != NULL && !skipMatch && !hasICMPType)
         iptablesEnforceDirection(directionIn,
                                  rule,
                                  &buf);
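Review bot: The widened condition on the `if (defMatch && match != NULL && !skipMatch && !hasICMPType)` line encodes a filtering policy — an ICMP rule that names a type/code, or a rule whose match was skipped, no longer gets direction enforcement — but nothing in the code records why, so a later reader cannot tell whether the type/code is intended to stand in for the direction or whether the rule is deliberately left to match both ways. I would add a comment above that line, e.g. `/* no direction enforcement when the match was skipped or the ICMP type/code already pins the direction */`, with the second half adjusted to whatever iptablesEnforceDirection actually emits, which is not visible here. A minor style point: the guard two lines earlier tests the same pointer as `match` while this one uses `match != NULL`; one form should be used for both. Since hasICMPType is set before the `maySkipICMP` early exit in the second hunk, the flag is consistent on the path that reaches this check. The enclosing function _iptablesCreateRuleInstance starts and ends outside the hunk.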