From: Stefan Berger Date: Thu, 17 Jun 2010 11:15:20 +0000 (-0400) Subject: nwfilter: use match target on incoming traffic X-Git-Tag: v0.8.2~70 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2dce970162b3e45c796dfab9da8490c7b18b4533;p=thirdparty%2Flibvirt.git nwfilter: use match target on incoming traffic The following patch enables the iptables match target to be used by default for incoming traffic. So far it has only be used for outgoing traffic.
---
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index ae21906122..2fa78d065b 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1488,18 +1488,25 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
 char chainPrefix[2];
 int needState = 1;
 bool maySkipICMP, inout = false;
+const char *matchState;
 
 if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) ||
 (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT)) {
 directionIn = 1;
-needState = 0;
 inout = (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT);
+if (inout)
+needState = 0;
 }
 
 chainPrefix[0] = 'F';
 
 maySkipICMP = directionIn || inout;
 
+if (needState)
+matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
+else
+matchState = NULL;
+
 chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
 rc = _iptablesCreateRuleInstance(directionIn,
 chainPrefix,
@@ -1508,8 +1515,7 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
 ifname,
 vars,
 res,
-needState ? MATCH_STATE_OUT
-: NULL,
+matchState,
 "RETURN",
 isIPv6,
 maySkipICMP);
@@ -1518,6 +1524,10 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
 maySkipICMP = !directionIn || inout;
+if (needState)
+matchState = directionIn ? MATCH_STATE_OUT : MATCH_STATE_IN;
+else
+matchState = NULL;
 chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
 rc = _iptablesCreateRuleInstance(!directionIn,
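Review bot: The four-line `if (needState) ... else matchState = NULL;` block added before the CHAINPREFIX_HOST_IN_TEMP call is repeated before the CHAINPREFIX_HOST_OUT_TEMP call in the third hunk with only the MATCH_STATE_IN/MATCH_STATE_OUT order swapped, and nothing in the code or the commit message says why the two chains select opposite state sets. Each block collapses to a single assignment, `matchState = needState ? (directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT) : NULL;` (mirrored for the second chain), and the new `if (inout) needState = 0;` can become `needState = !inout;` since `needState` is initialised to 1 and changed nowhere else in the hunk. A short comment above the first assignment should record that INOUT rules are now the only ones installed without a state match and that the host-in chain uses the rule's own direction while the host-out chain uses the reverse; the chain-direction relationship is inferred from the two ternaries, so confirm it against the chain setup code. iptablesCreateRuleInstance begins before the first hunk and continues past the last one.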
@@ -1527,8 +1537,7 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
 ifname,
 vars,
 res,
-needState ? MATCH_STATE_IN
-: NULL,
+matchState,
 "ACCEPT",
 isIPv6,
 maySkipICMP);