From: Stefan Berger
Date: Tue, 19 Oct 2010 15:35:58 +0000 (-0400)
Subject: nwfilter: changes to rules in VM->host table
X-Git-Tag: v0.8.5~102
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d79da247a47343743364799cac65b148759fe6e;p=thirdparty%2Flibvirt.git

nwfilter: changes to rules in VM->host table

In the table built for traffic coming from the VM going to the host make the following changes:
- don't ACCEPT the packets but do a 'RETURN' and let the host-specific firewall rules in subsequent rules evaluate whether the traffic is allowed to enter
- use the '-m state' in the rules as everywhere else
---
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 23afc5e3d8..1115d15b67 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1790,6 +1790,10 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
 return rc;
 maySkipICMP = directionIn;
+ if (needState)
+ matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
+ else
+ matchState = NULL;
 chainPrefix[0] = 'H';
 chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
@@ -1800,8 +1804,8 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
 ifname,
 vars,
 res,
- NULL, true,
- "ACCEPT",
+ matchState, true,
+ "RETURN",
 isIPv6,
 maySkipICMP);
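Review bot: The change from `"ACCEPT"` to `"RETURN"` in the second hunk's iptablesCreateRuleInstanceIterate call encodes a security invariant that only the commit message states: a packet the VM-to-host chain lets through is handed back to the calling chain so the host's own firewall rules still get to reject it, whereas ACCEPT would short-circuit them. That is worth a comment in the code so a later cleanup does not quietly switch it back, e.g. `/* RETURN, not ACCEPT: hand the packet back so the host's own firewall rules still decide */` above the call. The same applies to the new `matchState` assignment in the first hunk, where a short comment such as `/* -m state match for this direction, NULL when the rule needs no state tracking */` would explain why NULL remains a valid argument. What MATCH_STATE_IN and MATCH_STATE_OUT expand to is not visible in either hunk, so the exact state match being applied cannot be checked here. The enclosing function iptablesCreateRuleInstance begins and ends outside both hunks, and the declarations of `needState` and `matchState` are not shown.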