From: Daniel P. Berrange
Date: Fri, 28 Mar 2008 01:05:08 +0000 (+0000)
Subject: Tweak masquering rules to only capture traffic leaving the virtual network
X-Git-Tag: LIBVIRT_0_4_2~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7909d32766edf8edb3ded8a8b0fb148767bbec3;p=thirdparty%2Flibvirt.git
Tweak masquering rules to only capture traffic leaving the virtual network
---
diff --git a/ChangeLog b/ChangeLog
index b58c3f79ce..379a0930d1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@ +Thu Mar 27 20:59:56 EDT 2008 Daniel P. Berrange + + * src/iptables.c: Ensure masquering rule only catches traffic + leaving the virtual network, and not traffic inside it + (patch from Charles Duffy) + Thu Mar 27 14:36:56 CET 2008 Jim Meyering lxcError: mark a string and add to the list of nearly-checked functions
diff --git a/src/iptables.c b/src/iptables.c
index 272ecb4a6a..6390e49c6b 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -1032,6 +1032,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, return iptablesAddRemoveRule(ctx->nat_postrouting, action, "--source", network, + "--destination", "!", network, "--out-interface", physdev, "--jump", "MASQUERADE", NULL);
@@ -1039,6 +1040,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, return iptablesAddRemoveRule(ctx->nat_postrouting, action, "--source", network, + "--destination", "!", network, "--jump", "MASQUERADE", NULL); }
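Review bot: Both `iptablesAddRemoveRule` calls in `iptablesForwardMasquerade` (the hunk at -1032 and the one at -1039) now build a different rule spec, and because the same call appears to serve both add and remove through `action`, a MASQUERADE rule installed by the previous build would presumably no longer match on removal and could stay in `nat_postrouting`, still rewriting traffic between guests. It is worth confirming how an upgrade with running networks is handled, for example by also attempting removal of the old spec without `--destination`. A short comment above the calls would record the intent, such as `/* Only masquerade packets leaving the virtual network; traffic between hosts inside it keeps its source address */`. The `"!"` placed after `"--destination"` relies on iptables accepting negation after the option; newer iptables releases prefer `"!", "--destination", network`, so the ordering may need revisiting. The function body starts and ends outside both hunks.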