From: Stefan Berger Date: Tue, 19 Oct 2010 23:25:37 +0000 (-0400) Subject: nwfilter: avoid dir. enforcement for certain types of rules X-Git-Tag: v0.8.5~77 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2fbdf1088cb5756f04afef8abd6a4b676771f80;p=thirdparty%2Flibvirt.git nwfilter: avoid dir. enforcement for certain types of rules Avoid the enforcement of direction if - icmp rules specify the type/code information - the 'skipMatch' variable is set to 'true' --- diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 1115d15b67..3eb136894c 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1159,6 +1159,7 @@ _iptablesCreateRuleInstance(int directionIn, bool srcMacSkipped = false; bool skipRule = false; bool skipMatch = false; + bool hasICMPType = false; if (!iptables_cmd) { virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, @@ -1399,6 +1400,8 @@ _iptablesCreateRuleInstance(int directionIn, if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) { const char *parm; + hasICMPType = true; + if (maySkipICMP) goto exit_no_error; @@ -1507,7 +1510,7 @@ _iptablesCreateRuleInstance(int directionIn, if (match && !skipMatch) virBufferVSprintf(&buf, " %s", match); - if (defMatch && match != NULL) + if (defMatch && match != NULL && !skipMatch && !hasICMPType) iptablesEnforceDirection(directionIn, rule, &buf);
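Review bot: `hasICMPType` in the second hunk is set only inside the `HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)` check, while the commit message speaks of rules that specify "type/code information". Whether a rule can carry an ICMP code without a type is not visible here, so it is worth confirming that such a rule cannot reach the direction check with the flag still false. A short comment at the assignment, for example `/* a rule with an explicit ICMP type is exempt from direction enforcement below */`, would tie the flag to its single use. The enclosing function starts and ends outside the hunk.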
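Review bot: The widened condition on the `iptablesEnforceDirection` call in the last hunk (`defMatch && match != NULL && !skipMatch && !hasICMPType`) has no comment saying why these two cases may go without direction enforcement; the commit message states only that they do. Judging by the function name, this loosens what the generated rule constrains, so the reason should sit next to the check, where it keeps the exemption from being extended later by analogy. Something like `/* no direction enforcement when the match was skipped or the rule names an ICMP type: <reason> */` would do, with the reason filled in by the author. As a style point, `match != NULL && !skipMatch` repeats the test of the `if` directly above, so the call could move under that `if` (with braces) and be guarded by `if (defMatch && !hasICMPType)` alone. The enclosing function starts and ends outside the hunk.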