From: Stefan Berger
Date: Fri, 16 Apr 2010 11:34:36 +0000 (-0400)
Subject: nwfilter: Clear all state tracking from a drop rule
X-Git-Tag: v0.8.1~115
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2327278fb1c19400f7f30eb223a31e8c5f499a8;p=thirdparty%2Flibvirt.git
nwfilter: Clear all state tracking from a drop rule
Don't use state-matching in a drop rule.
---
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index b71c356023..f6542d52dc 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1380,13 +1380,16 @@ _iptablesCreateRuleInstance(int directionIn,
 return 0;
 }
 
- if (match)
- virBufferVSprintf(&buf, " %s", match);
-
 if (rule->action == VIR_NWFILTER_RULE_ACTION_ACCEPT)
 target = accept_target;
- else
+ else {
 target = "DROP";
+ match = NULL;
+ }
+
+ if (match)
+ virBufferVSprintf(&buf, " %s", match);
+
 virBufferVSprintf(&buf, " -j %s" CMD_DEF_POST CMD_SEPARATOR