提交 2dce9701 编写于 作者: S Stefan Berger

nwfilter: use match target on incoming traffic

The following patch enables the iptables match target to be used by
default for incoming traffic. So far it has only been used for outgoing
traffic.
上级 045a5722
......@@ -1488,18 +1488,25 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
char chainPrefix[2];
int needState = 1;
bool maySkipICMP, inout = false;
const char *matchState;
if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) ||
(rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT)) {
directionIn = 1;
needState = 0;
inout = (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT);
if (inout)
needState = 0;
}
chainPrefix[0] = 'F';
maySkipICMP = directionIn || inout;
if (needState)
matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
else
matchState = NULL;
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix,
......@@ -1508,8 +1515,7 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
ifname,
vars,
res,
needState ? MATCH_STATE_OUT
: NULL,
matchState,
"RETURN",
isIPv6,
maySkipICMP);
......@@ -1518,6 +1524,10 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
maySkipICMP = !directionIn || inout;
if (needState)
matchState = directionIn ? MATCH_STATE_OUT : MATCH_STATE_IN;
else
matchState = NULL;
chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
rc = _iptablesCreateRuleInstance(!directionIn,
......@@ -1527,8 +1537,7 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
ifname,
vars,
res,
needState ? MATCH_STATE_IN
: NULL,
matchState,
"ACCEPT",
isIPv6,
maySkipICMP);
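Review bot: The state-match selection is written twice with mirrored constants (the `if (needState) ... else matchState = NULL;` block before each `_iptablesCreateRuleInstance` call, in the first and third hunks) and nothing says why the second block picks the opposite constant; a reader has to notice that the second call is made with `!directionIn`. A one-line comment above each block would make the mirroring explicit, e.g. `/* second rule covers the reverse direction, so the state constants swap */`. Next to it, `int needState = 1;` sits beside `bool maySkipICMP, inout = false;` and is only ever used as a flag, so `bool needState = true;` (with `needState = false;` under `if (inout)`) would match its neighbours, though that is cosmetic. The reason INOUT rules disable state matching entirely (`if (inout) needState = 0;`) also deserves a comment, presumably because a bidirectional rule cannot be pinned to one connection direction — confirm. iptablesCreateRuleInstance starts before the first hunk and continues after the last one.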