From 2dce970162b3e45c796dfab9da8490c7b18b4533 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Thu, 17 Jun 2010 07:15:20 -0400 Subject: [PATCH] nwfilter: use match target on incoming traffic The following patch enables the iptables match target to be used by default for incoming traffic. So far it has only be used for outgoing traffic. --- src/nwfilter/nwfilter_ebiptables_driver.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index ae21906122..2fa78d065b 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1488,18 +1488,25 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, char chainPrefix[2]; int needState = 1; bool maySkipICMP, inout = false; + const char *matchState; if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) || (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT)) { directionIn = 1; - needState = 0; inout = (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT); + if (inout) + needState = 0; } chainPrefix[0] = 'F'; maySkipICMP = directionIn || inout; + if (needState) + matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT; + else + matchState = NULL; + chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP; rc = _iptablesCreateRuleInstance(directionIn, chainPrefix, @@ -1508,8 +1515,7 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, ifname, vars, res, - needState ? MATCH_STATE_OUT - : NULL, + matchState, "RETURN", isIPv6, maySkipICMP); @@ -1518,6 +1524,10 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, maySkipICMP = !directionIn || inout; + if (needState) + matchState = directionIn ? MATCH_STATE_OUT : MATCH_STATE_IN; + else + matchState = NULL; chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP; rc = _iptablesCreateRuleInstance(!directionIn, 
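Review bot: With `needState = 0` now set only under `if (inout)`, every rule with direction `in` gets a state match, and in the lines shown `matchState` is chosen from the direction alone, with no check of the rule's action. If `_iptablesCreateRuleInstance` (outside this hunk) also applies the match to non-accept rules, an incoming drop rule would cover only packets in the states named by `MATCH_STATE_IN`, and other packets would fall through to later rules; please confirm how the callee handles this, or clear `needState` for such rules here. Existing filters with direction `in` also change behaviour on upgrade, which the commit message should say explicitly. A comment above the new block would record the rule, e.g. `/* state match applies to in-only and out-only rules; inout rules are left stateless */`. The function body starts and ends outside the hunk.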
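Review bot: The `if (needState) … else matchState = NULL;` block added before `chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;` repeats the one in the first hunk with the two constants swapped, which is easy to misread and easy to get out of step in a later edit. A single expression keeps the mirror visible: `matchState = needState ? (directionIn ? MATCH_STATE_OUT : MATCH_STATE_IN) : NULL;`, with a comment such as `/* this call uses !directionIn, so it takes the opposite state set */`. Which state set lands on which chain decides what return traffic is admitted, so a test or documented example of the generated rules for one `in` and one `out` rule would make a mix-up detectable. The enclosing function continues outside the hunk.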
@@ -1527,8 +1537,7 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, ifname, vars, res, - needState ? MATCH_STATE_IN - : NULL, + matchState, "ACCEPT", isIPv6, maySkipICMP); -- GitLab