nwfilter: use match target on incoming traffic

The following patch enables the iptables match target to be used by default for incoming traffic. So far it has only be used for outgoing traffic.

nwfilter: use match target on incoming traffic
The following patch enables the iptables match target to be used by default for incoming traffic. So far it has only be used for outgoing traffic.
2dce9701 · Stefan Berger · 045a5722 · 2dce9701
隐藏空白更改
内联并排

Showing with 14 addition and 5 deletion

src/nwfilter/nwfilter_ebiptables_driver.c src/nwfilter/nwfilter_ebiptables_driver.c +14 -5

未找到文件。
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1488,18 +1488,25 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
    char chainPrefix[2];
    int needState = 1;
    bool maySkipICMP, inout = false;
+    const char *matchState;
    if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) ||
        (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT)) {
        directionIn = 1;
-        needState = 0;
        inout = (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT);
+        if (inout)
+            needState = 0;
    }
    chainPrefix[0] = 'F';
    maySkipICMP = directionIn || inout;
+    if (needState)
+        matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
+    else
+        matchState = NULL;
    chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
    rc = _iptablesCreateRuleInstance(directionIn,
                                     chainPrefix,
@@ -1508,8 +1515,7 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
                                     ifname,
                                     vars,
                                     res,
-                                     needState ? MATCH_STATE_OUT
+                                     matchState,
-                                               : NULL,
                                     "RETURN",
                                     isIPv6,
                                     maySkipICMP);
@@ -1518,6 +1524,10 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
    maySkipICMP = !directionIn || inout;
+    if (needState)
+        matchState = directionIn ? MATCH_STATE_OUT : MATCH_STATE_IN;
+    else
+        matchState = NULL;
    chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
    rc = _iptablesCreateRuleInstance(!directionIn,
@@ -1527,8 +1537,7 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
                                     ifname,
                                     vars,
                                     res,
-                                     needState ? MATCH_STATE_IN
+                                     matchState,
-                                               : NULL,
                                     "ACCEPT",
                                     isIPv6,
                                     maySkipICMP);