nwfilter: changes to rules in VM->host table

In the table built for traffic coming from the VM going to the host make the following changes: - don't ACCEPT the packets but do a 'RETURN' and let the host-specific firewall rules in subsequent rules evaluate whether the traffic is allowed to enter - use the '-m state' in the rules as everywhere else

nwfilter: changes to rules in VM->host table
In the table built for traffic coming from the VM going to the host make the following changes: - don't ACCEPT the packets but do a 'RETURN' and let the host-specific firewall rules in subsequent rules evaluate whether the traffic is allowed to enter - use the '-m state' in the rules as everywhere else
7d79da24 · Stefan Berger · 6dcd9c0d · 7d79da24
隐藏空白更改
内联并排

Showing with 6 addition and 2 deletion

src/nwfilter/nwfilter_ebiptables_driver.c src/nwfilter/nwfilter_ebiptables_driver.c +6 -2

未找到文件。
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1790,6 +1790,10 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
        return rc;
    maySkipICMP = directionIn;
+    if (needState)
+        matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
+    else
+        matchState = NULL;
    chainPrefix[0] = 'H';
    chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
@@ -1800,8 +1804,8 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
                                     ifname,
                                     vars,
                                     res,
-                                     NULL, true,
+                                     matchState, true,
-                                     "ACCEPT",
+                                     "RETURN",
                                     isIPv6,
                                     maySkipICMP);