nwfilter: avoid dir. enforcement for certain types of rules

Avoid the enforcement of direction if - icmp rules specify the type/code information - the 'skipMatch' variable is set to 'true'

nwfilter: avoid dir. enforcement for certain types of rules
Avoid the enforcement of direction if - icmp rules specify the type/code information - the 'skipMatch' variable is set to 'true'
c2fbdf10 · Stefan Berger · 956e3c58 · c2fbdf10
隐藏空白更改
内联并排

Showing with 4 addition and 1 deletion

src/nwfilter/nwfilter_ebiptables_driver.c src/nwfilter/nwfilter_ebiptables_driver.c +4 -1

未找到文件。
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1159,6 +1159,7 @@ _iptablesCreateRuleInstance(int directionIn,
    bool srcMacSkipped = false;
    bool skipRule = false;
    bool skipMatch = false;
+    bool hasICMPType = false;

    if (!iptables_cmd) {
        virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1399,6 +1400,8 @@ _iptablesCreateRuleInstance(int directionIn,
        if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) {
            const char *parm;

+            hasICMPType = true;
+
            if (maySkipICMP)
                goto exit_no_error;

@@ -1507,7 +1510,7 @@ _iptablesCreateRuleInstance(int directionIn,
    if (match && !skipMatch)
        virBufferVSprintf(&buf, " %s", match);

-    if (defMatch && match != NULL)
+    if (defMatch && match != NULL && !skipMatch && !hasICMPType)
        iptablesEnforceDirection(directionIn,
                                 rule,
                                 &buf);