nwfilter: fix due to non-symmetric src mac address match in iptables
The attached patch fixes a problem due to the mac match in iptables only supporting --mac-source and no --mac-destination, thus it not being symmetric. Therefore a rule like this one

    <rule action='drop' direction='out'>
      <all match='no' srcmacaddr='$MAC'/>
    </rule>

should only have the MAC match on traffic leaving the VM and not test for the same source MAC address on traffic that the VM receives.
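The asymmetry described in the commit message, as an added example that is not part of the patch or of libvirt's code: a simplified model of a source-MAC-only match applied to sample frames, first in both directions and then only to traffic leaving the VM. The MAC addresses, class and function names are constructed for illustration, and the model assumes a rule is treated as not applicable to received frames when its MAC test is not applied there.

```python
# Simplified model of a source-MAC-only match; not libvirt's nwfilter code.
# All names, MAC addresses and frames below are constructed for illustration.
from dataclasses import dataclass

VM_MAC = "52:54:00:aa:bb:cc"    # constructed value standing in for $MAC
PEER_MAC = "52:54:00:11:22:33"  # constructed MAC of some other host

@dataclass(frozen=True)
class Frame:
    src_mac: str
    leaving_vm: bool  # True: sent by the VM, False: received by the VM

@dataclass(frozen=True)
class MacRule:
    action: str      # e.g. "drop"
    srcmacaddr: str
    negate: bool     # True corresponds to match='no'

def src_mac_hit(rule, frame):
    """'[!] --mac-source' semantics: only the frame's source MAC is compared."""
    equal = frame.src_mac.lower() == rule.srcmacaddr.lower()
    return equal != rule.negate

def verdict(rule, frame, both_directions):
    """Return rule.action if the rule fires on this frame, else None.

    both_directions=True applies the MAC test to received frames as well;
    False applies it only to frames leaving the VM. Assumption: without the
    MAC test the rule is treated as not applicable to received frames.
    """
    if not frame.leaving_vm and not both_directions:
        return None
    return rule.action if src_mac_hit(rule, frame) else None

# The rule from the commit message: drop when the source MAC is NOT $MAC.
ANTI_SPOOF = MacRule(action="drop", srcmacaddr=VM_MAC, negate=True)
FRAMES = {
    "vm sends, own MAC": Frame(VM_MAC, leaving_vm=True),
    "vm sends, spoofed MAC": Frame(PEER_MAC, leaving_vm=True),
    "vm receives from peer": Frame(PEER_MAC, leaving_vm=False),
}

def compare():
    """Map each frame to (verdict with symmetric test, verdict with one-way test)."""
    return {name: (verdict(ANTI_SPOOF, f, True), verdict(ANTI_SPOOF, f, False))
            for name, f in FRAMES.items()}

if __name__ == "__main__":
    for name, (symmetric, one_way) in compare().items():
        print(f"{name:24} symmetric={symmetric} one_way={one_way}")
```

On a received frame the source MAC belongs to the sender, so a negated source-MAC test is true for every peer; that is why the test only makes sense on traffic leaving the VM.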