iptablesHandleIpHdr(virBufferPtr buf,
virNWFilterHashTablePtr vars,
ipHdrDataDefPtr ipHdr,
- int directionIn)
+ int directionIn,
+ bool *skipRule, bool *skipMatch)
{
char ipaddr[INET6_ADDRSTRLEN],
number[20];
number);
}
+ if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) {
+ if (directionIn) {
+ // only support for limit in outgoing dir.
+ *skipRule = true;
+ } else {
+ if (printDataType(vars,
+ number, sizeof(number),
+ &ipHdr->dataConnlimitAbove))
+ goto err_exit;
+
+ virBufferVSprintf(buf,
+ " -m connlimit %s --connlimit-above %s",
+ ENTRY_GET_NEG_SIGN(&ipHdr->dataConnlimitAbove),
+ number);
+ *skipMatch = true;
+ }
+ }
+
return 0;
err_exit:
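Review bot: The `directionIn` branch silently discards the whole rule (the caller frees the buffer when `*skipRule` is set), so a connlimit rule written for the incoming direction is dropped without any log or error — a fail-open for whoever expected that limit to be enforced. Since `virNWFilterReportError` is already used in this file, consider at least reporting the unsupported combination, or rejecting it at parse time so the admin sees it; a rule that is quietly not installed is worse than one that fails loudly. The one-line comment should also say what actually happens, e.g. `/* connlimit is only supported for the outgoing direction; the caller drops this whole rule, not just the match, when skipRule is set */`. Note too that `*skipRule`/`*skipMatch` are only written when the connlimit entry exists, so the function depends on the caller having pre-initialised both to false — worth stating in a comment above the signature. The start of this function's body and the `err_exit` cleanup lie outside the hunk.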
: iptables_cmd_path;
unsigned int bufUsed;
bool srcMacSkipped = false;
+ bool skipRule = false;
+ bool skipMatch = false;
if (!iptables_cmd) {
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
if (iptablesHandleIpHdr(&buf,
vars,
&rule->p.tcpHdrFilter.ipHdr,
- directionIn))
+ directionIn,
+ &skipRule, &skipMatch))
goto err_exit;
if (iptablesHandlePortData(&buf,
if (iptablesHandleIpHdr(&buf,
vars,
&rule->p.udpHdrFilter.ipHdr,
- directionIn))
+ directionIn,
+ &skipRule, &skipMatch))
goto err_exit;
if (iptablesHandlePortData(&buf,
if (iptablesHandleIpHdr(&buf,
vars,
&rule->p.udpliteHdrFilter.ipHdr,
- directionIn))
+ directionIn,
+ &skipRule, &skipMatch))
goto err_exit;
break;
if (iptablesHandleIpHdr(&buf,
vars,
&rule->p.espHdrFilter.ipHdr,
- directionIn))
+ directionIn,
+ &skipRule, &skipMatch))
goto err_exit;
break;
if (iptablesHandleIpHdr(&buf,
vars,
&rule->p.ahHdrFilter.ipHdr,
- directionIn))
+ directionIn,
+ &skipRule, &skipMatch))
goto err_exit;
break;
if (iptablesHandleIpHdr(&buf,
vars,
&rule->p.sctpHdrFilter.ipHdr,
- directionIn))
+ directionIn,
+ &skipRule, &skipMatch))
goto err_exit;
if (iptablesHandlePortData(&buf,
if (iptablesHandleIpHdr(&buf,
vars,
&rule->p.icmpHdrFilter.ipHdr,
- directionIn))
+ directionIn,
+ &skipRule, &skipMatch))
goto err_exit;
if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) {
if (iptablesHandleIpHdr(&buf,
vars,
&rule->p.igmpHdrFilter.ipHdr,
- directionIn))
+ directionIn,
+ &skipRule, &skipMatch))
goto err_exit;
break;
if (iptablesHandleIpHdr(&buf,
vars,
&rule->p.allHdrFilter.ipHdr,
- directionIn))
+ directionIn,
+ &skipRule, &skipMatch))
goto err_exit;
break;
return -1;
}
- if (srcMacSkipped && bufUsed == virBufferUse(&buf)) {
+ if ((srcMacSkipped && bufUsed == virBufferUse(&buf)) ||
+ skipRule) {
virBufferFreeAndReset(&buf);
return 0;
}
target = accept_target;
else {
target = "DROP";
- match = NULL;
+ skipMatch = true;
}
- if (match)
+ if (match && !skipMatch)
virBufferVSprintf(&buf, " %s", match);
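Review bot: `skipMatch` at the `if (match && !skipMatch)` line is now set from two unrelated places — the DROP-target branch just above and the connlimit path inside `iptablesHandleIpHdr` — and nothing at the declaration explains why a connlimit rule must not carry the generic `match` string; a reader will assume it is only the DROP case. A comment at the `bool skipMatch = false;` declaration such as `/* set when the generic match must not be appended: DROP rules, and connlimit rules which carry their own -m connlimit match */` would make that intent explicit (I am inferring the reason for the connlimit case from the `-m connlimit` text the helper writes; confirm that is why it is suppressed). Likewise `skipRule` deserves a note that a true value discards the entire buffered rule, not only the connlimit part, since that is what the `virBufferFreeAndReset` path does. The enclosing function starts and ends outside this hunk.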