Tweak masquering rules to only capture traffic leaving the virtual network

diff --git a/ChangeLog b/ChangeLog
index b58c3f79ce0e5cf3b36ae1c7cfb92c5c5ee22097..379a0930d116548027545674623a83227b4f593e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Thu Mar 27 20:59:56 EDT 2008 Daniel P. Berrange <berrange@redhat.com>
+
+       * src/iptables.c: Ensure masquering rule only catches traffic
+       leaving the virtual network, and not traffic inside it
+       (patch from Charles Duffy)
+
 Thu Mar 27 14:36:56 CET 2008 Jim Meyering <meyering@redhat.com>
 
        lxcError: mark a string and add to the list of nearly-checked functions

diff --git a/src/iptables.c b/src/iptables.c
index 272ecb4a6a976d364faec6a05576d97e68e8a078..6390e49c6bd6653500a3261c4f8d4f5e00b493c9 100644 (file)
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -1032,6 +1032,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
         return iptablesAddRemoveRule(ctx->nat_postrouting,
                                      action,
                                      "--source", network,
+                                     "--destination", "!", network,
                                      "--out-interface", physdev,
                                      "--jump", "MASQUERADE",
                                      NULL);
@@ -1039,6 +1040,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
         return iptablesAddRemoveRule(ctx->nat_postrouting,
                                      action,
                                      "--source", network,
+                                     "--destination", "!", network,
                                      "--jump", "MASQUERADE",
                                      NULL);
     }