Tweak masquering rules to only capture traffic leaving the virtual network

2025-01-10 05:17:59 +03:00 · 2008-03-28 01:05:08 +00:00 · 2008-03-28 01:05:08 +00:00 · b7909d3276
commit b7909d3276
parent c5adab5270
2 changed files with 8 additions and 0 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+Thu Mar 27 20:59:56 EDT 2008 Daniel P. Berrange <berrange@redhat.com>
+
+	* src/iptables.c: Ensure masquering rule only catches traffic
+	leaving the virtual network, and not traffic inside it
+	(patch from Charles Duffy)
+
 Thu Mar 27 14:36:56 CET 2008 Jim Meyering <meyering@redhat.com>

 	lxcError: mark a string and add to the list of nearly-checked functions
--- a/src/iptables.c
+++ b/src/iptables.c
@ -1032,6 +1032,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
        return iptablesAddRemoveRule(ctx->nat_postrouting,
                                     action,
                                     "--source", network,
+                                     "--destination", "!", network,
                                     "--out-interface", physdev,
                                     "--jump", "MASQUERADE",
                                     NULL);
@ -1039,6 +1040,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
        return iptablesAddRemoveRule(ctx->nat_postrouting,
                                     action,
                                     "--source", network,
+                                     "--destination", "!", network,
                                     "--jump", "MASQUERADE",
                                     NULL);
    }