author | Beniamino Galvani <bgalvani@redhat.com> | 2016-01-21 16:39:55 +0100 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2016-01-23 10:19:39 +0100 |
commit | eadb0051dc0715499c3b50a057bb1b49e9ef7da2 (patch) | |
tree | 7774d1955c0ef874841a5c2fa575d960194fb61d | |
parent | b95c88284dd58d871c88850cb4570119684f4f06 (diff) | |
download | NetworkManager-eadb0051dc0715499c3b50a057bb1b49e9ef7da2.tar.gz |
core: list iptables sharing rules in the right order
The rules were added to the list using g_slist_append() and then
applied one at a time using "iptables --insert", which puts them at the
beginning of the chain, reversing the initial order.
Instead, list them in the desired order and use g_slist_prepend() to
achieve the same result. This has no functional changes.
(cherry picked from commit 8cba3e046eb8e3db9ab0bd55bbadc6cb8043096d)
-rw-r--r-- | src/devices/nm-device.c | 18 | ||||
-rw-r--r-- | src/nm-activation-request.c | 2 |
2 files changed, 10 insertions, 10 deletions
diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index 735f509f7c..6fa64b19dd 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -5695,16 +5695,16 @@ start_sharing (NMDevice *self, NMIP4Config *config)
 req = nm_device_get_act_request (self);
 g_assert (req);
- add_share_rule (req, "filter", "INPUT --in-interface %s --protocol tcp --destination-port 53 --jump ACCEPT", ip_iface);
- add_share_rule (req, "filter", "INPUT --in-interface %s --protocol udp --destination-port 53 --jump ACCEPT", ip_iface);
- add_share_rule (req, "filter", "INPUT --in-interface %s --protocol tcp --destination-port 67 --jump ACCEPT", ip_iface);
- add_share_rule (req, "filter", "INPUT --in-interface %s --protocol udp --destination-port 67 --jump ACCEPT", ip_iface);
- add_share_rule (req, "filter", "FORWARD --in-interface %s --jump REJECT", ip_iface);
- add_share_rule (req, "filter", "FORWARD --out-interface %s --jump REJECT", ip_iface);
- add_share_rule (req, "filter", "FORWARD --in-interface %s --out-interface %s --jump ACCEPT", ip_iface, ip_iface);
- add_share_rule (req, "filter", "FORWARD --source %s/%s --in-interface %s --jump ACCEPT", str_addr, str_mask, ip_iface);
- add_share_rule (req, "filter", "FORWARD --destination %s/%s --out-interface %s --match state --state ESTABLISHED,RELATED --jump ACCEPT", str_addr, str_mask, ip_iface);
 add_share_rule (req, "nat", "POSTROUTING --source %s/%s ! --destination %s/%s --jump MASQUERADE", str_addr, str_mask, str_addr, str_mask);
+ add_share_rule (req, "filter", "FORWARD --destination %s/%s --out-interface %s --match state --state ESTABLISHED,RELATED --jump ACCEPT", str_addr, str_mask, ip_iface);
+ add_share_rule (req, "filter", "FORWARD --source %s/%s --in-interface %s --jump ACCEPT", str_addr, str_mask, ip_iface);
+ add_share_rule (req, "filter", "FORWARD --in-interface %s --out-interface %s --jump ACCEPT", ip_iface, ip_iface);
+ add_share_rule (req, "filter", "FORWARD --out-interface %s --jump REJECT", ip_iface);
+ add_share_rule (req, "filter", "FORWARD --in-interface %s --jump REJECT", ip_iface);
+ add_share_rule (req, "filter", "INPUT --in-interface %s --protocol udp --destination-port 67 --jump ACCEPT", ip_iface);
+ add_share_rule (req, "filter", "INPUT --in-interface %s --protocol tcp --destination-port 67 --jump ACCEPT", ip_iface);
+ add_share_rule (req, "filter", "INPUT --in-interface %s --protocol udp --destination-port 53 --jump ACCEPT", ip_iface);
+ add_share_rule (req, "filter", "INPUT --in-interface %s --protocol tcp --destination-port 53 --jump ACCEPT", ip_iface);
 nm_act_request_set_shared (req, TRUE);
diff --git a/src/nm-activation-request.c b/src/nm-activation-request.c
index 2c084b874e..6a05f452fe 100644
--- a/src/nm-activation-request.c
+++ b/src/nm-activation-request.c
@@ -274,7 +274,7 @@ nm_act_request_add_share_rule (NMActRequest *req,
 rule = g_malloc0 (sizeof (ShareRule));
 rule->table = g_strdup (table);
 rule->rule = g_strdup (table_rule);
- priv->share_rules = g_slist_append (priv->share_rules, rule);
+ priv->share_rules = g_slist_prepend (priv->share_rules, rule);
 }
 /********************************************************************/ |
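Review bot: The order of the add_share_rule() calls in start_sharing is only correct because of two facts that nothing at the call site records: nm_act_request_add_share_rule() now prepends (the nm-activation-request.c hunk), and, per the commit message, each rule is applied with "iptables --insert". Switching back to g_slist_append(), or applying with an appending iptables operation, would reverse the chain and put the two FORWARD REJECT rules above the ACCEPT rules without any compile-time or visible runtime hint. I would add a comment above the block, for example `/* Listed in final chain order, first match on top; relies on g_slist_prepend() plus "iptables --insert". */`, and a matching one-line comment at the `g_slist_prepend (priv->share_rules, rule)` call saying the list is deliberately kept in reverse call order. Any other consumer of priv->share_rules is outside this diff and presumably now sees the reversed list, which is worth confirming; both function bodies start and end outside their hunks.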