From d175caad25a4e80800d5e7e7d8c9d920a88b78e1 Mon Sep 17 00:00:00 2001
From: Daniel P. Berrange
Date: Fri, 28 Mar 2008 01:05:08 +0000
Subject: [PATCH] Tweak masquering rules to only capture traffic leaving the virtual network
---
 ChangeLog      |    6 ++++++
 src/iptables.c |    2 ++
 2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b58c3f7..379a093 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Thu Mar 27 20:59:56 EDT 2008 Daniel P. Berrange
+
+	* src/iptables.c: Ensure masquering rule only catches traffic leaving the virtual network, and not traffic inside it (patch from Charles Duffy)
+
 Thu Mar 27 14:36:56 CET 2008 Jim Meyering
 	lxcError: mark a string and add to the list of nearly-checked functions
diff --git a/src/iptables.c b/src/iptables.c
index 272ecb4..6390e49 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -1032,6 +1032,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
     return iptablesAddRemoveRule(ctx->nat_postrouting,
                                  action,
                                  "--source", network,
+                                 "--destination", "!", network,
                                  "--out-interface", physdev,
                                  "--jump", "MASQUERADE",
                                  NULL);
@@ -1039,6 +1040,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
     return iptablesAddRemoveRule(ctx->nat_postrouting,
                                  action,
                                  "--source", network,
+                                 "--destination", "!", network,
                                  "--jump", "MASQUERADE",
                                  NULL);
 }
-- 
1.5.5.rc1
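Review bot: The added `"--destination", "!", network` argument in both hunks of src/iptables.c uses the intrapositioned negation form (`--destination ! addr`), which later iptables releases flag as deprecated in favour of the extrapositioned form; if the iptables versions you target accept it, `"!", "--destination", network` is the more durable spelling, and the two call sites (the one with `--out-interface physdev` and the one without) should keep using the same form so the rules stay deletable by the same argument list. The intent of the negation is not obvious from the rule text alone, so a short comment above the first call would help, e.g. `/* Masquerade only traffic leaving the virtual network; guest-to-guest traffic keeps its source address */`, and the second call can reference the same rationale. Note that iptablesForwardMasquerade starts before the first hunk and its body continues between and past the two hunks, so the branch that selects between the two calls is not visible here.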