On a Tuesday in 2025, Daniel P. Berrangé via Devel wrote:
From: Daniel P. Berrangé <berrange@xxxxxxxxxx> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> --- NEWS.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index e5e8626729..c7bfac1db4 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -48,6 +48,14 @@ v11.6.0 (unreleased) * **Bug fixes** + * The nwfilter driver no longer recreates the base iptable/ip6tables chains + + The nwfilter driver had a impl mistake causing it to recreate the
I'd rather spell out implementation fully here.
+ base chains for iptables/ip6tables every time a VM was started. + This allowed a small window where traffic might not be fully + filtered. It now handles iptables/ip6tables the same way as + ebtables, creating the base chains only if they did not already + exist. v11.5.0 (2025-07-01) ====================
Reviewed-by: Ján Tomko <jtomko@xxxxxxxxxx> Jano
Attachment:
signature.asc
Description: PGP signature
