From e44b28a0daa771c67fa8672f89f7d52ee1bfec22 Mon Sep 17 00:00:00 2001
From: Soren Hansen
Date: Tue, 25 Jan 2011 21:20:42 +0100
Subject: Perform same filtering for OUTPUT as FORWARD in iptables. This removes a way around the filtering.
---
 nova/virt/libvirt_conn.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index 37eb02e4f..ac7fd8ef0 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -1228,6 +1228,7 @@ class IptablesFirewallDriver(FirewallDriver):
 our_chains += [':nova-local - [0:0]']
 our_rules += ['-A FORWARD -j nova-local']
+ our_rules += ['-A OUTPUT -j nova-local']
 security_groups = {} # Add our chains
-- cgit
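Review bot: The added `our_rules += ['-A OUTPUT -j nova-local']` has no comment saying why OUTPUT is hooked alongside FORWARD, and the reason is not obvious from the rule list: packets generated on the host itself traverse OUTPUT rather than FORWARD, so without this jump they never reach nova-local. I would put above the two jumps `# Host-originated packets traverse OUTPUT, not FORWARD; send both through nova-local so instance filtering cannot be bypassed from the host.` The diffstat shows only libvirt_conn.py changed, so a test asserting that the generated filter rules contain both jumps would keep this line from being dropped unnoticed. Because all host-originated traffic now enters nova-local, it is worth confirming that the rules added to that chain, which are built outside this hunk, match only instance addresses; the enclosing method starts and ends outside the hunk.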