
[Xen-changelog] [xen-unstable] tools: dom0 iptables rule ordering change



# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1239704402 -3600
# Node ID e15d30dfb6003e10b1cc4189d7c25fb3a53ac4d1
# Parent  4063894c0c1fcd619e4b76916c919036567f3c07
tools: dom0 iptables rule ordering change

This patch makes two small changes to dom0 iptables rules that permit
(and revoke) domU network access.

First:
Currently, a rule intended to allow domU network access is appended to
the end of the FORWARD chain, where it can be preempted by other
rules.  This patch causes the rule to be inserted at the top, where
it's more likely to have the intended effect.

Second:
In some cases (e.g. Fedora 9's default iptables configuration), the
first rule alone is insufficient to permit two-way packet flow.  This
patch adds a second rule to the FORWARD chain that permits replies to
domU network requests to reach the domU vif.

Signed-off-by: Chris Bookholt <hap10@xxxxxxxxxxxxxx>
---
 tools/hotplug/Linux/vif-common.sh |   15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)

diff -r 4063894c0c1f -r e15d30dfb600 tools/hotplug/Linux/vif-common.sh
--- a/tools/hotplug/Linux/vif-common.sh Tue Apr 14 11:18:37 2009 +0100
+++ b/tools/hotplug/Linux/vif-common.sh Tue Apr 14 11:20:02 2009 +0100
@@ -68,17 +68,20 @@ frob_iptable()
 {
   if [ "$command" == "online" ]
   then
-    local c="-A"
+    local c="-I"
   else
     local c="-D"
   fi
 
   iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
-    2>/dev/null ||
-    [ "$c" == "-D" ] ||
-    log err \
-     "iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT failed.
-If you are using iptables, this may affect networking for guest domains."
+    2>/dev/null &&
+  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
+    --physdev-out "$vif" -j ACCEPT 2>/dev/null
+
+  if [ "$command" == "online" ] && [ $? ]
+  then
+    log err "iptables setup failed. This may affect guest networking."
+  fi
 }
 
 
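Review bot: the new failure check at the bottom of frob_iptable never fires correctly: `[ $? ]` tests whether the expansion of `$?` is a non-empty string, and it always is ("0" or "1"), so on every "online" event `log err "iptables setup failed..."` is emitted whether or not the two iptables calls succeeded, and real failures cannot be told from successes. Capture the status immediately after the command list and compare it numerically, e.g. `rc=$?` then `[ "$rc" -ne 0 ]`, or write `if ! iptables ... && iptables ...; then log err ...; fi`. Two smaller points in the same hunk: the old message included the full `iptables $c FORWARD ... $vif` command, which made a failure diagnosable from the log, and the replacement drops it; and chaining the two calls with `&&` means that on "offline" a failed `-D` of the first rule (for example because it was already removed) skips deleting the `--state RELATED,ESTABLISHED ... --physdev-out "$vif"` rule, leaving a stale ACCEPT in FORWARD for that vif. For the `-D` case run both deletions unconditionally (`;` instead of `&&`).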

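The behaviour the commit message describes, as an added example that is not the Xen project's vif-common.sh: both rules are inserted at the top of FORWARD with -I on "online" and removed with -D on "offline", and the exit status of each iptables call is captured and tested numerically instead of with `[ $? ]`. The IPTABLES variable is an assumption introduced here so the function can be exercised against the fake_iptables stub below (also an assumption) rather than a live netfilter; in production it defaults to the real iptables binary.

```sh
#!/bin/sh
# Added example, not Xen's own code. IPTABLES is an assumed hook: it names
# the command to run, so a stub can stand in for the real binary.
IPTABLES="${IPTABLES:-iptables}"

# Usage: frob_iptable_fixed online|offline <vif> [extra iptables match args]
# Returns 0 when both rules were applied. On "online" a failure of either
# rule is reported and returns 1; on "offline" both deletions are attempted
# and a missing rule is not treated as an error.
frob_iptable_fixed() {
  command="$1"; vif="$2"; shift 2
  if [ "$command" = "online" ]; then c="-I"; else c="-D"; fi

  rc1=0; rc2=0
  # Rule 1: packets arriving from the domU's vif may be forwarded. With -I the
  # rule lands at the top of FORWARD, ahead of a distro default REJECT rule,
  # which is the ordering problem the commit message describes.
  "$IPTABLES" "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
    2>/dev/null || rc1=$?
  # Rule 2: replies to connections the domU opened may be forwarded back out
  # its vif (the Fedora 9 case). Issued even if rule 1 failed, so "offline"
  # still removes it and does not leave a stale ACCEPT behind.
  "$IPTABLES" "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
    --physdev-out "$vif" -j ACCEPT 2>/dev/null || rc2=$?

  # '[ $? ]' would be true for any status, since $? expands to a non-empty
  # string; compare the captured statuses as numbers instead.
  if [ "$command" = "online" ] && { [ "$rc1" -ne 0 ] || [ "$rc2" -ne 0 ]; }
  then
    echo "iptables $c FORWARD for $vif failed (rc1=$rc1 rc2=$rc2)" >&2
    return 1
  fi
  return 0
}

# Stub standing in for iptables (assumption, for offline testing): records
# each invocation in FAKE_CALLS, one per line, and returns 1 for the rule
# named in FAKE_FAIL ("physdev-in" or "physdev-out") to simulate a failure.
FAKE_CALLS=""
FAKE_FAIL=""
fake_iptables() {
  FAKE_CALLS="${FAKE_CALLS}$*
"
  case "$*" in
    *--physdev-in*)  rule="physdev-in" ;;
    *--physdev-out*) rule="physdev-out" ;;
    *)               rule="other" ;;
  esac
  if [ "$rule" = "$FAKE_FAIL" ]; then return 1; fi
  return 0
}

# Number of recorded stub calls, to confirm both rules were issued.
fake_call_count() { printf '%s' "$FAKE_CALLS" | grep -c . ; }
```

To try it against the stub, set `IPTABLES=fake_iptables` before calling `frob_iptable_fixed online vif1.0` and inspect `$FAKE_CALLS`; the first recorded line starts with `-I FORWARD -m physdev --physdev-in vif1.0`. Setting `FAKE_FAIL=physdev-out` makes the "online" call return 1 while the "offline" call still returns 0 after attempting both deletions.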
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog