ia64/xen-unstable

changeset 19540:e15d30dfb600

tools: dom0 iptables rule ordering change

This patch makes two small changes to dom0 iptables rules that permit
(and revoke) domU network access.

First:
Currently, a rule intended to allow domU network access is appended to
the end of the FORWARD chain, where it can be preempted by other
rules. This patch causes the rule to be inserted at the top, where
it's more likely to have the intended effect.

Second:
In some cases (e.g. Fedora 9's default iptables configuration), the
first rule alone is insufficient to permit two-way packet flow. This
patch adds a second rule to the FORWARD chain that permits replies to
domU network requests to reach the domU vif.

Signed-off-by: Chris Bookholt <hap10@tycho.ncsc.mil>
author Keir Fraser <keir.fraser@citrix.com>
date Tue Apr 14 11:20:02 2009 +0100 (2009-04-14)
parents 4063894c0c1f
children 0108af6efdae
files tools/hotplug/Linux/vif-common.sh
line diff
     1.1 --- a/tools/hotplug/Linux/vif-common.sh	Tue Apr 14 11:18:37 2009 +0100
     1.2 +++ b/tools/hotplug/Linux/vif-common.sh	Tue Apr 14 11:20:02 2009 +0100
     1.3 @@ -68,17 +68,20 @@ frob_iptable()
     1.4  {
     1.5    if [ "$command" == "online" ]
     1.6    then
     1.7 -    local c="-A"
     1.8 +    local c="-I"
     1.9    else
    1.10      local c="-D"
    1.11    fi
    1.12  
    1.13    iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
    1.14 -    2>/dev/null ||
    1.15 -    [ "$c" == "-D" ] ||
    1.16 -    log err \
    1.17 -     "iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT failed.
    1.18 -If you are using iptables, this may affect networking for guest domains."
    1.19 +    2>/dev/null &&
    1.20 +  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
    1.21 +    --physdev-out "$vif" -j ACCEPT 2>/dev/null
    1.22 +
    1.23 +  if [ "$command" == "online" ] && [ $? ]
    1.24 +  then
    1.25 +    log err "iptables setup failed. This may affect guest networking."
    1.26 +  fi
    1.27  }
    1.28  
    1.29
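Review bot: the failure check on line 1.23, `if [ "$command" == "online" ] && [ $? ]`, can never detect a failure: `[ $? ]` is a one-argument test that is true whenever the expansion is a non-empty string, and both `0` and a non-zero status are non-empty, so the branch is taken on every `online` event and "iptables setup failed" is logged even when both rules were installed. In addition, by the time `$?` is expanded it reflects the preceding `[ "$command" == "online" ]` test, not the iptables commands. Capture the status immediately after the chain and compare it numerically, e.g. `local rc=$?` on the line following 1.21 and then `if [ "$command" == "online" ] && [ "$rc" -ne 0 ]`. Separately, joining the two iptables calls with `&&` on line 1.19 means the second rule is only touched when the first call succeeds; for the `-D` path this leaves the RELATED,ESTABLISHED rule behind whenever deletion of the first rule fails, so running both calls unconditionally and recording whether either failed would be more robust. Finally, note that `-I` places both ACCEPT rules at the head of FORWARD, ahead of any administrator-defined restrictions on that chain; that is the stated intent, but it deserves a comment in the script so operators know that dom0 FORWARD policy will not apply to traffic matched by these physdev rules.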