ia64/xen-unstable
changeset 19540:e15d30dfb600
tools: dom0 iptables rule ordering change
This patch makes two small changes to dom0 iptables rules that permit
(and revoke) domU network access.
First:
Currently, a rule intended to allow domU network access is appended to
the end of the FORWARD chain, where it can be preempted by other
rules. This patch causes the rule to be inserted at the top, where
it's more likely to have the intended effect.
Second:
In some cases (e.g. Fedora 9's default iptables configuration), the
first rule alone is insufficient to permit two-way packet flow. This
patch adds a second rule to the FORWARD chain that permits replies to
domU network requests to reach the domU vif.
Signed-off-by: Chris Bookholt <hap10@tycho.ncsc.mil>
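The two conditions this commit message describes (an ACCEPT rule appended behind a terminating REJECT/DROP, and the absence of a reply rule for the vif) can be audited from the text of `iptables -S FORWARD`. The script below is an added example, not code from the Xen changeset or from vif-common.sh; the two rule listings are constructed samples, not captures from a host, and the verdict strings are this example's own convention.

```shell
#!/bin/sh
# Added example (not part of the Xen changeset): audit a dom0 FORWARD chain
# for the two conditions the commit message describes. Input is the text of
# `iptables -S FORWARD`; both samples below are constructed, not captured.

# Constructed sample: the vif ACCEPT rule was appended (-A) after a REJECT,
# as on a Fedora-style default chain, and no reply rule exists.
SAMPLE_APPENDED='-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT'

# Constructed sample of the state after the patched frob_iptable() ran:
# both rules were inserted (-I) at the top, so they precede the REJECT.
SAMPLE_INSERTED='-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# check_vif_rules VIF RULES
# Walks the chain in match order and prints one verdict:
#   missing-in     no "--physdev-in VIF ... -j ACCEPT" rule at all
#   shadowed       that rule exists but a DROP/REJECT precedes it
#   missing-reply  no RELATED,ESTABLISHED "--physdev-out VIF" ACCEPT rule
#   ok             both rules present, the inbound one unshadowed
# Always returns 0 so callers can capture the verdict under `set -e`.
check_vif_rules() {
    vif="$1"
    rules="$2"
    pos=0; in_pos=""; block_pos=""; reply_pos=""
    while IFS= read -r line; do
        case "$line" in
            "-A FORWARD"*) ;;           # only chain rules count toward position
            *) continue ;;              # skip the policy line and blanks
        esac
        pos=$((pos + 1))
        case "$line" in
            *"--physdev-in $vif "*"-j ACCEPT"*)
                [ -n "$in_pos" ] || in_pos=$pos ;;
            *"--physdev-out $vif "*"RELATED,ESTABLISHED"*"-j ACCEPT"*|\
            *"RELATED,ESTABLISHED"*"--physdev-out $vif "*"-j ACCEPT"*)
                [ -n "$reply_pos" ] || reply_pos=$pos ;;
            *"-j DROP"*|*"-j REJECT"*)
                [ -n "$block_pos" ] || block_pos=$pos ;;
        esac
    done <<EOF
$rules
EOF
    if [ -z "$in_pos" ]; then
        echo missing-in
    elif [ -n "$block_pos" ] && [ "$block_pos" -lt "$in_pos" ]; then
        echo shadowed
    elif [ -z "$reply_pos" ]; then
        echo missing-reply
    else
        echo ok
    fi
    return 0
}

# On a real dom0 the second argument would be "$(iptables -S FORWARD)".
echo "appended: $(check_vif_rules vif1.0 "$SAMPLE_APPENDED")"   # shadowed
echo "inserted: $(check_vif_rules vif1.0 "$SAMPLE_INSERTED")"   # ok
```

The position counter only advances on `-A FORWARD` lines, so the reported ordering matches `iptables -L FORWARD --line-numbers`; the reply-rule match keys on the `RELATED,ESTABLISHED` state string so it also recognises listings that print `-m conntrack --ctstate` instead of `-m state --state`.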
| author | Keir Fraser <keir.fraser@citrix.com> |
|---|---|
| date | Tue Apr 14 11:20:02 2009 +0100 (2009-04-14) |
| parents | 4063894c0c1f |
| children | 0108af6efdae |
| files | tools/hotplug/Linux/vif-common.sh |
line diff
1.1 --- a/tools/hotplug/Linux/vif-common.sh Tue Apr 14 11:18:37 2009 +0100 1.2 +++ b/tools/hotplug/Linux/vif-common.sh Tue Apr 14 11:20:02 2009 +0100 1.3 @@ -68,17 +68,20 @@ frob_iptable() 1.4 { 1.5 if [ "$command" == "online" ] 1.6 then 1.7 - local c="-A" 1.8 + local c="-I" 1.9 else 1.10 local c="-D" 1.11 fi 1.12 1.13 iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \ 1.14 - 2>/dev/null || 1.15 - [ "$c" == "-D" ] || 1.16 - log err \ 1.17 - "iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT failed. 1.18 -If you are using iptables, this may affect networking for guest domains." 1.19 + 2>/dev/null && 1.20 + iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \ 1.21 + --physdev-out "$vif" -j ACCEPT 2>/dev/null 1.22 + 1.23 + if [ "$command" == "online" ] && [ $? ] 1.24 + then 1.25 + log err "iptables setup failed. This may affect guest networking." 1.26 + fi 1.27 } 1.28 1.29
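Review bot: the new test `if [ "$command" == "online" ] && [ $? ]` never sees the result of the iptables commands: by the time `$?` is expanded it holds the exit status of the preceding `[ "$command" == "online" ]`, and `[ $? ]` is a non-empty-string test that succeeds for any value, so `log err "iptables setup failed. This may affect guest networking."` fires on every successful online hook. Read the status of the two-command `&&` chain immediately, e.g. `rc=$?` on the line after the second `iptables` call and then `if [ "$command" == "online" ] && [ "$rc" -ne 0 ]`, or fold both into one test, `if [ "$command" == "online" -a $? -ne 0 ]`, where `$?` is expanded before the test runs. Two smaller points in the same hunk: replacing the old `||` chain with `&&` means that on `-D` a failed delete of the first rule skips deleting the new `--physdev-out` rule, leaving a stale ACCEPT in FORWARD when a vif goes offline, so the two deletes should run unconditionally; and the removed message named the exact failed command while the new one is generic, so keeping `$vif` in the log line would preserve that debugging aid.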