diff -r /etc/xensource/scripts.old/vif /etc/xensource/scripts/vif
26a27,29
> ofctl="/usr/bin/ovs-ofctl"
> 
> IP_RESTRICTION="/etc/xensource/ip_restriction.conf"
156a160,206
> 
> restrict_ipv4 ()
> {
> #applying acl for specified port and ipv4 address
> logger -t scripts-vif "VIF uuid=$vif device=$dev ovs_port=$port bridge=$bridge restricted to use IPv4 $IP only with mac $mac address."
> $ofctl add-flow $bridge "in_port=$port priority=39000 dl_type=0x0800 nw_src=$IP dl_src=$mac idle_timeout=0 action=normal"
> $ofctl add-flow $bridge "in_port=$port priority=38500 dl_type=0x0806 dl_src=$mac idle_timeout=0 action=normal"
> $ofctl add-flow $bridge "in_port=$port priority=38000 idle_timeout=0 action=drop"
> }
> 
> apply_restriction()
> {
> #we reading file $IP_RESTRICTION (f.e. /etc/xensource/ip_restriction.conf) and apply it
> #we supports only for openvswitch mode and silently ignore all others NETWORK_MODE
> if [[ $NETWORK_MODE != "openvswitch" ]]; then
> return 0
> fi
> vif=$(xenstore-read "${PRIVATE}/vif-uuid" 2>/dev/null)
> if [ -n "${vif}" ] ; then
> bridge=$(xenstore-read "${PRIVATE}/bridge")
> port=`$vsctl get Interface $dev ofport`
> if [ -n "${bridge}" -a -n "${port}" ]; then
> IP=`grep $vif $IP_RESTRICTION|head -n 1|awk '{print $2}'`
> if [ -n "${IP}" ]; then
> mac=$(xenstore-read "/local/domain/$DOMID/device/vif/$DEVID/mac" 2>/dev/null)
> restrict_ipv4
> #here will be autoselection between IPv4 and IPv6 address to apply different filters
> fi
> fi
> 
> fi
> 
> }
> 
> clear_restriction()
> {
> #we clear all restriction for port
> #we supports only for openvswitch mode and silently ignore all others NETWORK_MODE
> if [[ $NETWORK_MODE != "openvswitch" ]]; then
> return 0
> fi
> port=`$vsctl get Interface $dev ofport`
> $ofctl del-flows xenbr1 "in_port=$port"
> logger -t scripts-vif "cleaning all restriction for port $port device $dev"
> 
> }
> 
210a261
> apply_restriction
223a275
> apply_restriction
231a284
> clear_restriction
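Review bot: clear_restriction deletes flows from the hard-coded bridge `xenbr1`, while apply_restriction installs them on the bridge read from `${PRIVATE}/bridge`; for a VIF on any other bridge the allow/drop flows are never removed, and since OVS reuses ofport numbers a later VIF attached to the same port number would inherit another guest's rules. It should resolve the bridge the same way and bail out when either value is empty (on removal `$vsctl get Interface $dev ofport` may already return nothing, which would make the match string `in_port=` malformed): `bridge=$(xenstore-read "${PRIVATE}/bridge" 2>/dev/null)`, `[ -n "$bridge" ] && [ -n "$port" ] || return 0`, `$ofctl del-flows "$bridge" "in_port=$port"`. In restrict_ipv4 the ARP allow flow matches only `dl_src=$mac`, so the guest can still announce arbitrary sender addresses in ARP; adding `arp_spa=$IP` to the `dl_type=0x0806` rule bounds ARP to the same address the IPv4 rule enforces. apply_restriction also calls restrict_ipv4 when the xenstore mac read fails and `$mac` is empty, which makes both allow flows invalid and leaves only the drop rule installed, so it should log and return when `$mac` is empty rather than silently black-holing the guest. The `grep $vif $IP_RESTRICTION` lookup is an unanchored substring match on the first column; `awk -v v="$vif" '$1 == v {print $2; exit}' "$IP_RESTRICTION"` selects the exact UUID and avoids the unquoted expansions and backticks used in both functions.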