xen-changelog

[Top] [All Lists]

[Xen-changelog] [xen-unstable] tools: dom0 iptables rule ordering change

from [Xen patchbot-unstable]

[Permanent Link][Original]

To:	xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject:	[Xen-changelog] [xen-unstable] tools: dom0 iptables rule ordering change
From:	Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date:	Wed, 15 Apr 2009 05:55:16 -0700
Delivery-date:	Wed, 15 Apr 2009 05:55:32 -0700
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
List-help:	<mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id:	BK change log <xen-changelog.lists.xensource.com>
List-post:	<mailto:xen-changelog@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to:	xen-devel@xxxxxxxxxxxxxxxxxxx
Sender:	xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx

# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1239704402 -3600
# Node ID e15d30dfb6003e10b1cc4189d7c25fb3a53ac4d1
# Parent  4063894c0c1fcd619e4b76916c919036567f3c07
tools: dom0 iptables rule ordering change

This patch makes two small changes to dom0 iptables rules that permit
(and revoke) domU network access.

First:
Currently, a rule intended to allow domU network access is appended to
the end of the FORWARD chain, where it can be preempted by other =20
rules.  This patch causes the rule to be inserted at the top, where
it's more likely to have the intended effect.

Second:
In some cases (e.g. Fedora 9's default iptables configuration), the
first rule alone is insufficient to permit two-way packet flow.  This
patch adds a second rule to the FORWARD chain that permits replies to
domU network requests to reach the domU vif.

Signed-off-by: Chris Bookholt <hap10@xxxxxxxxxxxxxx>
---
 tools/hotplug/Linux/vif-common.sh |   15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)

diff -r 4063894c0c1f -r e15d30dfb600 tools/hotplug/Linux/vif-common.sh
--- a/tools/hotplug/Linux/vif-common.sh Tue Apr 14 11:18:37 2009 +0100
+++ b/tools/hotplug/Linux/vif-common.sh Tue Apr 14 11:20:02 2009 +0100
@@ -68,17 +68,20 @@ frob_iptable()
 {
   if [ "$command" == "online" ]
   then
-    local c="-A"
+    local c="-I"
   else
     local c="-D"
   fi
 
   iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
-    2>/dev/null ||
-    [ "$c" == "-D" ] ||
-    log err \
-     "iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT failed.
-If you are using iptables, this may affect networking for guest domains."
+    2>/dev/null &&
+  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
+    --physdev-out "$vif" -j ACCEPT 2>/dev/null
+
+  if [ "$command" == "online" ] && [ $? ]
+  then
+    log err "iptables setup failed. This may affect guest networking."
+  fi
 }
 
 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Xen-changelog] [xen-unstable] tools: dom0 iptables rule ordering change, Xen patchbot-unstable <=

Previous by Date:	[Xen-changelog] [xen-unstable] [IA64] Fix unwind info of fast_hypercall, Xen patchbot-unstable
Next by Date:	[Xen-changelog] [xen-unstable] [XSM] missing entries to xsm_fixup_ops, Xen patchbot-unstable
Previous by Thread:	[Xen-changelog] [xen-unstable] [IA64] Fix unwind info of fast_hypercall, Xen patchbot-unstable
Next by Thread:	[Xen-changelog] [xen-unstable] [XSM] missing entries to xsm_fixup_ops, Xen patchbot-unstable
Indexes:	[Date] [Thread] [Top] [All Lists]