author | Keir Fraser <keir.fraser@citrix.com> | 2009-04-14 11:20:02 +0100 |
---|---|---|
committer | Keir Fraser <keir.fraser@citrix.com> | 2009-04-14 11:20:02 +0100 |
commit | 891410cbc469d93c3c6bb102ac83ea2036c79983 | |
tree | fa520f4b0ffd0264cb5cc42c7409036174e76c8d | |
parent | 1761777e90bc9c386faeeaab2f3cb5c076ace86f | |
tools: dom0 iptables rule ordering change
This patch makes two small changes to dom0 iptables rules that permit
(and revoke) domU network access.
First:
Currently, a rule intended to allow domU network access is appended to
the end of the FORWARD chain, where it can be preempted by other
rules. This patch causes the rule to be inserted at the top, where
it's more likely to have the intended effect.
Second:
In some cases (e.g. Fedora 9's default iptables configuration), the
first rule alone is insufficient to permit two-way packet flow. This
patch adds a second rule to the FORWARD chain that permits replies to
domU network requests to reach the domU vif.
Signed-off-by: Chris Bookholt <hap10@tycho.ncsc.mil>
-rw-r--r-- | tools/hotplug/Linux/vif-common.sh | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh index ee67ee2aaa..5c1e9c3ea5 100644 --- a/tools/hotplug/Linux/vif-common.sh +++ b/tools/hotplug/Linux/vif-common.sh @@ -68,17 +68,20 @@ frob_iptable() { if [ "$command" == "online" ] then - local c="-A" + local c="-I" else local c="-D" fi iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \ - 2>/dev/null || - [ "$c" == "-D" ] || - log err \ - "iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT failed. -If you are using iptables, this may affect networking for guest domains." + 2>/dev/null && + iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \ + --physdev-out "$vif" -j ACCEPT 2>/dev/null + + if [ "$command" == "online" ] && [ $? ] + then + log err "iptables setup failed. This may affect guest networking." + fi } |
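Review bot: the failure check at the end of the hunk can never detect a failure: in `if [ "$command" == "online" ] && [ $? ]`, `$?` is expanded only after the first `[ "$command" == "online" ]` test has already run, so it holds that test's status (0) rather than the exit status of the iptables calls, and `[ 0 ]` is a non-empty-string test that is always true. The result is that "iptables setup failed. This may affect guest networking." is logged on every online event whether or not the rules were installed, and a genuine failure of either iptables call is indistinguishable from success. Capture the status immediately after the `&&` chain (e.g. `rc=$?` on the line following the second `iptables` call) and test `[ "$rc" -ne 0 ]` in the `if`. Two smaller points: chaining the two calls with `&&` means that on the `-D` path a failed delete of the `--physdev-in "$vif"` rule silently skips deletion of the RELATED,ESTABLISHED `--physdev-out "$vif"` rule, leaving a stale ACCEPT in FORWARD after the vif is gone, so the removal path should attempt both deletes independently; and the new log message drops the exact iptables command that the old message reported, which makes a failed rule harder to diagnose from the log alone.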