 Home |
Products |
Support |
Community |
News |
xen-devel
[Xen-devel] [PATCH] vif-common.sh to support tap network devices in ipta
| To: | xen-devel@xxxxxxxxxxxxxxxxxxx |
|---|---|
| Subject: | [Xen-devel] [PATCH] vif-common.sh to support tap network devices in iptables FORWARD chain |
| From: | Teck Choon Giam <giamteckchoon@xxxxxxxxx> |
| Date: | Tue, 7 Jul 2009 19:29:17 +0800 |
| Delivery-date: | Tue, 07 Jul 2009 04:29:42 -0700 |
| Dkim-signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=O5GJiDR7eq6B/uP5V2q3Uk9G17cdMuM54XjusrVqcz4=; b=Jijph+o5/LRRNlnTsJWmMvinGrt3N+IMbfDLYnclexnz+U5kmv/Rh0AEl8AIpCg8uG s7DMhu6xyHNj2bHA8IXIY4eUjJHoWsTC5cKzrd2gnvUjN3LcrgpTHgCfUG27+Zkjkjdl gCOM3/lfdg0KT03mX0M2tb1Wuat92nmiNu9Ao= |
| Domainkey-signature: | a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=iwXO1f9hZMP0q2L0BtYL8ORhIwsqv3paGnnfIDWVvpGJoxiCpGOe7KorZGX+SoIRwA a+9JY730ncKTcXjyGNZndRn1t1+2BroKdCzGd53mpNydNCZFFNXvQF7WWeCbHXVwzOPX HW9uMgSbxTDP+rgDrZm0SQ1pi2zgnzstCLF9I= |
| Envelope-to: | www-data@xxxxxxxxxxxxxxxxxxx |
| List-help: | <mailto:xen-devel-request@lists.xensource.com?subject=help> |
| List-id: | Xen developer discussion <xen-devel.lists.xensource.com> |
| List-post: | <mailto:xen-devel@lists.xensource.com> |
| List-subscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe> |
| List-unsubscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe> |
| Sender: | xen-devel-bounces@xxxxxxxxxxxxxxxxxxx |
Hi Xen Development Team,
I submit the below patch for your consideration. This is useful if
antispoof is enabled and tap network devices are used. i.e. HVM
windows.
--- vif-common.sh.orig 2009-07-07 19:09:39.000000000 +0800
+++ vif-common.sh 2009-07-07 19:19:42.000000000 +0800
@@ -73,6 +73,21 @@
local c="-D"
fi
+ # Added support for tap network devices in iptables FORWARD chain as this
+ # is required if antispoof is enabled or otherwise all packets to/from tap
+ # devices will be dropped.
+ # Start adding by Giam Teck Choon.
+ local tapif=`echo $vif | sed 's/vif/tap/'`
+ local checktapif=`cat /proc/net/dev | grep "${tapif}:" | grep -v grep`
+
+ if [ -n "$checktapif" ] ; then
+ iptables "$c" FORWARD -m physdev --physdev-in "$tapif" "$@" -j ACCEPT \
+ 2>/dev/null &&
+ iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
+ --physdev-out "$tapif" -j ACCEPT 2>/dev/null
+ fi
+ # End adding by Giam Teck Choon.
+
iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
2>/dev/null &&
iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
Thanks.
Kindest regards,
Giam Teck Choon
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | [Xen-devel] Re: Xen pv kernel (2.6.30) causes s2ram to crash with segmentation fault, Tom Rotenberg |
|---|---|
| Next by Date: | [Xen-devel] Re: [PATCH] vif-common.sh to support tap network devices in iptables FORWARD chain, Teck Choon Giam |
| Previous by Thread: | [Xen-devel] xend permission error, Ji Hoo |
| Next by Thread: | [Xen-devel] Re: [PATCH] vif-common.sh to support tap network devices in iptables FORWARD chain, Teck Choon Giam |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
