
[Xen-devel] [PATCH] vif-common.sh to support tap network devices in iptables FORWARD chain


  • To: xen-devel@xxxxxxxxxxxxxxxxxxx
  • From: Teck Choon Giam <giamteckchoon@xxxxxxxxx>
  • Date: Tue, 7 Jul 2009 19:29:17 +0800
  • Delivery-date: Tue, 07 Jul 2009 04:29:42 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Hi Xen Development Team,

I submit the below patch for your consideration.  This is useful if
antispoof is enabled and tap network devices are used, i.e. HVM
Windows.

--- vif-common.sh.orig  2009-07-07 19:09:39.000000000 +0800
+++ vif-common.sh       2009-07-07 19:19:42.000000000 +0800
@@ -73,6 +73,21 @@
     local c="-D"
   fi

+  # Added support for tap network devices in iptables FORWARD chain as this
+  # is required if antispoof is enabled or otherwise all packets to/from tap
+  # devices will be dropped.
+  # Start adding by Giam Teck Choon.
+  local tapif=`echo $vif | sed 's/vif/tap/'`
+  local checktapif=`cat /proc/net/dev | grep "${tapif}:" | grep -v grep`
+
+  if [ -n "$checktapif" ] ; then
+    iptables "$c" FORWARD -m physdev --physdev-in "$tapif" "$@" -j ACCEPT \
+      2>/dev/null &&
+    iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
+      --physdev-out "$tapif" -j ACCEPT 2>/dev/null
+  fi
+  # End adding by Giam Teck Choon.
+
   iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
     2>/dev/null &&
   iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
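Review bot: the `if [ -n "$checktapif" ]` guard is applied on the teardown path as well, so when `$c` is `-D` and qemu has already destroyed the tap device, `checktapif` is empty and the two tap FORWARD rules added at vif-up are never deleted, leaving stale ACCEPT rules for that interface name in the FORWARD chain; issue the `-D` calls unconditionally (their failure is already hidden by `2>/dev/null`) and gate only the `-A` path on the device being present. The presence test itself, `cat /proc/net/dev | grep "${tapif}:" | grep -v grep`, does more than it needs to: there is no `grep` process line in /proc/net/dev to filter out, the unescaped `.` in names like `tap1.0` is a regex wildcard, and `grep -q "^ *${tapif}:" /proc/net/dev` (or `[ -d /sys/class/net/$tapif ]`) does the job without the `cat`. Since the two tap rules duplicate the existing vif rules with only the interface name swapped, a loop over `"$vif"` and `"$tapif"` would avoid the copy; `$(...)` rather than backticks matches current shell style, the `# Start adding by ... / # End adding by ...` markers belong in the commit description rather than the script, and the submission is missing a `Signed-off-by:` line.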


Thanks.

Kindest regards,
Giam Teck Choon
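The asymmetry between adding and removing the tap rules, as an added example that is not part of the original message or of the Xen project's vif-common.sh. It generates the FORWARD rules for a vif and its matching tap device as a dry run: the rule text is printed rather than passed to iptables, the device list is supplied as arguments instead of being read from /proc/net/dev, and the antispoof match that the real script receives in "$@" is passed as one string. All of those are assumptions made for the example; the device names and addresses are constructed.

```shell
#!/bin/sh
# Added example (not Xen's vif-common.sh): dry-run generator for the physdev
# FORWARD rules of a vif and its tap twin.  Device list and antispoof match
# are passed in explicitly; nothing here calls iptables.

# tap_name_for vifX.Y -> tapX.Y (the same rename the patch does with sed,
# anchored so only a leading "vif" is rewritten).
tap_name_for() {
  printf '%s\n' "$1" | sed 's/^vif/tap/'
}

# dev_present NAME DEV... : exact match against a constructed device list,
# standing in for the /proc/net/dev lookup; an unanchored grep on "tap1.0:"
# would treat the "." as a wildcard, so compare whole names instead.
dev_present() {
  want=$1; shift
  for d in "$@"; do
    [ "$d" = "$want" ] && return 0
  done
  return 1
}

# forward_rules ACTION VIF ANTISPOOF DEV... : ACTION is -A or -D.
# On -A, rules are emitted only for devices that exist right now.
# On -D, rules are emitted for both names regardless, so teardown still
# removes the tap rules after qemu has already destroyed the tap device
# (a -D for a rule that was never added simply fails, as it does in the
# original script behind 2>/dev/null).
forward_rules() {
  action=$1 vif=$2 antispoof=$3; shift 3
  tapif=$(tap_name_for "$vif")
  for dev in "$vif" "$tapif"; do
    if [ "$action" = "-A" ] && ! dev_present "$dev" "$@"; then
      continue
    fi
    printf 'iptables %s FORWARD -m physdev --physdev-in %s %s -j ACCEPT\n' \
      "$action" "$dev" "$antispoof"
    printf 'iptables %s FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out %s -j ACCEPT\n' \
      "$action" "$dev"
  done
}

# Demo with a constructed device list (what /proc/net/dev would report for
# an HVM guest whose qemu has created tap1.0 alongside vif1.0).
forward_rules -A vif1.0 "-s 192.0.2.10" vif1.0 tap1.0 eth0 peth0
echo "--- teardown after the tap device is gone ---"
forward_rules -D vif1.0 "-s 192.0.2.10" vif1.0 eth0 peth0
```

For a PV guest that never had a tap device the -D pass prints two rules that iptables will reject as not present, which is harmless; the alternative of gating -D on device existence is what leaves stale ACCEPT rules behind.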

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel