Re: [Xen-devel] Re: [PATCH] vif-common.sh to support tap network devices in iptables FORWARD chain
Hi,

On Tue, Jul 14, 2009 at 7:45 AM, Simon Horman<horms@xxxxxxxxxxxx> wrote:
> Hi,
>
> On Tue, Jul 07, 2009 at 07:49:15PM +0800, Teck Choon Giam wrote:
>> Sorry, the previous patch I sent in only supports xm create to add in
>> iptables FORWARD chain but when you xm shutdown the tap related
>> ruleset is not removed from iptables FORWARD chain. Below is the
>> patch which supports xm create and xm shutdown.
>>
>> --- vif-common.sh.orig 2009-07-07 19:09:39.000000000 +0800
>> +++ vif-common.sh 2009-07-07 19:47:48.000000000 +0800
>> @@ -73,6 +73,24 @@
>> local c="-D"
>> fi
>>
>> + # Added support for tap network devices in iptables FORWARD chain as this
>> + # is required if antispoof is enabled or otherwise all packets to/from tap
>> + # devices will be dropped.
>> + # Start adding by Giam Teck Choon.
>
> It's not necessary to add comments that read like a changelog as
> they go in the changelog which is included in the version control system.
> Rather, comments in the code should just explain what the code does.

Then there isn't a need to have such comments in the patch I submit. I will remove the comments then if the patch is fine.

>
>> + local tapif=`echo $vif | sed 's/vif/tap/'`
>> + # for xm create
>> + local checktapif=`cat /proc/net/dev | grep "${tapif}:" | grep -v grep`
>
> Why is the second grep needed?

This is just my habit to include grep -v grep and you are free to remove it. Some shell scripts I coded needed that if the grep result includes grep itself, especially for ps fauwx related.

>> + # for xm shutdown
>> + local checktapstate=`iptables -L -n | grep "state
>> RELATED,ESTABLISHED PHYSDEV match --physdev-out ${tapif}"`
>> +
>> + if [ -n "$checktapif" ] || [ -n "$checktapstate" ] ; then
>> + iptables "$c" FORWARD -m physdev --physdev-in "$tapif" "$@" -j ACCEPT \
>> + 2>/dev/null &&
>> + iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
>> + --physdev-out "$tapif" -j ACCEPT 2>/dev/null
>> + fi
>> + # End adding by Giam Teck Choon.
>
> Comments like this are not necessary either.

Ok noted.

Thanks.

Kindest regards,
Giam Teck Choon

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
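
Review bot: In the checktapstate line, the xm shutdown decision depends on grepping the human-readable output of iptables -L -n across every chain with an unanchored regex, so a ${tapif} such as tap1.1 also matches a rule for tap1.10, the dots match any character, and a change in the listing format silently stops the rules from being removed. Restrict the listing to the chain being edited and match the name as a fixed whole word, for example iptables -L FORWARD -n | grep -Fw -- "--physdev-out ${tapif}"; the grep "${tapif}:" test on /proc/net/dev is likewise a regex substring match and would be tighter as a fixed-string match. Separately, both iptables "$c" calls discard stderr and are joined with &&, and nothing in the hunk checks the result: with c="-D", a failed first delete skips the second and leaves the RELATED,ESTABLISHED ACCEPT rule for that tap name in FORWARD, so run the two deletes independently and log a failure when the rules cannot be added.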