Xen project Mailing List

[Xen-devel] [PATCH 2/5] hotplug/linux: Properly match input/output interfaces for non-bridge mode

From: Sylvain Munaut <s.munaut@xxxxxxxxxxxxxxxxxxxx>

Date: Tue, 24 Jan 2017 16:49:18 +0000

Cc: Wei Liu <wei.liu2@xxxxxxxxxx>, Sylvain Munaut <s.munaut@xxxxxxxxxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Ian Campbell <Ian.Campbell@xxxxxxxxxx>

Delivery-date: Tue, 24 Jan 2017 16:51:23 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

The "-m physdev --physdev-is-bridged --physdev-XXX" condition only works for ports of a bridge and won't match anything in the other cases. Signed-off-by: Sylvain Munaut <s.munaut@xxxxxxxxxxxxxxxxxxxx> --- tools/hotplug/Linux/vif-bridge | 2 +- tools/hotplug/Linux/vif-common.sh | 14 ++++++++++++-- tools/hotplug/Linux/vif-openvswitch | 2 +- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/tools/hotplug/Linux/vif-bridge b/tools/hotplug/Linux/vif-bridge index 6956dea..bc0e944 100644 --- a/tools/hotplug/Linux/vif-bridge +++ b/tools/hotplug/Linux/vif-bridge @@ -93,7 +93,7 @@ case "$command" in ;; esac -handle_iptable +handle_iptable bridge call_hooks vif post diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh index 33e5408..77d139d 100644 --- a/tools/hotplug/Linux/vif-common.sh +++ b/tools/hotplug/Linux/vif-common.sh @@ -129,9 +129,9 @@ frob_iptable() local c="-D" fi - iptables "$c" FORWARD -w -m physdev --physdev-is-bridged --physdev-in "$dev" \ + iptables "$c" FORWARD -w $dev_in_match "$dev" \ "$@" -j ACCEPT 2>/dev/null && - iptables "$c" FORWARD -w -m physdev --physdev-is-bridged --physdev-out "$dev" \ + iptables "$c" FORWARD -w $dev_out_match "$dev" \ -j ACCEPT 2>/dev/null if [ $ "$command" == "online" -o "$command" == "add" $ -a $? -ne 0 ] @@ -150,6 +150,16 @@ frob_iptable() # handle_iptable() { + # Set iptables match mode + if [ "$1" == "bridge" ]; + then + dev_in_match="-m physdev --physdev-is-bridged --physdev-in" + dev_out_match="-m physdev --physdev-is-bridged --physdev-out" + else + dev_in_match="-i" + dev_out_match="-o" + fi + # Check for a working iptables installation. Checking for the iptables # binary is not sufficient, because the user may not have the appropriate # modules installed. If iptables is not working, then there's no need to do diff --git a/tools/hotplug/Linux/vif-openvswitch b/tools/hotplug/Linux/vif-openvswitch index 18bfb6c..1d842a4 100644 --- a/tools/hotplug/Linux/vif-openvswitch +++ b/tools/hotplug/Linux/vif-openvswitch @@ -100,7 +100,7 @@ case "$command" in esac if [ "$type_if" = vif ]; then - handle_iptable + handle_iptable bridge fi log debug "Successful vif-openvswitch $command for $dev." -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.