[Xen-devel] [PATCH] vif-common.sh to support tap network devices in iptables FORWARD chain

[Teck Choon Giam <giamteckchoon@xxxxxxxxx>]

Hi Xen Development Team,

I submit the below patch for your consideration.  This is useful if
antispoof is enabled and tap network devices are used. i.e. HVM
windows.

--- vif-common.sh.orig  2009-07-07 19:09:39.000000000 +0800
+++ vif-common.sh       2009-07-07 19:19:42.000000000 +0800
@@ -73,6 +73,21 @@
     local c="-D"
   fi

+  # Added support for tap network devices in iptables FORWARD chain as this
+  # is required if antispoof is enabled or otherwise all packets to/from tap
+  # devices will be dropped.
+  # Start adding by Giam Teck Choon.
+  local tapif=`echo $vif | sed 's/vif/tap/'`
+  local checktapif=`cat /proc/net/dev | grep "${tapif}:" | grep -v grep`
+
+  if [ -n "$checktapif" ] ; then
+    iptables "$c" FORWARD -m physdev --physdev-in "$tapif" "$@" -j ACCEPT \
+      2>/dev/null &&
+    iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
+      --physdev-out "$tapif" -j ACCEPT 2>/dev/null
+  fi
+  # End adding by Giam Teck Choon.
+
   iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
     2>/dev/null &&
   iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \


Thanks.

Kindest regards,
Giam Teck Choon

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel