[Xen-devel] [PATCH] vif-common.sh to support tap network devices in iptables FORWARD chain
Hi Xen Development Team, I submit the below patch for your consideration. This is useful if antispoof is enabled and tap network devices are used, i.e. HVM Windows.

--- vif-common.sh.orig 2009-07-07 19:09:39.000000000 +0800 +++ vif-common.sh 2009-07-07 19:19:42.000000000 +0800 @@ -73,6 +73,21 @@ local c="-D" fi + # Added support for tap network devices in iptables FORWARD chain as this + # is required if antispoof is enabled or otherwise all packets to/from tap + # devices will be dropped. + # Start adding by Giam Teck Choon. + local tapif=`echo $vif | sed 's/vif/tap/'` + local checktapif=`cat /proc/net/dev | grep "${tapif}:" | grep -v grep` + + if [ -n "$checktapif" ] ; then + iptables "$c" FORWARD -m physdev --physdev-in "$tapif" "$@" -j ACCEPT \ + 2>/dev/null && + iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \ + --physdev-out "$tapif" -j ACCEPT 2>/dev/null + fi + # End adding by Giam Teck Choon. + iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \ 2>/dev/null && iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \

Thanks. Kindest regards, Giam Teck Choon
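Review bot: the `if [ -n "$checktapif" ] ; then` guard in the added block only touches the tap rules while the tap interface is still listed in /proc/net/dev, so on the delete path (`local c="-D"`) the two ACCEPT rules inserted for `$tapif` are never removed if the tap device has already been torn down by the time the hook runs, and stale `--physdev-in "$tapif"` / `--physdev-out "$tapif"` ACCEPT entries accumulate in FORWARD and will match the next guest that reuses that interface name. Suggest running the `-D` case unconditionally (a failed delete of a non-existent rule is already silenced by the existing `2>/dev/null`) and keeping the existence check only for the add path. Two smaller points on the same lines: `cat /proc/net/dev | grep "${tapif}:" | grep -v grep` can be `grep -q "^ *${tapif}:" /proc/net/dev` (the `grep -v grep` idiom belongs to ps output and does nothing here, and anchoring avoids matching a longer name that merely contains the tap name), and the "Start adding by" / "End adding by" comment markers should be dropped in favour of a one-line commit message explaining why HVM tap devices need their own physdev rules, since authorship is already recorded by the repository.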