bug 11302: dont allow stuff like BPDUS, don't allow vms to connect to hypervisor

scripts/vm/hypervisor/xenserver/vmops

@@ -1,5 +1,5 @@
 #!/usr/bin/python
-# Version 2.2.13.20111117130644
+# Version @VERSION@
 #
 # A plugin for executing script needed by vmops cloud 
 
@@ -386,7 +386,6 @@ def can_bridge_firewall(session, args):
         util.pread2(['iptables', '-D', 'FORWARD',  '-j', 'RH-Firewall-1-INPUT'])
     except:
         util.SMlog('Chain BRIDGE-FIREWALL already exists')
-    default_ebtables_rules()
     privnic = get_private_nic(session, args)
     result = 'true'
     try:
@@ -397,7 +396,8 @@ def can_bridge_firewall(session, args):
             util.pread2(['iptables', '-A', 'FORWARD', '-m', 'physdev', '--physdev-is-bridged', '--physdev-out', privnic, '-j', 'ACCEPT'])
             util.pread2(['iptables', '-A', 'FORWARD', '-j', 'DROP'])
         except:
-            result = 'false'
+            return 'false'
+    default_ebtables_rules()
     allow_egress_traffic(session)
     if not os.path.exists('/var/run/cloud'):
         os.makedirs('/var/run/cloud')
@@ -426,11 +426,20 @@ def default_ebtables_rules():
         util.pread2(['ebtables', '-A', 'DEFAULT_EBTABLES', '-p', 'IPv6', '-j', 'DROP'])
         # deny vlan
         util.pread2(['ebtables', '-A', 'DEFAULT_EBTABLES', '-p', '802_1Q', '-j', 'DROP'])
-        # deny all other 802. frames
-        util.pread2(['ebtables', '-A', 'FORWARD', '-j', 'DROP'])
+        # deny all others (e.g., 802.1d, CDP)
+        util.pread2(['ebtables', '-A', 'DEFAULT_EBTABLES',  '-j', 'DROP'])
     except:
         util.SMlog('Chain DEFAULT_EBTABLES already exists')
 
+    #deny traffic from vms into hypervisor. Note: does not protect from vms in other pods
+    try:
+        util.pread2(['ebtables', '-D',  'INPUT', '-s', '6:0:0:0:0:0/ff:0:0:0:0:0', '-j', 'DROP'])
+    except:
+        pass
+
+    util.pread2(['ebtables', '-A',  'INPUT', '-s', '6:0:0:0:0:0/ff:0:0:0:0:0', '-j', 'DROP'])
+    
+
 @echo
 def allow_egress_traffic(session):
     devs = []