CLOUDSTACK-4750

use the interface wildcard "+" in iptables to cover any VLAN interface that may be in use, so that output on the physical interface is allowed.

you will see
 0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2+ --physdev-is-bridged
instead of
 0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2.1234 --physdev-is-bridged

Anthony
This commit is contained in:
Anthony Xu 2013-10-30 15:12:21 -07:00
parent 9d2271d115
commit 27294a3827
1 changed files with 1 additions and 7 deletions


@ -495,12 +495,8 @@ def allow_egress_traffic(session):
devs = []
for pif in session.xenapi.PIF.get_all():
pif_rec = session.xenapi.PIF.get_record(pif)
vlan = pif_rec.get('VLAN')
dev = pif_rec.get('device')
if vlan == '-1':
devs.append(dev)
else:
devs.append(dev + "." + vlan)
devs.append(dev + "+")
for d in devs:
try:
util.pread2(['/bin/bash', '-c', "iptables -n -L FORWARD | grep '%s '" % d])
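Review bot: `devs.append(dev + "+")` relies on the iptables prefix wildcard, so the resulting ACCEPT in FORWARD matches every bridge port whose name merely starts with the device name, not only its VLAN children — `eth1+` also covers `eth10`..`eth19` and `bond2+` covers `bond20`; whether that widens egress beyond the intended physical NIC depends on the host's interface naming, so the assumption deserves a comment such as `# "+" is an iptables prefix wildcard: dev+ matches dev, dev.<vlan>, and any other interface sharing the prefix`. The removed branch shows that VLAN PIFs report the same `device` as their parent, so after this change `devs` holds the same `dev+` entry once per VLAN PIF and the loop below repeats the grep (and presumably the insert that follows) for each duplicate; `if dev + "+" not in devs: devs.append(dev + "+")` or collecting into a set avoids that. The remainder of allow_egress_traffic, including whatever runs after the grep, lies outside the hunk.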
@ -804,8 +800,6 @@ def default_network_rules_systemvm(session, args):
except:
util.pread2(['iptables', '-F', vmchain])
allow_egress_traffic(session)
for vif in vifs:
try:
util.pread2(['iptables', '-A', 'BRIDGE-FIREWALL', '-m', 'physdev', '--physdev-is-bridged', '--physdev-out', vif, '-j', vmchain])