From 342d4d7592bb9c2b43e89780c7274615c2884100 Mon Sep 17 00:00:00 2001
From: Chiradeep Vittal
Date: Thu, 5 Jan 2012 16:26:55 -0800
Subject: [PATCH] bug 12854: arp and ip antispoof independent of the order of vm start
---
 scripts/vm/hypervisor/xenserver/vmops | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index 8c6e99f569a..ba89adca9e8 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -600,10 +600,12 @@ def default_ebtables_antispoof_rules(vm_chain, vifs, vm_ip, vm_mac):
 util.SMlog("Failed to create ebtables antispoof chain, skipping")
 return 'true'
+ # note all rules for packets into the bridge (-i) precede all output rules (-o)
+ # always start after the first rule in the FORWARD chain that jumps to DEFAULT_EBTABLES chain
 try:
 for vif in vifs:
 util.pread2(['ebtables', '-I', 'FORWARD', '2', '-i', vif, '-j', vm_chain])
- util.pread2(['ebtables', '-I', 'FORWARD', '2', '-o', vif, '-j', vm_chain])
+ util.pread2(['ebtables', '-A', 'FORWARD', '-o', vif, '-j', vm_chain])
 except:
 util.SMlog("Failed to program default ebtables FORWARD rules for %s" % vm_chain)
 return 'false'
@@ -637,9 +639,10 @@ def default_arp_antispoof(vm_chain, vifs, vm_ip, vm_mac):
 util.SMlog("Failed to create arptables rule, skipping")
 return 'true'
+ # note all rules for packets into the bridge (-i) precede all output rules (-o)
 try:
 for vif in vifs:
- util.pread2(['arptables', '-A', 'FORWARD', '-i', vif, '-j', vm_chain])
+ util.pread2(['arptables', '-I', 'FORWARD', '-i', vif, '-j', vm_chain])
 util.pread2(['arptables', '-A', 'FORWARD', '-o', vif, '-j', vm_chain])
 except:
 util.SMlog("Failed to program default arptables rules in FORWARD chain vm=" + vm_chain)
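Review bot: The new `-A FORWARD -o vif` only keeps every -i rule ahead of every -o rule while nothing terminal (an ACCEPT/DROP catch-all) already sits at the tail of the ebtables FORWARD chain; if such a tail rule exists, the appended jump lands behind it and is never reached, and nothing here checks for that. The second added comment line describes only the `-i` insert at index 2, so it reads more accurately as `# -i rules go at index 2, just behind the FORWARD jump to DEFAULT_EBTABLES; -o rules are appended so every -i rule stays ahead of every -o rule`. Whether FORWARD carries a tail rule is not visible in this hunk, so it is worth confirming against the chain-setup code. The enclosing function begins outside the hunk.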
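Review bot: The new `arptables -I FORWARD -i vif` inserts at index 1, ahead of whatever currently heads the arptables FORWARD chain, whereas the ebtables hunk above deliberately uses index 2 to stay behind the jump to its DEFAULT chain. If the arptables FORWARD chain has a comparable leading rule (not visible here), packets from this VIF now reach vm_chain before it, and any terminal verdict in vm_chain skips it; if it has none, a comment stating that would justify the asymmetry, e.g. `# arptables FORWARD has no leading default jump, so index 1 keeps -i rules ahead of the appended -o rules`. The enclosing function begins outside the hunk.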
@@ -775,6 +778,8 @@ def default_network_rules(session, args):
 #don't let vm spoof its ip address
 for v in vifs:
 util.pread2(['iptables', '-A', vmchain_default, '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', v, '--source', vm_ip, '-j', 'RETURN'])
+ util.pread2(['iptables', '-A', vmchain_default, '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', v, '--source', '!', vm_ip, '-j', 'DROP'])
+ util.pread2(['iptables', '-A', vmchain_default, '-m', 'physdev', '--physdev-is-bridged', '--physdev-out', v, '--destination', '!', vm_ip, '-j', 'DROP'])
 util.pread2(['iptables', '-A', vmchain_default, '-j', vmchain])
 except:
 util.SMlog("Failed to program default rules for vm " + vm_name)
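Review bot: The two added DROP rules also match traffic whose addresses are legitimately not vm_ip: the `--physdev-in v --source ! vm_ip` rule catches the guest's own DHCP DISCOVER/REQUEST (source 0.0.0.0), and the `--physdev-out v --destination ! vm_ip` rule catches broadcast and multicast delivered to the VIF (a DHCP reply to 255.255.255.255, for instance). That is only safe if an earlier rule in vmchain_default already returns or accepts DHCP and broadcast; those earlier rules and the start of default_network_rules lie outside this hunk, so please confirm. Separately, the intrapositioned form `'--source', '!', vm_ip` is deprecated since iptables 1.4.3 in favour of `'!', '--source', vm_ip` and `'!', '--destination', vm_ip`; newer releases warn on the old order, so the extrapositioned spelling is the safer one.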