From 37cb0ae2c942f242edcea477ed09fa335690cb13 Mon Sep 17 00:00:00 2001
From: Edison Su <edison@cloud.com>
Date: Wed, 16 Feb 2011 19:54:30 -0500
Subject: [PATCH] add security group for direct tagged vlan

---
 .../computing/LibvirtComputingResource.java   |  86 ++++----
 .../computing/LibvirtDomainXMLParser.java     | 201 +++++++++++-------
 .../resource/computing/LibvirtVMDef.java      |   3 +
 scripts/vm/network/security_group.py          |  94 ++++----
 .../src/com/cloud/vm/UserVmManagerImpl.java   |   2 +-
 5 files changed, 229 insertions(+), 157 deletions(-)

diff --git a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
index cfba9b30b04..0fcec2555c4 100644
--- a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
+++ b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
@@ -1500,7 +1500,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
 	private AttachVolumeAnswer execute(AttachVolumeCommand cmd) {
 		try {
 			Connect conn = LibvirtConnection.getConnection();
-			attachOrDetachDisk(conn, cmd.getAttach(), cmd.getVmName(), cmd.getVolumePath());
+			attachOrDetachDisk(conn, cmd.getAttach(), cmd.getVmName(), cmd.getVolumePath(), cmd.getDeviceId().intValue());
 		} catch (LibvirtException e) {
 			return new AttachVolumeAnswer(cmd, e.toString());
 		} catch (InternalErrorException e) {
@@ -1766,12 +1766,12 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
 			LibvirtDomainXMLParser parser = new LibvirtDomainXMLParser();
 			String xml = dm.getXMLDesc(0);
 			parser.parseDomainXML(xml);
-			List<String> nics = parser.getInterfaces();
+			List<InterfaceDef> nics = parser.getInterfaces();
 			if (nics.size() != 3) {
 				return new Answer(cmd, false, vmName + " doesn't have public nic");
 			}
-			String pubNic = nics.get(2);
-			Pair<Double, Double> nicStats = getNicStats(pubNic);
+			InterfaceDef pubNic = nics.get(2);
+			Pair<Double, Double> nicStats = getNicStats(pubNic.getBrName());
 			/*Note: received means bytes received by all the vms, but from host kernel's pov, it's tx*/
 			return new NetworkUsageAnswer(cmd, "", nicStats.first().longValue(), nicStats.second().longValue());
 		} catch (LibvirtException e) {
@@ -2045,20 +2045,29 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
 			startDomain(conn, vmName, vm.toString());
 			
 			if (vmSpec.getType() != VirtualMachine.Type.User) {
-				default_network_rules_for_systemvm(vmName);
+			    default_network_rules_for_systemvm(vmName);
 			} else {
 			    NicTO[] nics = vmSpec.getNics();
+			    List<InterfaceDef> vifs = getInterfaces(conn, vmName);
+			    StringBuilder rules = new StringBuilder();
+			    
 			    for (NicTO nic : nics) { 
-			        if (nic.getIsolationUri() != null && nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString())) {
-			            default_network_rules(vmName, vmSpec.getNics()[0].getIp(), vmSpec.getId(), vmSpec.getNics()[0].getMac());
+			        if (nic.getIsolationUri() != null ) {
+			            if (nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString()) ||
+			                nic.getType() == TrafficType.Public) {
+			                rules.append(nic.getIp() + "," + nic.getMac() + "," + vifs.get(nic.getDeviceId()).getDevName() + ";") ;
+			            }
 			        }
 			    }
+			    
+			    if (rules.toString() != null)
+			        default_network_rules(vmName, vmSpec.getId(), rules.toString());
 			}
 
 			// Attach each data volume to the VM, if there is a deferred attached disk
 			for (DiskDef disk : vm.getDevices().getDisks()) {
 				if (disk.isAttachDeferred()) {
-					attachOrDetachDisk(conn, true, vmName, disk.getDiskPath());
+					attachOrDetachDisk(conn, true, vmName, disk.getDiskPath(), disk.getDiskSeq());
 				}
 			}
 			state = State.Running;
@@ -2247,16 +2256,15 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
 		return attachOrDetachDevice(conn, true, vmName, isoXml);
 	}
 	
-	protected synchronized String attachOrDetachDisk(Connect conn, boolean attach, String vmName, String sourceFile) throws LibvirtException, InternalErrorException {
-		String diskDev = null;
-		SortedMap<String, String> diskMaps = null;
+	protected synchronized String attachOrDetachDisk(Connect conn, boolean attach, String vmName, String sourceFile, int devId) throws LibvirtException, InternalErrorException {
+		List<DiskDef> disks = null;
 		Domain dm = null;
 		try {
 			dm = conn.domainLookupByUUID(UUID.nameUUIDFromBytes(vmName.getBytes()));
 			LibvirtDomainXMLParser parser = new LibvirtDomainXMLParser();
 			String xml = dm.getXMLDesc(0);
 			parser.parseDomainXML(xml);
-			diskMaps = parser.getDiskMaps();
+			disks = parser.getDisks();
 		} catch (LibvirtException e) {
 			throw e;
 		} finally {
@@ -2265,32 +2273,26 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
 			}
 		}
 
-		if (attach) {
-			diskDev = diskMaps.lastKey();
-			/*Find the latest disk dev, and add 1 on it: e.g. if we already attach sdc to a vm, the next disk dev is sdd*/
-			diskDev = diskDev.substring(0, diskDev.length() - 1) + (char)(diskDev.charAt(diskDev.length() -1) + 1);
-		} else {
-			Set<Map.Entry<String, String>> entrySet = diskMaps.entrySet();
-			Iterator<Map.Entry<String, String>> itr = entrySet.iterator();
-			while (itr.hasNext()) {
-				Map.Entry<String, String> entry = itr.next();
-				if ((entry.getValue() != null) && (entry.getValue().equalsIgnoreCase(sourceFile))) {
-					diskDev = entry.getKey();
-					break;
-				}
-			}
+		if (!attach) {
+		    boolean diskAttached = false;
+
+		    for (DiskDef disk : disks) {
+		        if (disk.getDiskPath().equalsIgnoreCase(sourceFile)) {
+		            devId = disk.getDiskSeq();
+		            diskAttached = true;
+		        }
+		    }
+		    if (!diskAttached) {
+		        throw new InternalErrorException("disk: " + sourceFile + " is not attached before");
+		    }
 		}
 
-		if (diskDev == null) {
-			s_logger.warn("Can't get disk dev");
-			return "Can't get disk dev";
-		}
 		DiskDef disk = new DiskDef();
 		String guestOSType = getGuestType(conn, vmName);
 		if (isGuestPVEnabled(guestOSType)) {
-			disk.defFileBasedDisk(sourceFile, diskDev, DiskDef.diskBus.VIRTIO, DiskDef.diskFmtType.QCOW2);
+			disk.defFileBasedDisk(sourceFile, devId, DiskDef.diskBus.VIRTIO, DiskDef.diskFmtType.QCOW2);
 		} else {
-			disk.defFileBasedDisk(sourceFile, diskDev, DiskDef.diskBus.SCSI, DiskDef.diskFmtType.QCOW2);
+			disk.defFileBasedDisk(sourceFile, devId, DiskDef.diskBus.SCSI, DiskDef.diskFmtType.QCOW2);
 		}
 		String xml = disk.toString();
 		return attachOrDetachDevice(conn, attach, vmName, xml);
@@ -2993,18 +2995,20 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
     	 return conn.domainLookupByUUID(UUID.nameUUIDFromBytes(vmName.getBytes()));
     }
     
-    private  List<String> getInterfaces(Connect conn, String vmName) {
+    private  List<InterfaceDef> getInterfaces(Connect conn, String vmName) {
     	LibvirtDomainXMLParser parser = new LibvirtDomainXMLParser();
     	Domain dm = null;
     	try {
     		dm =  conn.domainLookupByUUID(UUID.nameUUIDFromBytes(vmName.getBytes()));
     		parser.parseDomainXML(dm.getXMLDesc(0));
+    	    return parser.getInterfaces();
+
     	} catch (LibvirtException e) {
     		s_logger.debug("Failed to get dom xml: " + e.toString());
-    		return new ArrayList<String>();
+    		return new ArrayList<InterfaceDef>();
     	} catch (Exception e) {
     		s_logger.debug("Failed to get dom xml: " + e.toString());
-    		return new ArrayList<String>();
+    		return new ArrayList<InterfaceDef>();
     	} finally {
     		try {
     		if (dm != null) {
@@ -3014,7 +3018,6 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
     			
     		}
     	}
-    	return parser.getInterfaces();
     }
     
     private String executeBashScript(String script) {
@@ -3091,11 +3094,11 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
 			
     		/*get network stats*/
 
-    		List<String> vifs = getInterfaces(conn, vmName);
+    		List<InterfaceDef> vifs = getInterfaces(conn, vmName);
     		long rx = 0;
     		long tx = 0;
-    		for (String vif : vifs) {
-    			DomainInterfaceStats ifStats = dm.interfaceStats(vif);
+    		for (InterfaceDef vif : vifs) {
+    			DomainInterfaceStats ifStats = dm.interfaceStats(vif.getDevName());
     			rx += ifStats.rx_bytes;
     			tx += ifStats.tx_bytes;
     		}
@@ -3145,16 +3148,15 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
     	return true;
     }
     
-    private boolean default_network_rules(String vmName, String pubIP, long vmId, String mac) {
+    private boolean default_network_rules(String vmName, long vmId, String rules) {
     	if (!_can_bridge_firewall) {
             return false;
         }
     	Script cmd = new Script(_securityGroupPath, _timeout, s_logger);
     	cmd.add("default_network_rules");
     	cmd.add("--vmname", vmName);
-    	cmd.add("--vmip", pubIP);
+    	cmd.add("--rules", rules);
     	cmd.add("--vmid", Long.toString(vmId));
-    	cmd.add("--vmmac", mac);
     	
     	String result = cmd.execute();
     	if (result != null) {
diff --git a/agent/src/com/cloud/agent/resource/computing/LibvirtDomainXMLParser.java b/agent/src/com/cloud/agent/resource/computing/LibvirtDomainXMLParser.java
index b5271c8e62c..d591b86f799 100644
--- a/agent/src/com/cloud/agent/resource/computing/LibvirtDomainXMLParser.java
+++ b/agent/src/com/cloud/agent/resource/computing/LibvirtDomainXMLParser.java
@@ -17,97 +17,152 @@
  */
 package com.cloud.agent.resource.computing;
 
+import java.io.IOException;
+import java.io.StringReader;
 import java.util.ArrayList;
+import java.util.List;
 import java.util.SortedMap;
 import java.util.TreeMap;
 
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.log4j.Logger;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
 import org.xml.sax.Attributes;
+import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
+import com.cloud.agent.resource.computing.LibvirtVMDef.DiskDef;
+import com.cloud.agent.resource.computing.LibvirtVMDef.InterfaceDef;
+import com.cloud.agent.resource.computing.LibvirtVMDef.InterfaceDef.nicModel;
+
 /**
  * @author chiradeep
  *
  */
-public class LibvirtDomainXMLParser extends LibvirtXMLParser {
-
-	private final ArrayList<String> interfaces = new ArrayList<String>();
-	private final SortedMap<String, String> diskMaps = new TreeMap<String, String>();
-	
-	private boolean _interface;
-	private boolean _disk;
-	private boolean _desc;
+public class LibvirtDomainXMLParser {
+    private static final Logger s_logger = Logger.getLogger(LibvirtDomainXMLParser.class);
+	private final List<InterfaceDef> interfaces = new ArrayList<InterfaceDef>();
+	private final List<DiskDef> diskDefs = new ArrayList<DiskDef>();
 	private Integer vncPort;
-	private String diskDev;
-	private String diskFile;
 	private String desc;
 	
+	public boolean parseDomainXML(String domXML) {
+	    DocumentBuilder builder;
+        try {
+            builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            
+            InputSource is = new InputSource();
+            is.setCharacterStream(new StringReader(domXML));
+            Document doc = builder.parse(is);
+            
+            Element rootElement = doc.getDocumentElement();
+            
+            desc = getTagValue("description", rootElement);
+            
+            Element devices = (Element)rootElement.getElementsByTagName("devices").item(0);
+            NodeList disks = devices.getElementsByTagName("disk");
+            for (int i = 0; i < disks.getLength(); i++) {
+                Element disk = (Element)disks.item(i);
+                String diskFmtType = getAttrValue("driver", "type", disk);
+                String diskFile = getAttrValue("source", "file", disk);
+                String diskLabel = getAttrValue("target", "dev", disk);
+                String bus = getAttrValue("target", "bus", disk);
+                String type = disk.getAttribute("type");
+                String device = disk.getAttribute("device");
+                
+                DiskDef def = new DiskDef();
+                if (type.equalsIgnoreCase("file")) {
+                    if (device.equalsIgnoreCase("disk")) {
+                        DiskDef.diskFmtType fmt = null;
+                        if (diskFmtType != null) {
+                            fmt = DiskDef.diskFmtType.valueOf(diskFmtType.toUpperCase());
+                        }
+                        def.defFileBasedDisk(diskFile, diskLabel, DiskDef.diskBus.valueOf(bus.toUpperCase()), fmt);
+                    } else if (device.equalsIgnoreCase("cdrom")) {
+                        def.defISODisk(diskFile);
+                    }
+                }
+                diskDefs.add(def);
+            }
+            
+            NodeList nics = devices.getElementsByTagName("interface");
+            for (int i = 0; i < nics.getLength(); i++ ) {
+                Element nic = (Element)nics.item(i);
+                
+                String type = nic.getAttribute("type");
+                String mac = getAttrValue("mac", "address", nic);
+                String dev = getAttrValue("target", "dev", nic);
+                String model = getAttrValue("model", "type", nic);
+                InterfaceDef def = new InterfaceDef();
+
+                if (type.equalsIgnoreCase("network")) {
+                    String network = getAttrValue("source", "network", nic);
+                    def.defPrivateNet(network, dev, mac, nicModel.valueOf(model.toUpperCase()));
+                } else if (type.equalsIgnoreCase("bridge")) {
+                    String bridge = getAttrValue("source", "bridge", nic);
+                    def.defBridgeNet(bridge, dev, mac, nicModel.valueOf(model.toUpperCase()));
+                }
+                interfaces.add(def);
+            }
+            
+            Element graphic = (Element)devices.getElementsByTagName("graphics").item(0);
+            String port = graphic.getAttribute("port");
+            if (port != null) {
+                try {
+                    vncPort = Integer.parseInt(port);
+                    if (vncPort != -1) {
+                        vncPort = vncPort - 5900;
+                    } else {
+                        vncPort = null;
+                    }
+                }catch (NumberFormatException nfe){
+                    vncPort = null;
+                }
+            }
+
+            return true;
+        } catch (ParserConfigurationException e) {
+          s_logger.debug(e.toString());
+        } catch (SAXException e) {
+            s_logger.debug(e.toString());
+        } catch (IOException e) {
+            s_logger.debug(e.toString());
+        }
+        return false;
+	}
+	
+	 private static String getTagValue(String tag, Element eElement){
+	        NodeList nlList= eElement.getElementsByTagName(tag).item(0).getChildNodes();
+	        Node nValue = (Node) nlList.item(0); 
+	     
+	        return nValue.getNodeValue();    
+	     }
+	    
+	    private static String getAttrValue(String tag, String attr, Element eElement){
+	        NodeList tagNode = eElement.getElementsByTagName(tag);
+	        if (tagNode.getLength() == 0) {
+	            return null;
+	        }
+	        Element node = (Element)tagNode.item(0);
+	        return node.getAttribute(attr);
+	     }
+	
 	public Integer getVncPort() {
 		return vncPort;
 	}
 	
-	public void characters(char[] ch, int start, int length) throws SAXException {
-		if (_desc) {
-			desc = new String(ch, start, length);
-		}
-	}
-	
-	@Override
-    public void startElement(String uri, String localName, String qName,
-			Attributes attributes) throws SAXException {
-				if(qName.equalsIgnoreCase("interface")) {
-					_interface = true;
-				} else if (qName.equalsIgnoreCase("target")){
-					if (_interface)
-						interfaces.add(attributes.getValue("dev"));
-					else if (_disk)
-						diskDev = attributes.getValue("dev");
-				} else if (qName.equalsIgnoreCase("source")){
-					if (_disk)
-						diskFile = attributes.getValue("file");
-				} else if (qName.equalsIgnoreCase("disk")) {
-					_disk = true;
-				} else if (qName.equalsIgnoreCase("graphics")) {
-					String port = attributes.getValue("port");
-					if (port != null) {
-						try {
-							vncPort = Integer.parseInt(port);
-							if (vncPort != -1) {
-								vncPort = vncPort - 5900;
-							} else {
-								vncPort = null;
-							}
-						}catch (NumberFormatException nfe){
-							vncPort = null;
-						}
-					}
-				} else if (qName.equalsIgnoreCase("description")) {
-					_desc = true;
-				}
-			}
-
-	@Override
-    public void endElement(String uri, String localName, String qName)
-			throws SAXException {
-			
-				if(qName.equalsIgnoreCase("interface")) {
-					_interface = false;
-				} else if (qName.equalsIgnoreCase("disk")) {
-					diskMaps.put(diskDev, diskFile);
-					_disk = false;
-					diskFile = null;
-					diskDev = null;
-				} else if (qName.equalsIgnoreCase("description")) {
-					_desc = false;
-				}
-				
-			}
-
-	public ArrayList<String> getInterfaces() {
+	public List<InterfaceDef> getInterfaces() {
 		return interfaces;
 	}
 	
-	public SortedMap<String, String> getDiskMaps() {
-		return diskMaps;
+	public List<DiskDef> getDisks() {
+		return diskDefs;
 	}
 	
 	public String getDescription() {
@@ -140,6 +195,7 @@ public class LibvirtDomainXMLParser extends LibvirtXMLParser {
 				  "<devices>"+
 				    "<emulator>/usr/bin/qemu-kvm</emulator>"+
 				    "<disk type='file' device='disk'>"+
+				      "<driver name='qemu' type='raw'/>"+
 				      "<source file='/mnt/tank//vmops/CV/vm/u000004/r000006/rootdisk'/>"+
 				      "<target dev='hda' bus='ide'/>"+
 				    "</disk>"+
@@ -170,9 +226,12 @@ public class LibvirtDomainXMLParser extends LibvirtXMLParser {
 				"</domain>"
 
 		);
-		for (String intf: parser.getInterfaces()){
+		for (InterfaceDef intf: parser.getInterfaces()){
 			System.out.println(intf);
 		}
+		for (DiskDef disk : parser.getDisks()) {
+		    System.out.println(disk);
+		}
 		System.out.println(parser.getVncPort());
 		System.out.println(parser.getDescription());
 	}
diff --git a/agent/src/com/cloud/agent/resource/computing/LibvirtVMDef.java b/agent/src/com/cloud/agent/resource/computing/LibvirtVMDef.java
index 48cf88a5fc7..092468b04d6 100644
--- a/agent/src/com/cloud/agent/resource/computing/LibvirtVMDef.java
+++ b/agent/src/com/cloud/agent/resource/computing/LibvirtVMDef.java
@@ -483,6 +483,9 @@ public class LibvirtVMDef {
 		public guestNetType getNetType() {
 			return _netType;
 		}
+		public String getDevName() {
+		    return _networkName;
+		}
 		
 		@Override
         public String toString() {
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index e8597a2c7e0..45e0a7304f2 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -156,9 +156,10 @@ def destroy_ebtables_rules(vm_name):
         except:
             logging.debug("Ignoring failure to delete ebtables chain for vm " + vm_name)   
 
-def default_ebtables_rules(vm_name, vif, vm_ip, vm_mac):
+def default_ebtables_rules(vm_name, rules):
     vmchain_in = vm_name + "-in"
     vmchain_out = vm_name + "-out"
+    rule = rules.split(";")[:-1]
     
     for chain in [vmchain_in, vmchain_out]:
         try:
@@ -168,30 +169,39 @@ def default_ebtables_rules(vm_name, vif, vm_ip, vm_mac):
 
     try:
         # -s ! 52:54:0:56:44:32 -j DROP 
-        execute("ebtables -t nat -A PREROUTING -i " + vif + " -j " +  vmchain_in)
-        execute("ebtables -t nat -A POSTROUTING -o " + vif + " -j " + vmchain_out)
+        for r in rule:
+            vif = r.split(",")[2]
+            execute("ebtables -t nat -A PREROUTING -i " + vif + " -j " +  vmchain_in)
+            execute("ebtables -t nat -A POSTROUTING -o " + vif + " -j " + vmchain_out)
     except:
         logging.debug("Failed to program default rules")
         return 'false'
     
     try:
-        execute("ebtables -t nat -A " +  vmchain_in + " -i " + vif + " -s ! " +  vm_mac + " -j DROP")
-        execute("ebtables -t nat -A " +  vmchain_in + " -p ARP -s ! " + vm_mac + " -j DROP")
-        execute("ebtables -t nat -A " +  vmchain_in + " -p ARP --arp-mac-src ! " + vm_mac + " -j DROP")
-        execute("ebtables -t nat -A " + vmchain_in +  " -p ARP --arp-ip-src ! " + vm_ip + " -j DROP") 
-        execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Request -j ACCEPT")   
-        execute("ebtables -t nat -A " + vmchain_in  + " -p ARP --arp-op Reply -j ACCEPT")    
-        execute("ebtables -t nat -A " + vmchain_in + " -p ARP  -j DROP")    
+        for r in rule:
+            vm_ip = r.split(",")[0]
+            vm_mac = r.split(",")[1]
+            vif = r.split(",")[2]
+            execute("ebtables -t nat -A " +  vmchain_in + " -i " + vif + " -s ! " +  vm_mac + " -j DROP")
+            execute("ebtables -t nat -A " +  vmchain_in + " -p ARP -s ! " + vm_mac + " -j DROP")
+            execute("ebtables -t nat -A " +  vmchain_in + " -p ARP --arp-mac-src ! " + vm_mac + " -j DROP")
+            execute("ebtables -t nat -A " + vmchain_in +  " -p ARP --arp-ip-src ! " + vm_ip + " -j DROP") 
+            execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Request -j ACCEPT")   
+            execute("ebtables -t nat -A " + vmchain_in  + " -p ARP --arp-op Reply -j ACCEPT")    
+            execute("ebtables -t nat -A " + vmchain_in + " -p ARP  -j DROP")    
     except:
         logging.exception("Failed to program default ebtables IN rules")
         return 'false'
    
     try:
-        execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply --arp-mac-dst ! " +  vm_mac + " -j DROP")
-        execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-ip-dst ! " + vm_ip + " -j DROP") 
-        execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Request -j ACCEPT")   
-        execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply -j ACCEPT")    
-        execute("ebtables -t nat -A " + vmchain_out + " -p ARP -j DROP")    
+        for r in rule:
+            vm_ip = r.split(",")[0]
+            vm_mac = r.split(",")[1]
+            execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply --arp-mac-dst ! " +  vm_mac + " -j DROP")
+            execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-ip-dst ! " + vm_ip + " -j DROP") 
+            execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Request -j ACCEPT")   
+            execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply -j ACCEPT")    
+            execute("ebtables -t nat -A " + vmchain_out + " -p ARP -j DROP")    
     except:
         logging.debug("Failed to program default ebtables OUT rules")
         return 'false' 
@@ -225,10 +235,7 @@ def default_network_rules_systemvm(vm_name):
     return 'true'
 
 
-def default_network_rules(vm_name, vm_ip, vm_id, vm_mac):
-    print vm_name 
-    print vm_ip 
-    print vm_mac
+def default_network_rules(vm_name, vm_id, rules):
     vmName = vm_name 
     domID = getvmId(vm_name)
     delete_rules_for_vm_in_bridge_firewall_chain(vmName)
@@ -236,8 +243,6 @@ def default_network_rules(vm_name, vm_ip, vm_id, vm_mac):
     vmchain_default = '-'.join(vmchain.split('-')[:-1]) + "-def"
     
     destroy_ebtables_rules(vmName)
-    
-    vifs = getVifs(vmName)
 
     try:
         execute("iptables -N " + vmchain)
@@ -249,29 +254,35 @@ def default_network_rules(vm_name, vm_ip, vm_id, vm_mac):
     except:
         execute("iptables -F " + vmchain_default)
 
+    rule = rules.split(";")[:-1]
     try:
-        for v in vifs:
-            execute("iptables -A BRIDGE-FIREWALL -m physdev --physdev-is-bridged --physdev-out " + v + " -j " +  vmchain_default)
-            execute("iptables -A BRIDGE-FIREWALL -m physdev --physdev-is-bridged --physdev-in " +  v + " -j " + vmchain_default)
+        for r in rule:
+            vif = r.split(",")[2] 
+            execute("iptables -A BRIDGE-FIREWALL -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " +  vmchain_default)
+            execute("iptables -A BRIDGE-FIREWALL -m physdev --physdev-is-bridged --physdev-in " +  vif + " -j " + vmchain_default)
         execute("iptables -A  " + vmchain_default + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
         #allow dhcp
-        for v in vifs:
-            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + v + " -p udp --dport 67 --sport 68 -j ACCEPT")
-            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + v + " -p udp --dport 68 --sport 67  -j ACCEPT")
+        for r in rule:
+            vif = r.split(",")[2] 
+            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -p udp --dport 67 --sport 68 -j ACCEPT")
+            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -p udp --dport 68 --sport 67  -j ACCEPT")
 
         #don't let vm spoof its ip address
-        for v in vifs:
-            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + v  + " --source " +  vm_ip +  " -j RETURN")
+        for r in rule:
+            vmip = r.split(",")[0]
+            vif = r.split(",")[2] 
+            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif  + " --source " +  vmip +  " -j ACCEPT")
         execute("iptables -A " + vmchain_default + " -j " +  vmchain)
     except:
         logging.debug("Failed to program default rules for vm " + vm_name)
         return 'false'
     
-    for v in vifs:
-    	default_ebtables_rules(vmchain, v, vm_ip, vm_mac)
+    default_ebtables_rules(vmchain, rules)
     
-    if write_rule_log_for_vm(vmName, vm_id, vm_ip, domID, '_initial_', '-1') == False:
-        logging.debug("Failed to log default network rules, ignoring")
+    for r in rule:
+        vm_ip = r.split(",")[0]
+        if write_rule_log_for_vm(vmName, vm_id, vm_ip, domID, '_initial_', '-1') == False:
+            logging.debug("Failed to log default network rules, ignoring")
         
     logging.debug("Programmed default rules for vm " + vm_name)
     return 'true'
@@ -385,7 +396,7 @@ def check_rule_log_for_vm(vmName, vmId, vmIP, domID, signature, seqno):
         lines = (line.rstrip() for line in open(logfilename))
     except:
         logging.debug("failed to open " + logfilename) 
-        return False
+        return [True, True, True, True, True, True]
 
     [_vmName,_vmID,_vmIP,_domID,_signature,_seqno] = ['_', '-1', '_', '-1', '_', '-1']
     try:
@@ -395,7 +406,7 @@ def check_rule_log_for_vm(vmName, vmId, vmIP, domID, signature, seqno):
     except:
         logging.debug("Failed to parse log file for vm " + vm_name)
         remove_rule_log_for_vm(vm_name)
-        return False
+        return [True, True, True, True, True, True]
     
     return [(vm_name != _vmName), (vmId != _vmID), (vmIP != _vmIP), (domID != _domID), (signature != _signature),(seqno != _seqno)]
 
@@ -436,22 +447,18 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules):
     domId = getvmId(vmName)
     vmchain = vm_name
     
+    changes = []
     changes = check_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno)
     
     if not 1 in changes:
         logging.debug("Rules already programmed for vm " + vm_name)
         return 'true'
     
-    if changes[1] or changes[2] or changes[3]:
-        logging.debug("Change detected in vmId or vmIp or domId, resetting default rules")
-        default_network_rules(vmName, vm_ip, vm_id, vmMac)
-        
     if rules == "" or rules == None:
 	return 'true'
 
-    lines = rules.split(';')
+    lines = rules.split(';')[:-1]
 
-    print lines
     logging.debug("    programming network rules for  IP: " + vm_ip + " vmname=" + vm_name)
     #iptables('-F', vmchain)
     
@@ -535,12 +542,13 @@ if __name__ == '__main__':
     parser.add_option("--sig", dest="sig")
     parser.add_option("--seq", dest="seq")
     parser.add_option("--rules", dest="rules")
+    parser.add_option("--phynic", dest="phynic")
     (option, args) = parser.parse_args()
     cmd = args[0]
     if cmd == "can_bridge_firewall":
         can_bridge_firewall(args[1])
     elif cmd == "default_network_rules":
-        default_network_rules(option.vmName, option.vmIP, option.vmID, option.vmMAC)
+        default_network_rules(option.vmName, option.vmID, option.rules)
     elif cmd == "destroy_network_rules_for_vm":
         destroy_network_rules_for_vm(option.vmName) 
     elif cmd == "default_network_rules_systemvm":
@@ -550,4 +558,4 @@ if __name__ == '__main__':
     elif cmd == "add_network_rules":
         add_network_rules(option.vmName, option.vmID, option.vmIP, option.sig, option.seq, option.vmMAC, option.rules)
     elif cmd == "cleanup_rules":
-	cleanup_rules()
+        cleanup_rules()
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index e221e58a0bf..53f32128a82 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -2211,7 +2211,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
 		List<NicVO> nics = _nicDao.listByVmId(userVm.getId());
 		for (NicVO nic : nics) {
 			NetworkVO network = _networkDao.findById(nic.getNetworkId());
-			if (network.getTrafficType() == TrafficType.Guest) {
+			if (network.getTrafficType() == TrafficType.Guest || network.getTrafficType() == TrafficType.Public) {
 				userVm.setPrivateIpAddress(nic.getIp4Address());
 				userVm.setPrivateMacAddress(nic.getMacAddress());
 			}