From c05903b2d032c43e4a183a99da4d15ffdeacd5e6 Mon Sep 17 00:00:00 2001 From: Chiradeep Vittal Date: Tue, 1 Nov 2011 18:22:06 -0700 Subject: [PATCH] bug 11302: support new CSP for SP2. conditional check : --match-set vs --set forgot to merge this in from 2.2.y --- scripts/vm/hypervisor/xenserver/vmops | 31 +++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops index 44838ad2cbf..1f06572cbc2 100755 --- a/scripts/vm/hypervisor/xenserver/vmops +++ b/scripts/vm/hypervisor/xenserver/vmops @@ -1151,6 +1151,29 @@ def remove_rule_log_for_vm(vmName): def inflate_rules (zipped): return zlib.decompress(base64.b64decode(zipped)) +@echo +def get_ipset_keyword(): + tmpname = 'ipsetqzvxtmp' + keyword = 'match-set' + try: + util.pread2(['/bin/bash', '-c', 'ipset -N ' + tmpname + ' iptreemap']) + except: + util.pread2(['/bin/bash', '-c', 'ipset -F ' + tmpname]) + + try: + util.pread2(['/bin/bash', '-c', 'iptables -A INPUT -m set --set ' + tmpname + ' src' + ' -j ACCEPT']) + util.pread2(['/bin/bash', '-c', 'iptables -D INPUT -m set --set ' + tmpname + ' src' + ' -j ACCEPT']) + keyword = 'set' + except: + keyword = 'match-set' + + try: + util.pread2(['/bin/bash', '-c', 'ipset -X ' + tmpname]) + except: + pass + + return keyword + @echo def network_rules(session, args): try: @@ -1214,7 +1237,7 @@ def network_rules(session, args): rules = args.pop('rules') if deflated.lower() == 'true': rules = inflate_rules (rules) - + keyword = '--' + get_ipset_keyword() lines = rules.split(' ') util.SMlog("Programming network rules for vm %s seqno=%s numrules=%s signature=%s guestIp=%s,"\ 
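Review bot: In the added get_ipset_keyword, the second `try` groups the probe's `iptables -A` and `iptables -D` under one bare `except:`, so when `-A` succeeds and `-D` fails the function returns 'match-set' although '--set' is the syntax that just worked, and the probe's ACCEPT rule on the `ipsetqzvxtmp` set is left behind in INPUT; the delete belongs in a `finally` conditioned on the append having succeeded, not in the decision. The three bare `except:` clauses should be `except Exception:` so KeyboardInterrupt and SystemExit are not swallowed. Because the probe mutates the host INPUT chain and a fixed-name shared set on each call, and the hunk at line 1237 invokes it on every network_rules run, the result should be computed once and cached at module level; two vmops invocations racing on the same temporary set could otherwise misdetect the keyword (inferred — the caller's concurrency is not visible here). The `/bin/bash -c` wrapper also seems unnecessary if util.pread2 accepts an argv list as the rules built later in this file do, e.g. `util.pread2(['ipset', '-N', tmpname, 'iptreemap'])` (tmpname is a constant, so this is style rather than an injection risk).
```python
_ipset_keyword = None  # memoized probe result; the iptables syntax does not change at runtime

@echo
def get_ipset_keyword():
    global _ipset_keyword
    if _ipset_keyword is not None:
        return _ipset_keyword
    tmpname = 'ipsetqzvxtmp'
    keyword = 'match-set'
    # … unchanged: ipset -N / -F of tmpname …
    appended = False
    try:
        util.pread2(['/bin/bash', '-c', 'iptables -A INPUT -m set --set ' + tmpname + ' src' + ' -j ACCEPT'])
        appended = True
        keyword = 'set'
    except Exception:
        keyword = 'match-set'
    finally:
        # remove the probe rule whenever it was actually added, independent of the decision
        if appended:
            try:
                util.pread2(['/bin/bash', '-c', 'iptables -D INPUT -m set --set ' + tmpname + ' src' + ' -j ACCEPT'])
            except Exception:
                pass
    # … unchanged: ipset -X cleanup …
    _ipset_keyword = keyword
    return keyword
```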
@@ -1258,14 +1281,14 @@ def network_rules(session, args):
                 util.SMlog(" failed to create ipset for rule " + str(tokens))
             if protocol == 'all':
-                iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, direction, '-j', action]
+                iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', keyword, ipsetname, direction, '-j', action]
             elif protocol != 'icmp':
-                iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, direction, '-j', action]
+                iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', keyword, ipsetname, direction, '-j', action]
             else:
                 range = start + "/" + end
                 if start == "-1":
                     range = "any"
-                iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', '--match-set', ipsetname, direction, '-j', action]
+                iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', keyword, ipsetname, keyword, '-j', action]
             cmds.append(iptables)
             util.SMlog(iptables)
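Review bot: The rewritten icmp rule on the last `+` line passes `keyword` twice — `keyword, ipsetname, keyword` — where the two branches above pass `keyword, ipsetname, direction`, so the generated command ends in `--match-set <ipsetname> --match-set -j <action>` (or the `--set` form) and iptables rejects it for the missing direction argument; the VM's ICMP rule is then never installed, and whether that fails open or closed depends on the chain's default policy. The line should read `iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', keyword, ipsetname, direction, '-j', action]`. Whether the command failure is surfaced depends on how `cmds` is executed, which lies outside this hunk; the enclosing network_rules body starts and ends outside it as well.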