bug 11302: support new CSP for SP2.

conditional check : --match-set vs --set forgot to merge this in from 2.2.y
2025-11-02 20:02:29 +01:00 · 2011-11-01 18:22:06 -07:00 · 2011-11-01 18:22:06 -07:00 · c05903b2d0
commit c05903b2d0
parent d12343b132
1 changed files with 27 additions and 4 deletions
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@ -1151,6 +1151,29 @@ def remove_rule_log_for_vm(vmName):
 def inflate_rules (zipped):
   return zlib.decompress(base64.b64decode(zipped))

+@echo
+def get_ipset_keyword():
+    tmpname = 'ipsetqzvxtmp'
+    keyword = 'match-set'
+    try:
+        util.pread2(['/bin/bash', '-c', 'ipset -N ' + tmpname + ' iptreemap'])
+    except:
+        util.pread2(['/bin/bash', '-c', 'ipset -F ' + tmpname])
+
+    try:
+        util.pread2(['/bin/bash', '-c', 'iptables -A INPUT -m set --set ' + tmpname + ' src' + ' -j ACCEPT'])
+        util.pread2(['/bin/bash', '-c', 'iptables -D INPUT -m set --set ' + tmpname + ' src' + ' -j ACCEPT'])
+        keyword = 'set'
+    except:
+        keyword = 'match-set'
+    
+    try:
+       util.pread2(['/bin/bash', '-c', 'ipset -X ' + tmpname])
+    except:
+       pass
+
+    return keyword
+
@echo
 def network_rules(session, args):
  try:
@ -1214,7 +1237,7 @@ def network_rules(session, args):
    rules = args.pop('rules')
    if deflated.lower() == 'true':
       rules = inflate_rules (rules)
-   
+    keyword = '--' + get_ipset_keyword() 
    lines = rules.split(' ')

    util.SMlog("Programming network rules for vm  %s seqno=%s numrules=%s signature=%s guestIp=%s,"\
@ -1258,14 +1281,14 @@ def network_rules(session, args):
                util.SMlog(" failed to create ipset for rule " + str(tokens))

            if protocol == 'all':
-                iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, direction, '-j', action]
+                iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', keyword, ipsetname, direction, '-j', action]
            elif protocol != 'icmp':
-                iptables = ['iptables', '-I', vmchain, '-p',  protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, direction, '-j', action]
+                iptables = ['iptables', '-I', vmchain, '-p',  protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', keyword, ipsetname, direction, '-j', action]
            else:
                range = start + "/" + end
                if start == "-1":
                    range = "any"
-                    iptables = ['iptables', '-I', vmchain, '-p',  'icmp', '--icmp-type',  range,  '-m', 'set', '--match-set', ipsetname, direction, '-j', action]
+                    iptables = ['iptables', '-I', vmchain, '-p',  'icmp', '--icmp-type',  range,  '-m', 'set', keyword, ipsetname, keyword, '-j', action]
            cmds.append(iptables)
            util.SMlog(iptables)