diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops index 465a50413b2..dccad0f4d96 100755 --- a/scripts/vm/hypervisor/xenserver/vmops +++ b/scripts/vm/hypervisor/xenserver/vmops @@ -516,14 +516,23 @@ def destroy_network_rules_for_vm(session, args): delete_rules_for_vm_in_bridge_firewall_chain(vm_name) if vm_name.startswith('i-') or vm_name.startswith('r-'): vmchain = '-'.join(vm_name.split('-')[:-1]) + vmchain_default = '-'.join(vm_name.split('-')[:-2]) + "-def" destroy_ebtables_rules(vmchain) + try: + util.pread2(['iptables', '-F', vmchain_default]) + util.pread2(['iptables', '-X', vmchain_default]) + except: + util.SMlog("Ignoring failure to delete chain " + vmchain_default) + try: util.pread2(['iptables', '-F', vmchain]) util.pread2(['iptables', '-X', vmchain]) except: util.SMlog("Ignoring failure to delete chain " + vmchain) + + remove_rule_log_for_vm(vm_name) @@ -692,29 +701,46 @@ def default_network_rules(session, args): vm_name = '-'.join(vm_name.split('-')[:-1]) vmchain = vm_name + vmchain_default = '-'.join(vmchain.split('-')[:-1]) + "-def" destroy_ebtables_rules(vm_name) - try: - util.pread2(['iptables', '-F', vmchain]) - util.pread2(['iptables', '-X', vmchain]) - except: - util.SMlog('Ignoring failure to delete old rules') try: util.pread2(['iptables', '-N', vmchain]) except: util.pread2(['iptables', '-F', vmchain]) + + try: + util.pread2(['iptables', '-N', vmchain_default]) + except: + util.pread2(['iptables', '-F', vmchain_default]) try: +<<<<<<< HEAD util.pread2(['iptables', '-A', 'BRIDGE-FIREWALL', '-m', 'physdev', '--physdev-is-bridged', '--physdev-out', vif, '-j', vmchain]) util.pread2(['iptables', '-A', 'BRIDGE-FIREWALL', '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', vif, '-j', vmchain]) util.pread2(['iptables', '-A', vmchain, '-m', 'state', '--state', 'RELATED,ESTABLISHED', '-j', 'ACCEPT']) +======= + for v in vifs: + util.pread2(['iptables', '-A', 'BRIDGE-FIREWALL', '-m', 'physdev', '--physdev-is-bridged', '--physdev-out', v, '-j', vmchain_default]) + util.pread2(['iptables', '-A', 'BRIDGE-FIREWALL', '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', v, '-j', vmchain_default]) + util.pread2(['iptables', '-A', vmchain_default, '-m', 'state', '--state', 'RELATED,ESTABLISHED', '-j', 'ACCEPT']) +>>>>>>> 6fd5d61... dont wipe dhcp and antispoof rules every time #allow dhcp - util.pread2(['iptables', '-A', vmchain, '-p', 'udp', '--dport', '67:68', '--sport', '67:68', '-j', 'ACCEPT']) + for v in vifs: + util.pread2(['iptables', '-A', vmchain_default, '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', v, '-p', 'udp', '--dport', '67', '--sport', '68', '-j', 'ACCEPT']) + util.pread2(['iptables', '-A', vmchain_default, '-m', 'physdev', '--physdev-is-bridged', '--physdev-out', v, '-p', 'udp', '--dport', '68', '--sport', '67', '-j', 'ACCEPT']) + #don't let vm spoof its ip address +<<<<<<< HEAD util.pread2(['iptables', '-A', vmchain, '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', vif, '--source', vm_ip, '-j', 'RETURN']) util.pread2(['iptables', '-A', vmchain, '-j', 'DROP']) +======= + for v in vifs: + util.pread2(['iptables', '-A', vmchain_default, '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', v, '--source', vm_ip, '-j', 'RETURN']) + util.pread2(['iptables', '-A', vmchain_default, '-j', vmchain]) +>>>>>>> 6fd5d61... dont wipe dhcp and antispoof rules every time except: util.SMlog("Failed to program default rules for vm " + vm_name) return 'false' @@ -756,7 +782,7 @@ def check_domid_changed(session, vmName): def delete_rules_for_vm_in_bridge_firewall_chain(vmName): vm_name = vmName if vm_name.startswith('i-') or vm_name.startswith('r-'): - vm_name = '-'.join(vm_name.split('-')[:-1]) + vm_name = '-'.join(vm_name.split('-')[:-2]) vmchain = vm_name @@ -802,13 +828,18 @@ def network_rules_for_rebooted_vm(session, vmName): except: pass vmchain = '-'.join(vm_name.split('-')[:-1]) + vmchain_default = '-'.join(vm_name.split('-')[:-2]) + "-def" + + for v in vifs: + util.pread2(['iptables', '-A', 'BRIDGE-FIREWALL', '-m', 'physdev', '--physdev-is-bridged', '--physdev-out', v, '-j', vmchain_default]) + util.pread2(['iptables', '-A', 'BRIDGE-FIREWALL', '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', v, '-j', vmchain_default]) - util.pread2(['iptables', '-A', 'BRIDGE-FIREWALL', '-m', 'physdev', '--physdev-is-bridged', '--physdev-out', vif, '-j', vmchain]) - util.pread2(['iptables', '-A', 'BRIDGE-FIREWALL', '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', vif, '-j', vmchain]) #change antispoof rule in vmchain try: - delcmd = "iptables -S " + vmchain + " | grep physdev-in | sed 's/-A/-D/'" - inscmd = "iptables -S " + vmchain + " | grep physdev-in | sed -r 's/vif[0-9]+.0/" + vif + "/' | sed 's/-A/-I/'" + delcmd = "iptables -S " + vmchain_default + " | grep physdev-in | sed 's/-A/-D/'" + inscmd = "iptables -S " + vmchain_default + " | grep physdev-in | grep vif | sed -r 's/vif[0-9]+.0/" + vif + "/' | sed 's/-A/-I/'" + inscmd2 = "iptables -S " + vmchain_default + " | grep physdev-in | grep tap | sed -r 's/tap[0-9]+.0/" + tap + "/' | sed 's/-A/-I/'" + ipts = [] for cmd in [delcmd, inscmd]: cmds = util.pread2(['/bin/bash', '-c', cmd]).split('\n') @@ -1095,9 +1126,12 @@ def network_rules(session, args): util.pread2(iptables) util.SMlog(iptables) +<<<<<<< HEAD util.pread2(['iptables', '-A', vmchain, '-p', 'udp', '--dport', '67:68', '--sport', '67:68', '-j', 'ACCEPT']) util.pread2(['iptables', '-I', vmchain, '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', vif, '--source', vm_ip, '-j', 'RETURN']) +======= +>>>>>>> 6fd5d61... dont wipe dhcp and antispoof rules every time util.pread2(['iptables', '-A', vmchain, '-j', 'DROP']) if write_rule_log_for_vm(vmName, vm_id, vm_ip, domid, signature, seqno) == False: