
Commit c7766ea

author
Naredula Janardhana Reddy
committed
bug 10617: kvm related changes.
1 parent de86e30 commit c7766ea

1 file changed

Lines changed: 5 additions & 3 deletions


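--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -239,11 +239,12 @@ def default_network_rules_systemvm(vm_name, brname):
 try:
 execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
 execute("iptables -A " + brfw + "-IN" + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j " + vmchain)
+execute("iptables -A " + vmchain + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j RETURN")
 except:
 logging.debug("Failed to program default rules")
 return 'false'
 
-execute("iptables -A " + vmchain + " -j RETURN")
+execute("iptables -A " + vmchain + " -j ACCEPT")
 
 if write_rule_log_for_vm(vm_name, '-1', '_ignore_', domid, '_initial_', '-1') == False:
 logging.debug("Failed to log default network rules for systemvm, ignoring")
@@ -617,13 +618,14 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
 ips = cidrs.split(",")
 ips.pop()
 allow_any = False
-action = "RETURN"
 if ruletype == 'E':
 vmchain = egress_chain_name(vm_name)
 direction = "-d"
+action = "RETURN"
 egressrule = egressrule + 1
 else:
 vmchain = vm_name
+action = "ACCEPT"
 direction = "-s"
 if '0.0.0.0/0' in ips:
 i = ips.index('0.0.0.0/0')
@@ -730,8 +732,8 @@ def addFWFramework(brname):
 execute("iptables -I FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
 phydev = execute("brctl show |grep " + brname + " | awk '{print $4}'").strip()
 execute("iptables -A " + brfw + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
-execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-out -j " + brfwout)
 execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-in -j " + brfwin)
+execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-out -j " + brfwout)
 execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + phydev + " -j ACCEPT")
 
 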
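Review bot: The relative order of the two physdev jumps in addFWFramework is now load-bearing and nothing in the code says so: since ingress rules built in add_network_rules end in ACCEPT rather than RETURN, a packet evaluated against the destination VM's ingress chain first would be accepted terminally before the source VM's egress chain (reached through --physdev-is-in) was ever consulted, so the is-in jump has to stay ahead of the is-out jump for VM-to-VM traffic on the same bridge. I would pin that on the moved line with `# keep --physdev-is-in before --physdev-is-out: ingress chains end in ACCEPT, so egress rules must run first`. The matching RETURN-to-ACCEPT change in default_network_rules_systemvm means traffic to a system VM no longer falls through to whatever follows in the bridge chain; if a later default DROP or logging rule there was relied on, that path is now skipped, and the new RETURN rule sits inside a bare `except:` that leaves the two already-installed jump rules in place when it fails. addFWFramework starts before its hunk, and the two earlier hunks sit inside default_network_rules_systemvm and add_network_rules, whose bodies continue outside them.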