CLOUDSTACK-4750

Anthony Xu · Anthony Xu · commit 27294a382757 · 2013-10-30T15:12:21.000-07:00
use interface wildcard "+" in iptables to cover potential used VLAN interface to allow output on physical interface.

you will see
 0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2+ --physdev-is-bridged
instead of
 0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2.1234 --physdev-is-bridged

Anthony
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
@@ -495,12 +495,8 @@ def allow_egress_traffic(session):
     devs = []
     for pif in session.xenapi.PIF.get_all():
         pif_rec = session.xenapi.PIF.get_record(pif)
-        vlan = pif_rec.get('VLAN')
         dev = pif_rec.get('device')
-        if vlan == '-1':
-            devs.append(dev)
-        else:
-            devs.append(dev + "." + vlan)
+        devs.append(dev + "+")
     for d in devs:
         try:
             util.pread2(['/bin/bash', '-c', "iptables -n -L FORWARD | grep '%s '" % d])
@@ -804,8 +800,6 @@ def default_network_rules_systemvm(session, args):
     except:
         util.pread2(['iptables', '-F', vmchain])
     
-    allow_egress_traffic(session)
-  
     for vif in vifs:
         try:
             util.pread2(['iptables', '-A', 'BRIDGE-FIREWALL', '-m', 'physdev', '--physdev-is-bridged', '--physdev-out', vif, '-j', vmchain])
