tools: dom0 iptables rule ordering change

This patch makes two small changes to dom0 iptables rules that permit
(and revoke) domU network access.

First:
Currently, a rule intended to allow domU network access is appended to
the end of the FORWARD chain, where it can be preempted by other =20
rules.  This patch causes the rule to be inserted at the top, where
it's more likely to have the intended effect.

Second:
In some cases (e.g. Fedora 9's default iptables configuration), the
first rule alone is insufficient to permit two-way packet flow.  This
patch adds a second rule to the FORWARD chain that permits replies to
domU network requests to reach the domU vif.

Signed-off-by: Chris Bookholt <hap10@tycho.ncsc.mil>

diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index ee67ee2aaa85d1c684ac5bef71f6c195e2a05e02..5c1e9c3ea58fc26ef4747eb8a1c7813a511bd5a9 100644 (file)
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -68,17 +68,20 @@ frob_iptable()
 {
   if [ "$command" == "online" ]
   then
-    local c="-A"
+    local c="-I"
   else
     local c="-D"
   fi
 
   iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
-    2>/dev/null ||
-    [ "$c" == "-D" ] ||
-    log err \
-     "iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT failed.
-If you are using iptables, this may affect networking for guest domains."
+    2>/dev/null &&
+  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
+    --physdev-out "$vif" -j ACCEPT 2>/dev/null
+
+  if [ "$command" == "online" ] && [ $? ]
+  then
+    log err "iptables setup failed. This may affect guest networking."
+  fi
 }