commit b148b222281fd5c23cee7e38c853cd6584a22efa
Author: Ondrej Lichtner <olichtne(a)redhat.com>
Date: Mon May 27 15:53:23 2013 +0200
VirtUtils: bridge initialization adds iptables rules
When creating virtual networks we are using bridge interfaces on the
host machine. The default behaviour of these bridges is to filter
packets through iptables, which resulted in IPv6 communication being
blocked. This commit fixes that by adding iptables calls to the bridge
initialization. Every newly created bridge now works as an isolated
network.
From what I've seen these are the same rules added by libvirt when
creating an isolated network.
Signed-off-by: Ondrej Lichtner <olichtne(a)redhat.com>
Signed-off-by: Jiri Pirko <jiri(a)resnulli.us>
lnst/Common/VirtUtils.py | 28 ++++++++++++++++++++++++++++
1 files changed, 28 insertions(+), 0 deletions(-)
---
diff --git a/lnst/Common/VirtUtils.py b/lnst/Common/VirtUtils.py
index 71659ef..e13bfe2 100644
--- a/lnst/Common/VirtUtils.py
+++ b/lnst/Common/VirtUtils.py
@@ -36,6 +36,18 @@ def _brctl(cmd):
except ExecCmdFail as err:
raise VirtUtilsError("brctl error: %s" % err)
+def _iptables(cmd):
+ try:
+ exec_cmd("iptables %s" % cmd)
+ except ExecCmdFail as err:
+ raise VirtUtilsError("iptables error: %s" % err)
+
+def _ip6tables(cmd):
+ try:
+ exec_cmd("ip6tables %s" % cmd)
+ except ExecCmdFail as err:
+ raise VirtUtilsError("ip6tables error: %s" % err)
+
def _virsh(cmd):
try:
exec_cmd("virsh %s" % cmd, log_outputs=False)
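Review bot: `_iptables` and `_ip6tables` are copy-pasted bodies that differ only in the binary name, so every future rule tweak or error-handling change has to be made twice; one helper such as `def _xtables(binary, cmd): ... exec_cmd("%s %s" % (binary, cmd))` with two one-line wrappers would keep a single code path. The argument text is assembled with `%` and handed to `exec_cmd` as one string, and whether the interpolated bridge name is ever shell-interpreted depends on how `exec_cmd` runs it, which this hunk does not show; a docstring stating the contract, `"""Run iptables with *cmd* appended verbatim; raise VirtUtilsError on a non-zero exit."""`, would make clear that callers must pass trusted, pre-formatted text. `_virsh` continues outside the hunk.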
@@ -233,6 +245,14 @@ class BridgeCtl(NetCtl):
def init(self):
if not self._exists():
_brctl("addbr %s" % self._name)
+ _iptables("-I FORWARD 1 -j REJECT -i %s -o any" % self._name)
+ _iptables("-I FORWARD 1 -j REJECT -i any -o %s" % self._name)
+ _iptables("-I FORWARD 1 -j ACCEPT -i %s -o %s" %
+ (self._name, self._name))
+ _ip6tables("-I FORWARD 1 -j REJECT -i %s -o any" % self._name)
+ _ip6tables("-I FORWARD 1 -j REJECT -i any -o %s" % self._name)
+ _ip6tables("-I FORWARD 1 -j ACCEPT -i %s -o %s" %
+ (self._name, self._name))
self._remove = True
_ip("link set %s up" % self._name)
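Review bot: The `-o any` and `-i any` clauses on the four REJECT rules inserted in init() look wrong: as far as I know iptables has no `any` interface keyword, so `-o any` only matches an interface literally named `any`, the REJECT rules never fire, and the bridge is not isolated while the ACCEPT rule alone unblocks the IPv6 traffic the commit set out to fix. Dropping the clause gives the form libvirt uses for isolated networks, `_iptables("-I FORWARD 1 -j REJECT -i %s" % self._name)` and `_iptables("-I FORWARD 1 -j REJECT -o %s" % self._name)`, with the same change for the ip6tables pair, and the matching `-D` strings in the removal hunk below must be changed identically or the deletes will not match. Separately, `self._remove = True` is only reached after all six insertions succeed, so a failing iptables call leaves a freshly created bridge and any rules already inserted behind with nothing to tear them down; moving that assignment to directly after `_brctl("addbr %s" % self._name)` closes the gap. The rest of init() may lie outside the hunk.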
@@ -241,3 +261,11 @@ class BridgeCtl(NetCtl):
if self._remove:
_ip("link set %s down" % self._name)
_brctl("delbr %s" % self._name)
+ _iptables("-D FORWARD -j REJECT -i %s -o any" % self._name)
+ _iptables("-D FORWARD -j REJECT -i any -o %s" % self._name)
+ _iptables("-D FORWARD -j ACCEPT -i %s -o %s" %
+ (self._name, self._name))
+ _ip6tables("-D FORWARD -j REJECT -i %s -o any" % self._name)
+ _ip6tables("-D FORWARD -j REJECT -i any -o %s" % self._name)
+ _ip6tables("-D FORWARD -j ACCEPT -i %s -o %s" %
+ (self._name, self._name))
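Review bot: Each `-D` call raises VirtUtilsError on the first rule that fails to delete, which aborts the remaining deletions and leaves stale FORWARD rules behind for a bridge that `delbr` has already removed. A rule missing at teardown is expected rather than fatal, so the six deletions belong in a loop over a rule list in which each failure is reported and the loop continues; the sketch below keeps the rule strings exactly as committed and assumes the module already has `logging` in scope. The enclosing cleanup method starts outside the hunk.
```python
            _brctl("delbr %s" % self._name)
            rules = ["-D FORWARD -j REJECT -i %s -o any" % self._name,
                     "-D FORWARD -j REJECT -i any -o %s" % self._name,
                     "-D FORWARD -j ACCEPT -i %s -o %s" %
                     (self._name, self._name)]
            # Best-effort teardown: a missing rule must not stop the others.
            for tool in (_iptables, _ip6tables):
                for rule in rules:
                    try:
                        tool(rule)
                    except VirtUtilsError as err:
                        logging.warning("rule removal failed: %s", err)
```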