use vpn filter in basic filtering so cloudpipe works with iptables driver

author: Vishvananda Ishaya <vishvananda@gmail.com> 2011-04-21 07:39:49 -0700
committer: Vishvananda Ishaya <vishvananda@gmail.com> 2011-04-21 07:39:49 -0700
commit: 2d82195d59240ea53d4726879d2a28a5872e58f7 (patch)
tree: 7ad4ace021a0a570fde8d8f90ffc740a5314bf22 /nova
parent: e6b76ce6886a1404739a972d106248a67df4f02a (diff)
1 files changed, 8 insertions, 10 deletions
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index 9c8d64446..3dcb8ae42 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -1734,11 +1734,16 @@ class NWFilterFirewall(FirewallDriver):
         logging.info('ensuring static filters')
         self._ensure_static_filters()
 
+        if instance['image_id'] == str(FLAGS.vpn_image_id):
+            base_filter = 'nova-vpn'
+        else:
+            base_filter = 'nova-base'
+
         for (network, mapping) in network_info:
             nic_id = mapping['mac'].replace(':', '')
             instance_filter_name = self._instance_filter_name(instance, nic_id)
             self._define_filter(self._filter_container(instance_filter_name,
-                                                       ['nova-base']))
+                                                       [base_filter]))
 
     def _ensure_static_filters(self):
         if self.static_filters_configured:
@@ -1749,11 +1754,12 @@ class NWFilterFirewall(FirewallDriver):
                                                     'no-ip-spoofing',
                                                     'no-arp-spoofing',
                                                     'allow-dhcp-server']))
+        self._define_filter(self._filter_container('nova-vpn',
+                                                   ['allow-dhcp-server']))
         self._define_filter(self.nova_base_ipv4_filter)
         self._define_filter(self.nova_base_ipv6_filter)
         self._define_filter(self.nova_dhcp_filter)
         self._define_filter(self.nova_ra_filter)
-        self._define_filter(self.nova_vpn_filter)
         if FLAGS.allow_project_net_traffic:
             self._define_filter(self.nova_project_filter)
             if FLAGS.use_ipv6:
@@ -1767,14 +1773,6 @@ class NWFilterFirewall(FirewallDriver):
                  ''.join(["<filterref filter='%s'/>" % (f,) for f in filters]))
         return xml
 
-    nova_vpn_filter = '''<filter name='nova-vpn' chain='root'>
-                           <uuid>2086015e-cf03-11df-8c5d-080027c27973</uuid>
-                           <filterref filter='allow-dhcp-server'/>
-                           <filterref filter='nova-allow-dhcp-server'/>
-                           <filterref filter='nova-base-ipv4'/>
-                           <filterref filter='nova-base-ipv6'/>
-                         </filter>'''
-
     def nova_base_ipv4_filter(self):
         retval = "<filter name='nova-base-ipv4' chain='ipv4'>"
         for protocol in ['tcp', 'udp', 'icmp']:
author	Vishvananda Ishaya <vishvananda@gmail.com>	2011-04-21 07:39:49 -0700
committer	Vishvananda Ishaya <vishvananda@gmail.com>	2011-04-21 07:39:49 -0700
commit	2d82195d59240ea53d4726879d2a28a5872e58f7 (patch)
tree	7ad4ace021a0a570fde8d8f90ffc740a5314bf22 /nova
parent	e6b76ce6886a1404739a972d106248a67df4f02a (diff)