| author | Soren Hansen <soren.hansen@rackspace.com> | 2010-09-28 09:07:48 +0200 |
|---|---|---|
| committer | Soren Hansen <soren.hansen@rackspace.com> | 2010-09-28 09:07:48 +0200 |
| commit | 886534ba4d0281afc0d169546a8d55d3a5c8ece9 (patch) | |
| tree | e6cdb25e312c3f8395c679dd565d566b80d12662 /nova | |
| parent | 574aa4bb03c6e79c204d73a8f2a146460cbdb848 (diff) | |
Make the incoming blocking rules take precedence over the output accept rules.
Diffstat (limited to 'nova')
| -rw-r--r-- | nova/virt/libvirt_conn.py | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index 854fa6761..40a921743 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -527,11 +527,11 @@ class NWFilterFirewall(object):
     def nova_base_ipv4_filter(self):
         retval = "<filter name='nova-base-ipv4' chain='ipv4'>"
         for protocol in ['tcp', 'udp', 'icmp']:
-            for direction,action in [('out','accept'),
-                                     ('in','drop')]:
-                retval += """<rule action='%s' direction='%s' priority='400'>
+            for direction,action,priority in [('out','accept', 400),
+                                              ('in','drop', 399)]:
+                retval += """<rule action='%s' direction='%s' priority='%d'>
                                <%s />
-                             </rule>""" % (action, direction, protocol)
+                             </rule>""" % (action, direction, protocol, priority)
         retval += '</filter>'
         return retval
@@ -539,11 +539,12 @@ class NWFilterFirewall(object):
     def nova_base_ipv6_filter(self):
         retval = "<filter name='nova-base-ipv6' chain='ipv6'>"
         for protocol in ['tcp', 'udp', 'icmp']:
-            for direction,action in [('out','accept'),
-                                     ('in','drop')]:
-                retval += """<rule action='%s' direction='%s' priority='400'>
+            for direction,action,priority in [('out','accept',400),
+                                              ('in','drop',399)]:
+                retval += """<rule action='%s' direction='%s' priority='%d'>
                                <%s-ipv6 />
-                             </rule>""" % (action, direction, protocol)
+                             </rule>""" % (action, direction,
+                                           protocol, priority)
         retval += '</filter>'
         return retval
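Review bot: The precedence the commit title describes is carried only by the bare literals 400 and 399 on the new `for direction,action,priority in [...]` lines, duplicated in both nova_base_ipv4_filter and nova_base_ipv6_filter, so a later edit that adjusts one list without the other would silently let the outbound accept win again for one address family. I would hoist them into class-level constants shared by both methods, e.g. `BASE_ACCEPT_PRIORITY = 400` and `BASE_DROP_PRIORITY = 399`, with a comment such as `# libvirt evaluates lower priority values first; the inbound drop must sort before the outbound accept` (that is my reading of libvirt's nwfilter semantics and of the title — worth confirming against the libvirt docs). Neither method has a docstring; a one-liner stating that the filter accepts outbound and drops inbound tcp/udp/icmp, and why the drop carries the lower number, would help the next reader. The tuple targets and literals also lack the PEP 8 space after commas, and the spacing differs between the two hunks (`'accept', 400` in the ipv4 hunk vs `'accept',400` in the ipv6 hunk).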
