author | bertagaz <bertagaz@ptitcanardnoir.org> | 2015-01-15 12:33:41 +0100 |
---|---|---|
committer | bertagaz <bertagaz@ptitcanardnoir.org> | 2015-02-27 15:22:00 +0100 |
commit | 3404e5d09d41a3949c76e39f884e6a2d2db8cd48 (patch) | |
tree | 58d966b46a2afd6857d15fedd0a90bac71f31fc8 | |
parent | 06c5058752f7c1856380766784f48e077c3194ed (diff) | |
Fix DHCP from $vmz.
On newer kernels (tested on 3.16), the libvirt and shorewall iptables
rules conflict; this is fixed by re-enabling
--checksum-fill on $vmz, otherwise the VMs can't get a DHCP lease.
-rw-r--r-- | manifests/rules/libvirt/host.pp | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
index dfb753c..c226865 100644
--- a/manifests/rules/libvirt/host.pp
+++ b/manifests/rules/libvirt/host.pp
@@ -2,6 +2,8 @@ class shorewall::rules::libvirt::host (
 $vmz = 'vmz',
 $masq_iface = 'eth0',
 $debproxy_port = 8000,
+ $accept_dhcp = true,
+ $vmz_iface = 'virbr0',
 ) {
 
 define shorewall::rule::accept::from_vmz (
@@ -49,6 +51,15 @@ class shorewall::rules::libvirt::host (
 action => 'ACCEPT';
 }
 
+ if $accept_dhcp {
+ shorewall::mangle { 'CHECKSUM:T':
+ source => '-',
+ destination => $vmz_iface,
+ proto => 'udp',
+ destinationport => '68';
+ }
+ }
+
 if $debproxy_port {
 shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz':
 proto => 'tcp', |
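Review bot: The two new class parameters are undocumented, and `$accept_dhcp` is a misleading name: judging from the second hunk it adds no ACCEPT rule, only a CHECKSUM mangle entry on `$vmz_iface`. A header comment such as `# $accept_dhcp: add a CHECKSUM:T mangle rule for udp/68 leaving $vmz_iface so guests get valid DHCP replies` and `# $vmz_iface: bridge interface backing the $vmz zone` would tell operators what they are switching. Because the default is `true`, nodes that already include this class gain the rule on upgrade. Nothing visible ties `$vmz_iface` to the interface actually assigned to `$vmz`, so a site using a bridge other than `virbr0` has to override it separately. The class body continues outside the hunk.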
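Review bot: The mangle resource in the `if $accept_dhcp` block is titled `'CHECKSUM:T'`, and since no separate action attribute is passed, the title presumably doubles as the rule's action. The catalog can then hold only one such rule: a second bridge, or another class declaring the same title, would fail with a duplicate declaration. If `shorewall::mangle` accepts an explicit action attribute (not visible here), a descriptive title such as `'checksum_fill_dhcp_to_vmz'` would avoid that. With `source => '-'` the rule matches every udp packet to port 68 leaving `$vmz_iface`, so a comment above the block, e.g. `# re-add --checksum-fill for DHCP replies to guests; rewrites checksums only, accepts nothing`, would make clear to a firewall reviewer that this is not a filter rule. The class body starts and ends outside the hunk.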