authorbertagaz <bertagaz@ptitcanardnoir.org>2015-01-15 12:33:41 +0100
committerbertagaz <bertagaz@ptitcanardnoir.org>2015-02-27 15:22:00 +0100
commit3404e5d09d41a3949c76e39f884e6a2d2db8cd48 (patch)
tree58d966b46a2afd6857d15fedd0a90bac71f31fc8 /manifests/rules
parent06c5058752f7c1856380766784f48e077c3194ed (diff)
Fix DHCP from $vmz.
On newer kernels (tested on 3.16), the libvirt and shorewall iptables rules conflict; this is fixed by re-enabling --checksum-fill on $vmz, otherwise the VMs can't get a DHCP lease.
Diffstat (limited to 'manifests/rules')
-rw-r--r--manifests/rules/libvirt/host.pp11
1 files changed, 11 insertions, 0 deletions
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
index dfb753c..c226865 100644
--- a/manifests/rules/libvirt/host.pp
+++ b/manifests/rules/libvirt/host.pp
@@ -2,6 +2,8 @@ class shorewall::rules::libvirt::host (
$vmz = 'vmz',
$masq_iface = 'eth0',
$debproxy_port = 8000,
+ $accept_dhcp = true,
+ $vmz_iface = 'virbr0',
) {
define shorewall::rule::accept::from_vmz (
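Review bot: The name `$accept_dhcp` reads as if it controlled an ACCEPT rule, but in this commit it only gates the `CHECKSUM:T` mangle rule added in the second hunk, so setting it to `false` would not, as far as the diff shows, stop DHCP traffic from being accepted. Renaming would change the class interface, so a comment above the parameter list is the safer fix for anyone auditing the policy, for example `# $accept_dhcp: add a checksum-fill mangle rule for DHCP replies to $vmz_iface; no filter rule is changed`. `$vmz_iface` also needs a line saying it must be the bridge that belongs to the `$vmz` zone, because the two defaults ('vmz' and 'virbr0') are set independently. The class body continues outside this hunk.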
@@ -49,6 +51,15 @@ class shorewall::rules::libvirt::host (
action => 'ACCEPT';
}
+ if $accept_dhcp {
+ shorewall::mangle { 'CHECKSUM:T':
+ source => '-',
+ destination => $vmz_iface,
+ proto => 'udp',
+ destinationport => '68';
+ }
+ }
+
if $debproxy_port {
shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz':
proto => 'tcp',
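Review bot: The `if $accept_dhcp` block has no comment explaining why a mangle rule sits among the accept rules; the reason is given only in the commit message. It is worth keeping next to the code, e.g. `# re-add --checksum-fill for DHCP replies to the VMs; without it they get no lease on newer kernels (seen on 3.16)`. With `source => '-'` the rule matches every UDP packet to port 68 leaving `$vmz_iface`, not only replies from the host's DHCP server. That only affects checksum handling and accepts nothing, which the comment could state so the rule is not mistaken for a policy opening. The enclosing class and the following `if $debproxy_port` block run past the end of the hunk.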