From 2c5afffb7d9b409b7ec4e14825c9be15efb7940a Mon Sep 17 00:00:00 2001
From: Guido Trotter <ultrotter@google.com>
Date: Wed, 21 Oct 2009 18:13:21 -0400
Subject: [PATCH] KVMHypervisor: implement instance policy routing

Until now we relied on traffic from instances being policy routed via a
rule based on the instance network. With this change we can enforce it
on the instance interfaces. Since ip rules survive the interface
disappearing and reappearing, we first need to remove any leftover rules
and then apply the new one when creating the interface.

Signed-off-by: Guido Trotter <ultrotter@google.com>
Reviewed-by: Michael Hanselmann <hansmi@google.com>
---
 lib/hypervisor/hv_kvm.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/hypervisor/hv_kvm.py b/lib/hypervisor/hv_kvm.py
index 8b3af5252..a8439bb7e 100644
--- a/lib/hypervisor/hv_kvm.py
+++ b/lib/hypervisor/hv_kvm.py
@@ -171,6 +171,8 @@ class KVMHypervisor(hv_base.BaseHypervisor):
     elif nic.nicparams[constants.NIC_MODE] == constants.NIC_MODE_ROUTED:
       script.write("  # Route traffic targeted at the IP to the interface\n")
       if nic.nicparams[constants.NIC_LINK]:
+        script.write("  while /sbin/ip rule del dev $INTERFACE; do :; done\n")
+        script.write("  /sbin/ip rule add dev $INTERFACE table $LINK\n")
         script.write("  /sbin/ip route replace $IP/32 table $LINK"
                      " dev $INTERFACE\n")
       else:
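Review bot: The `while /sbin/ip rule del dev $INTERFACE; do :; done` line emitted at the first added statement is an unbounded loop on an external command's exit status, so if `ip rule del` ever reports success without removing a matching rule (iproute2 behaviour differs across versions) the generated net script never returns and the instance fails to start. A bounded form keeps the intent while guaranteeing termination, e.g. `script.write("  n=0; while [ $n -lt 64 ] && /sbin/ip rule del dev $INTERFACE; do n=$((n+1)); done\n")`. The loop also deletes every rule selecting on that interface, not only ones Ganeti created; a one-line comment in the emitted script saying so would help an operator who finds their own rule gone. The enclosing method starts and ends outside the hunk, and the `$INTERFACE`/`$LINK` expansions are unquoted here as on the existing route line below, which is fine only as long as both values stay free of whitespace.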
-- 
GitLab