Fix DHCP from $vmz.

On newer kernel (tested on 3.16), the libvirt and shorewall iptables
rules have conflicts that need to be fixed by enabling back
--checksum-fill on $vmz, otherwise the VMs can't get a DHCP lease.

diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
index dfb753c2da5c8ec03ab6ee8e6b5a2644e0ce6858..c226865952c09352af3f61c6a86eb447a1b7602c 100644 (file)
--- a/manifests/rules/libvirt/host.pp
+++ b/manifests/rules/libvirt/host.pp
@@ -2,6 +2,8 @@ class shorewall::rules::libvirt::host (
   $vmz           = 'vmz',
   $masq_iface    = 'eth0',
   $debproxy_port = 8000,
+  $accept_dhcp   = true,
+  $vmz_iface     = 'virbr0',
   ) {
 
   define shorewall::rule::accept::from_vmz (
@@ -49,6 +51,15 @@ class shorewall::rules::libvirt::host (
       action          => 'ACCEPT';
   }
 
+  if $accept_dhcp {
+    shorewall::mangle { 'CHECKSUM:T':
+      source          => '-',
+      destination     => $vmz_iface,
+      proto           => 'udp',
+      destinationport => '68';
+    }
+  }
+
   if $debproxy_port {
     shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz':
       proto           => 'tcp',