xen-devel
Re: [Xen-devel] [PATCH] vif-common.sh prevent physdev match: using --phy
On Tue, Nov 9, 2010 at 6:53 AM, Sander Eikelenboom <linux@xxxxxxxxxxxxxx> wrote:
> Hi all,
>
> Please consider this patch, with newer (pvops) kernels my logs get flooded
> with this iptables warning:
> physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
> chains for non-bridged traffic is not supported anymore
>
> Using the --physdev-is-bridged option prevents this.
> See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10
>
I guess a patch for tools/hotplug/Linux/network-bridge will also be required?
$ grep iptables ./*/*
./Linux/network-bridge:# antispoof Whether to use iptables to prevent spoofing (default no).
./Linux/network-bridge: iptables -P FORWARD DROP
./Linux/network-bridge: iptables -F FORWARD
./Linux/network-bridge: iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT << HERE IT IS
./Linux/network-nat:# antispoof Whether to use iptables to prevent spoofing (default no).
./Linux/network-nat: iptables -t nat -A POSTROUTING -o ${netdev} -j MASQUERADE
./Linux/network-nat: iptables -t nat -D POSTROUTING -o ${netdev} -j MASQUERADE
./Linux/network-route:# antispoof Whether to use iptables to prevent spoofing (default yes).
./Linux/vif-bridge:# Enslaves the vif interface to the bridge and adds iptables rules
./Linux/vif-bridge:# Removes the vif interface from the bridge and removes the iptables
./Linux/vif-common.sh: iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
./Linux/vif-common.sh: iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
./Linux/vif-common.sh: log err "iptables setup failed. This may affect guest networking."
./Linux/vif-common.sh:# Add or remove the appropriate entries in the iptables. With antispoofing
./Linux/vif-common.sh: # Check for a working iptables installation. Checking for the iptables
./Linux/vif-common.sh: # modules installed. If iptables is not working, then there's no need to do
./Linux/vif-common.sh: if ! iptables -L -n >&/dev/null
./Linux/vif-common.sh: claim_lock "iptables"
./Linux/vif-common.sh: release_lock "iptables"
Thanks.
Kindest regards,
Giam Teck Choon
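An added example, not code from this thread or from the Xen hotplug scripts: a small POSIX sh audit that finds the rule shape behind the warning Sander quotes (a "-m physdev --physdev-out" match in OUTPUT, FORWARD or POSTROUTING without --physdev-is-bridged) and prints the corrected rule. It is a dry run over a constructed rule list, so it never calls iptables itself; vif1.0, peth0 and eth0 are made-up interface names chosen to look like what vif-common.sh and network-bridge emit.

```shell
#!/bin/sh
# Added example, not from the thread or the Xen tree. Audits iptables rules
# for "-m physdev --physdev-out" in OUTPUT/FORWARD/POSTROUTING without
# --physdev-is-bridged, the combination the kernel warns about. The sample
# rules are constructed; vif1.0, peth0 and eth0 are made-up names.

# Print the chain a rule operates on (the word after -A/-I/-D); fail if none.
rule_chain() {
    set -- $1
    while [ $# -gt 1 ]; do
        case $1 in
            -A|-I|-D|--append|--insert|--delete) printf '%s\n' "$2"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Exit 0 when the rule would trigger the warning: --physdev-out in one of
# the three affected chains and no --physdev-is-bridged.
needs_is_bridged() {
    case "$(rule_chain "$1")" in
        OUTPUT|FORWARD|POSTROUTING) ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *" --physdev-out "*) ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *" --physdev-is-bridged "*) return 1 ;;
    esac
    return 0
}

# Print the rule with --physdev-is-bridged inserted right after "-m physdev".
# Only the first physdev match is rewritten; these rules carry one each.
add_is_bridged() {
    printf '%s\n' "$1" | sed 's/-m physdev/-m physdev --physdev-is-bridged/'
}

# Read rules from stdin (one per line); print each rule unchanged unless it
# needs the fix, in which case print the corrected form.
fix_rules() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if needs_is_bridged "$rule"; then
            add_is_bridged "$rule"
        else
            printf '%s\n' "$rule"
        fi
    done
}

# Print how many rules on stdin need the fix.
count_warn_prone() {
    n=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if needs_is_bridged "$rule"; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# Constructed sample shaped like the rules the Xen scripts install. The
# RELATED,ESTABLISHED rule and the nat POSTROUTING rule are the two that
# would log the warning; the third already carries --physdev-is-bridged.
SAMPLE_RULES='-A FORWARD -m physdev --physdev-in peth0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vif1.0 -j ACCEPT
-A INPUT -m physdev --physdev-in vif1.0 -j ACCEPT
-t nat -A POSTROUTING -o eth0 -m physdev --physdev-out vif1.0 -j MASQUERADE'

# Run with --demo to print the corrected list and the count of affected rules.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RULES" | fix_rules
    printf 'rules needing --physdev-is-bridged: %s\n' \
        "$(printf '%s\n' "$SAMPLE_RULES" | count_warn_prone)"
fi
```

To check a live box instead of the sample, feed it the output of iptables-save (for example, iptables-save | fix_rules after sourcing the script); --physdev-in rules are left alone because the warning only concerns --physdev-out, and adding --physdev-is-bridged restricts the match to bridged frames, which is exactly the traffic the vif rules are meant to see.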
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel