[Xen-devel] [PATCH] vif-common.sh prevent physdev match: using -

To:	Ian <Ian.Campbell@xxxxxxxxxxxxx>, Keir Fraser <keir.fraser@xxxxxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Subject:	[Xen-devel] [PATCH] vif-common.sh prevent physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore
From:	Sander Eikelenboom <linux@xxxxxxxxxxxxxx>
Date:	Mon, 8 Nov 2010 23:53:13 +0100
Cc:	"Xen-devel@xxxxxxxxxxxxxxxxxxx" <Xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date:	Mon, 08 Nov 2010 14:54:11 -0800
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Organization:	Eikelenboom IT services
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx

Hi all,

Please consider this patch, with newer (pvops) kernels my logs get flooded with 
this iptables warning:
physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING 
chains for non-bridged traffic is not supported anymore

Using the --physdev-is-bridged option prevents this.
See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10

--
Sander



# HG changeset patch
# User root@localhost
# Date 1289255948 -3600
# Node ID 8270590996e55674532101c3dcfd41312c8598cf
# Parent  0d5f09e3728cd2ebf1126bc7341ae9dded45006a
Use --physdev-is-bridged to make it explicit the rules only apply to bridged 
traffic.
This prevents a flood of:
physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING 
chains for non-bridged traffic is not supported anymore.
messages when starting or shutting down domU's

Background information: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10

Signed-off-by: Sander Eikelenboom <linux@xxxxxxxxxxxxxx>

diff -r 0d5f09e3728c -r 8270590996e5 tools/hotplug/Linux/vif-common.sh
--- a/tools/hotplug/Linux/vif-common.sh Thu Nov 04 16:42:34 2010 +0000
+++ b/tools/hotplug/Linux/vif-common.sh Mon Nov 08 23:39:08 2010 +0100
@@ -105,10 +105,10 @@
     local c="-D"
   fi
 
-  iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
+  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" 
"$@" -j ACCEPT \
     2>/dev/null &&
   iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
-    --physdev-out "$vif" -j ACCEPT 2>/dev/null
+    --physdev-is-bridged --physdev-out "$vif" -j ACCEPT 2>/dev/null
 
   if [ "$command" == "online" -a $? -ne 0 ]
   then

vif-common.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:

Re: [Xen-devel] [PATCH] Fix pci passthru in xend interface used by libvirt [and 1 more messages], Jim Fehlig

Next by Date:

Re: [Xen-devel] [PATCH] vif-common.sh prevent physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore, Teck Choon Giam

Previous by Thread:

[Xen-devel] [xen-unstable test] 2584: all pass, xen . org

Next by Thread:

Re: [Xen-devel] [PATCH] vif-common.sh prevent physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore, Teck Choon Giam

Indexes:

[Date] [Thread] [Top] [All Lists]

WARNING - OLD ARCHIVES

xen-devel

[Xen-devel] [PATCH] vif-common.sh prevent physdev match: using --physdev