To: Sander Eikelenboom <linux@xxxxxxxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH] vif-common.sh prevent physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore
From: Teck Choon Giam <giamteckchoon@xxxxxxxxx>
Date: Wed, 10 Nov 2010 10:01:57 +0800
Cc: "Xen-devel@xxxxxxxxxxxxxxxxxxx" <Xen-devel@xxxxxxxxxxxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Keir Fraser <Keir.Fraser@xxxxxxxxxxxxx>
Delivery-date: Tue, 09 Nov 2010 18:02:56 -0800
In-reply-to: <1436959264.20101109193759@xxxxxxxxxxxxxx>
References: <4010012490.20101108235313@xxxxxxxxxxxxxx> <19673.31871.224226.14651@xxxxxxxxxxxxxxxxxxxxxxxx> <458529433.20101109192907@xxxxxxxxxxxxxx> <19673.37792.783472.936999@xxxxxxxxxxxxxxxxxxxxxxxx> <1436959264.20101109193759@xxxxxxxxxxxxxx>
On Wed, Nov 10, 2010 at 2:37 AM, Sander Eikelenboom
<linux@xxxxxxxxxxxxxx> wrote:
> Hello Ian,
> Tuesday, November 9, 2010, 7:32:00 PM, you wrote:
>> Sander Eikelenboom writes ("Re: [Xen-devel] [PATCH] vif-common.sh prevent 
>> physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING 
>> chains for non-bridged traffic is not supported anymore"):
>>> Good point, although I don't have a config with an old enough
>>> iptables/kernel to test what happens in that case ..
> this
> http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commit;h=30596a5e7ae8c518a8a0bbf3aa891728e9f9ec1b
> commit already seems to have the option,
> it's from 2003...
>> On lenny:
>> $ iptables --physdev-is-bridged
>> iptables v1.4.2: Unknown arg `(null)'
>> Try `iptables -h' or 'iptables --help' for more information.
>> $
>> What I want to know, though, is what happens if you have a new
>> iptables and an old kernel.
>> Ian.

Hi Ian,

Usage as below, which shows support for CentOS 4 and CentOS 5:

# /sbin/iptables -m physdev --help|grep 'physdev-is-bridged'
 [!] --physdev-is-bridged               it's a bridged packet

# /sbin/iptables -m physdev --help
iptables v1.2.11

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
            -E old-chain new-chain
                                Change chain name, (moving any references)
  --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
  --source      -s [!] address[/mask]
                                source specification
  --destination -d [!] address[/mask]
                                destination specification
  --in-interface -i [!] input name[+]
                                network interface name ([+] for wildcard)
  --jump        -j target
                                target for rule (may load target extension)
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
  --out-interface -o [!] output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.

physdev v1.2.11 options:
 --physdev-in [!] input name[+]         bridge port name ([+] for wildcard)
 --physdev-out [!] output name[+]       bridge port name ([+] for wildcard)
 [!] --physdev-is-in                    arrived on a bridge device
 [!] --physdev-is-out                   will leave on a bridge device
 [!] --physdev-is-bridged               it's a bridged packet


Kindest regards,
Giam Teck Choon
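An added shell example, not from the thread or from Xen's vif-common.sh, for the case Ian asks about: check both that the iptables binary knows --physdev-is-bridged (by scanning help text like the output above) and, separately, that the running kernel accepts the match before a script relies on it. The function names, the throw-away probe chain and the FORWARD rule shown are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from xen's vif-common.sh): probe
# whether the physdev match offers --physdev-is-bridged before relying on it.
# Userspace and kernel can disagree (the "new iptables, old kernel" case), so
# there are two separate checks.

# Constructed sample of the help text quoted in the thread (not live output).
SAMPLE_HELP="physdev v1.2.11 options:
 --physdev-in [!] input name[+]         bridge port name ([+] for wildcard)
 --physdev-out [!] output name[+]       bridge port name ([+] for wildcard)
 [!] --physdev-is-in                    arrived on a bridge device
 [!] --physdev-is-out                   will leave on a bridge device
 [!] --physdev-is-bridged               it's a bridged packet"

# Constructed help text of an older physdev extension without the option.
OLD_HELP="physdev options:
 --physdev-in [!] input name[+]         bridge port name ([+] for wildcard)
 --physdev-out [!] output name[+]       bridge port name ([+] for wildcard)"

# Userspace check: does this iptables binary know the option?
# $1 = help text; on a live system pass "$(iptables -m physdev --help 2>&1)".
physdev_userspace_supports() {
    printf '%s\n' "$1" | grep -q -- '--physdev-is-bridged'
}

# Kernel check: try the match in a throw-away chain, then clean up. With a
# new iptables on an old kernel the userspace check passes but this one
# fails, so a script must run both. Needs root and netfilter; not run here.
physdev_kernel_supports() {
    chain="physdevprobe$$"
    iptables -N "$chain" 2>/dev/null || return 1
    rc=1
    iptables -A "$chain" -m physdev --physdev-is-bridged -j RETURN 2>/dev/null && rc=0
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
    return $rc
}

# Illustrative rule builder (hypothetical, not the real vif-common.sh rule):
# only append --physdev-is-bridged when both checks passed ($2 = yes).
forward_rule_args() {
    vif="$1"; supported="$2"
    if [ "$supported" = yes ]; then
        echo "FORWARD -m physdev --physdev-in $vif --physdev-is-bridged -j ACCEPT"
    else
        echo "FORWARD -m physdev --physdev-in $vif -j ACCEPT"
    fi
}
```

On a live dom0 the decision would be `physdev_userspace_supports "$(iptables -m physdev --help 2>&1)" && physdev_kernel_supports`, and the rule is built with "yes" only when both succeed.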
