
Re: [Xen-devel] [PATCH] vif-common.sh prevent physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore



On Tue, Nov 9, 2010 at 6:53 AM, Sander Eikelenboom <linux@xxxxxxxxxxxxxx> wrote:
> Hi all,
>
> Please consider this patch, with newer (pvops) kernels my logs get flooded 
> with this iptables warning:
> physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING 
> chains for non-bridged traffic is not supported anymore
>
> Using the --physdev-is-bridged option prevents this.
> See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10
>

I guess a patch for tools/hotplug/Linux/network-bridge will also be required?

$ grep iptables ./*/*
./Linux/network-bridge:# antispoof  Whether to use iptables to prevent spoofing (default no).
./Linux/network-bridge:    iptables -P FORWARD DROP
./Linux/network-bridge:    iptables -F FORWARD
./Linux/network-bridge:    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT << HERE IT IS
./Linux/network-nat:# antispoof  Whether to use iptables to prevent spoofing (default no).
./Linux/network-nat:    iptables -t nat -A POSTROUTING -o ${netdev} -j MASQUERADE
./Linux/network-nat:    iptables -t nat -D POSTROUTING -o ${netdev} -j MASQUERADE
./Linux/network-route:# antispoof  Whether to use iptables to prevent spoofing (default yes).
./Linux/vif-bridge:# Enslaves the vif interface to the bridge and adds iptables rules
./Linux/vif-bridge:# Removes the vif interface from the bridge and removes the iptables
./Linux/vif-common.sh:  iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
./Linux/vif-common.sh:  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
./Linux/vif-common.sh:    log err "iptables setup failed. This may affect guest networking."
./Linux/vif-common.sh:# Add or remove the appropriate entries in the iptables.  With antispoofing
./Linux/vif-common.sh:  # Check for a working iptables installation.  Checking for the iptables
./Linux/vif-common.sh:  # modules installed.  If iptables is not working, then there's no need to do
./Linux/vif-common.sh:  if ! iptables -L -n >&/dev/null
./Linux/vif-common.sh:  claim_lock "iptables"
./Linux/vif-common.sh:  release_lock "iptables"

Thanks.

Kindest regards,
Giam Teck Choon
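The warning quoted in the thread names one specific combination: --physdev-out in the OUTPUT, FORWARD or POSTROUTING chain without --physdev-is-bridged. The following is an added example, not part of this thread and not code from the Xen hotplug scripts, that checks iptables rule lines shaped like the ones in the grep output for that combination and shows the --physdev-is-bridged fix applied to a matching rule. The function names, the sample rule text and the interface names vif1.0, peth0 and eth0 are constructed for the example.

```shell
# Added example (not from the Xen scripts): audit iptables rule lines for the
# combination that newer kernels reject with the physdev warning in the thread.
# needs_is_bridged RULE
# Returns 0 when RULE uses --physdev-out in the OUTPUT, FORWARD or POSTROUTING
# chain without --physdev-is-bridged (the case that logs the warning), else 1.
needs_is_bridged() {
    chain='' has_out=0 is_bridged=0
    # shellcheck disable=SC2086  # word-split the rule string on purpose
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -A|-I|-D)             chain=$2 ;;
            --physdev-out)        has_out=1 ;;
            --physdev-is-bridged) is_bridged=1 ;;
        esac
        shift
    done
    [ "$has_out" -eq 1 ] && [ "$is_bridged" -eq 0 ] || return 1
    case $chain in
        OUTPUT|FORWARD|POSTROUTING) return 0 ;;
        *) return 1 ;;
    esac
}
# fix_rule RULE: print RULE with --physdev-is-bridged added after "-m physdev"
# when needs_is_bridged says it would warn; otherwise print RULE unchanged.
fix_rule() {
    if needs_is_bridged "$1"; then
        printf '%s\n' "$1" | sed 's/-m physdev /-m physdev --physdev-is-bridged /'
    else
        printf '%s\n' "$1"
    fi
}
# Constructed sample rules modelled on the grep output, with $vif and $pdev
# replaced by the placeholder names vif1.0 and peth0.
SAMPLE_RULES='iptables -A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out vif1.0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in peth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'
# audit_rules: one line per sample rule, prefixed WARN or ok
audit_rules() {
    printf '%s\n' "$SAMPLE_RULES" | while IFS= read -r r; do
        if needs_is_bridged "$r"; then echo "WARN $r"; else echo "ok   $r"; fi
    done
}
# count_warnings: number of sample rules that would log the warning
count_warnings() { audit_rules | grep -c '^WARN'; }
audit_rules
```

Only the RELATED,ESTABLISHED rule, the one that carries --physdev-out, is flagged; the --physdev-in rule from network-bridge and the nat MASQUERADE rule pass unchanged.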
