[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] bridge call iptables being forced

To: juan@xxxxxxxxxxxxxxx
From: Steven Haigh <netwiz@xxxxxxxxx>
Date: Fri, 20 Nov 2015 11:59:48 +1100
Cc: RimuHosting <support@xxxxxxxxxxxxxxx>, Xen-devel@xxxxxxxxxxxxx
Delivery-date: Fri, 20 Nov 2015 01:00:20 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 2015-11-19 12:46, Juan Rossi wrote:

Hi

I am sending this due the change of behaviour in some parts, and
perhaps it needs some code amendments, unsure if the devel list is the
best place, fell free to point me to the right place for this. Let me
know if I should load a bug instead.


I'm tracking this at:
        http://xen.crc.id.au/bugs/view.php?id=62

<snip>

diff --git a/tools/hotplug/Linux/vif-bridgeb/tools/hotplug/Linux/vif-bridge
index 3d72ca4..7fc6650 100644
--- a/tools/hotplug/Linux/vif-bridge
+++ b/tools/hotplug/Linux/vif-bridge
@@ -93,7 +93,16 @@ case "$command" in
         ;;
 esac

-handle_iptable
+brcalliptables=$(sysctl -n net.bridge.bridge-nf-call-iptables2>/dev/null)
+brcalliptables=${brcalliptables:-0}
+
+brcallip6tables=$(sysctl -n net.bridge.bridge-nf-call-ip6tables2>/dev/null)
+brcallip6tables=${brcallip6tables:-0}
+
+if [ "$brcalliptables" -eq "1" -a "$brcallip6tables" -eq "1" ];
+then
+       handle_iptable
+fi

 call_hooks vif post

I'm not a fan of this as it will also enable the call tohandle_iptable() if people create their own firewall rules - ie thesewill be true - hence the rule will get loaded anyway.

My comment on the bug report is included below to hopefully get furtherinput from people:Thinking about this further - as it is a change in behaviour for a pointrelease, I believe we should do the following:


1) Create a new option in /etc/xen/xl.conf - and default it to False.
2) Name an option "autocreate_firewall_files"

3) Evaluate autocreate_firewall_rules in vif-common.sh functionhandle_iptable()


I suggest something like the following psuedo code:
if [ $autocreate_firewall_rules == 0 ]; then
        return
fi

Happy to start debate on the correct way of handling this :)

Hopefully this can lead to some further debate.

--
Steven Haigh

Email: netwiz@xxxxxxxxx
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] bridge call iptables being forced
  - From: Juan Rossi

Prev by Date: Re: [Xen-devel] Current LibXL Status
Next by Date: Re: [Xen-devel] [PATCH 04/10] x86/hvm: pkeys, add pkeys support when setting CR4
Previous by thread: [Xen-devel] bridge call iptables being forced
Next by thread: [Xen-devel] [qemu-mainline test] 64579: tolerable FAIL - PUSHED
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.