This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-changelog] [xen-unstable] tools: dom0 iptables rule ordering change

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] tools: dom0 iptables rule ordering change
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 15 Apr 2009 05:55:16 -0700
Delivery-date: Wed, 15 Apr 2009 05:55:32 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1239704402 -3600
# Node ID e15d30dfb6003e10b1cc4189d7c25fb3a53ac4d1
# Parent  4063894c0c1fcd619e4b76916c919036567f3c07
tools: dom0 iptables rule ordering change

This patch makes two small changes to dom0 iptables rules that permit
(and revoke) domU network access.

Currently, a rule intended to allow domU network access is appended to
the end of the FORWARD chain, where it can be preempted by other
rules.  This patch causes the rule to be inserted at the top, where
it's more likely to have the intended effect.

In some cases (e.g. Fedora 9's default iptables configuration), the
first rule alone is insufficient to permit two-way packet flow.  This
patch adds a second rule to the FORWARD chain that permits replies to
domU network requests to reach the domU vif.

Signed-off-by: Chris Bookholt <hap10@xxxxxxxxxxxxxx>
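The ordering argument in the commit message, as a small added Python model (illustration only, not Xen's code; the interface names, packet fields and the reject-all distro rule are constructed stand-ins): a first-match walk over a FORWARD chain shows the appended rule being preempted by a trailing REJECT, the inserted rule passing outbound traffic only, and the two inserted rules passing both directions.

```python
# Added illustration (not Xen's code): a first-match model of the FORWARD chain
# showing why -A lets a distro's trailing REJECT preempt the domU ACCEPT rule,
# and why reply traffic needs the second RELATED,ESTABLISHED rule.
from dataclasses import dataclass

@dataclass
class Rule:
    target: str                       # ACCEPT or REJECT
    physdev_in: str = ""              # "" means "any", like omitting the match
    physdev_out: str = ""
    states: frozenset = frozenset()   # empty means no -m state match

@dataclass
class Packet:
    physdev_in: str
    physdev_out: str
    state: str                        # conntrack state: NEW, ESTABLISHED, RELATED

def matches(rule, pkt):
    return ((not rule.physdev_in or rule.physdev_in == pkt.physdev_in)
            and (not rule.physdev_out or rule.physdev_out == pkt.physdev_out)
            and (not rule.states or pkt.state in rule.states))

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins, as in netfilter; otherwise the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

def apply(chain, rule, flag):
    """iptables -A appends; -I (no position given) inserts at the top."""
    return chain + [rule] if flag == "-A" else [rule] + chain

VIF = "vif1.0"                                # constructed guest interface name
DISTRO_DEFAULT = [Rule("REJECT")]             # stand-in for a reject-all tail rule
OUTBOUND = Packet(VIF, "eth0", "NEW")         # guest -> outside
REPLY = Packet("eth0", VIF, "ESTABLISHED")    # outside -> guest, same flow
ALLOW_OUT = Rule("ACCEPT", physdev_in=VIF)
ALLOW_REPLY = Rule("ACCEPT", physdev_out=VIF,
                   states=frozenset({"RELATED", "ESTABLISHED"}))

def simulate(flag, add_reply_rule):
    """Return (outbound verdict, reply verdict) for a given rule strategy."""
    chain = apply(DISTRO_DEFAULT, ALLOW_OUT, flag)
    if add_reply_rule:
        chain = apply(chain, ALLOW_REPLY, flag)
    return verdict(chain, OUTBOUND), verdict(chain, REPLY)
```

`simulate("-A", False)` reproduces the old behaviour, `simulate("-I", False)` the ordering fix alone, and `simulate("-I", True)` this patch's two rules.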
 tools/hotplug/Linux/vif-common.sh |   15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)

diff -r 4063894c0c1f -r e15d30dfb600 tools/hotplug/Linux/vif-common.sh
--- a/tools/hotplug/Linux/vif-common.sh Tue Apr 14 11:18:37 2009 +0100
+++ b/tools/hotplug/Linux/vif-common.sh Tue Apr 14 11:20:02 2009 +0100
@@ -68,17 +68,20 @@ frob_iptable()
   if [ "$command" == "online" ]
-    local c="-A"
+    local c="-I"
     local c="-D"
   iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
-    2>/dev/null ||
-    [ "$c" == "-D" ] ||
-    log err \
-     "iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT failed.
-If you are using iptables, this may affect networking for guest domains."
+    2>/dev/null &&
+  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
+    --physdev-out "$vif" -j ACCEPT 2>/dev/null
+  if [ "$command" == "online" ] && [ $? ]
+  then
+    log err "iptables setup failed. This may affect guest networking."
+  fi
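Review bot: `[ $? ]` on the `if [ "$command" == "online" ] && [ $? ]` line does not test the iptables exit status. By the time `[ $? ]` expands, `$?` is the status of the preceding `[ "$command" == "online" ]` test, and `[ "0" ]` is a non-empty-string test that is always true, so the error is logged on every online event whether or not iptables succeeded. Capture the status immediately after the second iptables command (`local rc=$?`) and test `[ "$rc" -ne 0 ]`. Also, joining the two iptables calls with `&&` means that on offline a failing first `-D` skips the second delete and leaves the RELATED,ESTABLISHED rule behind; running the two deletes independently avoids that.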

Xen-changelog mailing list
