WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

To: Sander Eikelenboom <linux@xxxxxxxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH] vif-common.sh prevent physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore
From: Teck Choon Giam <giamteckchoon@xxxxxxxxx>
Date: Tue, 9 Nov 2010 07:49:31 +0800
Cc: Ian <Ian.Campbell@xxxxxxxxxxxxx>, "Xen-devel@xxxxxxxxxxxxxxxxxxx" <Xen-devel@xxxxxxxxxxxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Keir Fraser <keir.fraser@xxxxxxxxxxxxx>
Delivery-date: Mon, 08 Nov 2010 15:50:27 -0800
In-reply-to: <4010012490.20101108235313@xxxxxxxxxxxxxx>
References: <4010012490.20101108235313@xxxxxxxxxxxxxx>
On Tue, Nov 9, 2010 at 6:53 AM, Sander Eikelenboom <linux@xxxxxxxxxxxxxx> wrote:
> Hi all,
>
> Please consider this patch, with newer (pvops) kernels my logs get flooded 
> with this iptables warning:
> physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING 
> chains for non-bridged traffic is not supported anymore
>
> Using the --physdev-is-bridged option prevents this.
> See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10
>

I guess a patch for tools/hotplug/Linux/network-bridge will also be required?

$ grep iptables ./*/*
./Linux/network-bridge:# antispoof  Whether to use iptables to prevent spoofing (default no).
./Linux/network-bridge:    iptables -P FORWARD DROP
./Linux/network-bridge:    iptables -F FORWARD
./Linux/network-bridge:    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT << HERE IT IS
./Linux/network-nat:# antispoof  Whether to use iptables to prevent spoofing (default no).
./Linux/network-nat:    iptables -t nat -A POSTROUTING -o ${netdev} -j MASQUERADE
./Linux/network-nat:    iptables -t nat -D POSTROUTING -o ${netdev} -j MASQUERADE
./Linux/network-route:# antispoof  Whether to use iptables to prevent spoofing (default yes).
./Linux/vif-bridge:# Enslaves the vif interface to the bridge and adds iptables rules
./Linux/vif-bridge:# Removes the vif interface from the bridge and removes the iptables
./Linux/vif-common.sh:  iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
./Linux/vif-common.sh:  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
./Linux/vif-common.sh:    log err "iptables setup failed. This may affect guest networking."
./Linux/vif-common.sh:# Add or remove the appropriate entries in the iptables.  With antispoofing
./Linux/vif-common.sh:  # Check for a working iptables installation.  Checking for the iptables
./Linux/vif-common.sh:  # modules installed.  If iptables is not working, then there's no need to do
./Linux/vif-common.sh:  if ! iptables -L -n >&/dev/null
./Linux/vif-common.sh:  claim_lock "iptables"
./Linux/vif-common.sh:  release_lock "iptables"

Thanks.

Kindest regards,
Giam Teck Choon

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
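The thread is about physdev rules in the FORWARD chain that match on --physdev-out without --physdev-is-bridged, which is the combination the kernel warns about. The following script is an added example, not code from the Xen hotplug scripts or from anyone in the thread: it audits iptables-save style output for exactly that combination in the OUTPUT, FORWARD and POSTROUTING chains and shows how the offending rule looks once --physdev-is-bridged is added. The rule set and the vif names (vif1.0, vif2.0) are constructed for the example.

```shell
#!/bin/sh
# Added example (not the Xen hotplug scripts' own code): audit iptables-save
# output for the physdev combination the kernel warning in the mail refers to.
# SAMPLE_RULES is a constructed rule set; vif1.0 and vif2.0 are made-up names.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-is-bridged --physdev-out vif2.0 -j ACCEPT
-A INPUT -m physdev --physdev-in vif1.0 -j ACCEPT
COMMIT'

# Read iptables-save lines from stdin and print every rule in the OUTPUT,
# FORWARD or POSTROUTING chain that uses --physdev-out without
# --physdev-is-bridged.  Rules in other chains (e.g. INPUT) are not affected
# by the warning and are skipped.
audit_physdev_out() {
    while IFS= read -r rule; do
        case "$rule" in
            "-A FORWARD "*|"-A OUTPUT "*|"-A POSTROUTING "*) ;;
            *) continue ;;
        esac
        case "$rule" in
            *"--physdev-out "*) ;;
            *) continue ;;
        esac
        case "$rule" in
            *"--physdev-is-bridged"*) continue ;;
        esac
        printf '%s\n' "$rule"
    done
}

# Rewrite one offending rule so that --physdev-out is qualified with
# --physdev-is-bridged, the change the patch in the thread makes for the
# vif-common.sh rule.
fix_physdev_out() {
    printf '%s\n' "$1" | sed 's/--physdev-out /--physdev-is-bridged --physdev-out /'
}

# Number of offending rules in the constructed sample (expected: 1).
count_offending() {
    printf '%s\n' "$SAMPLE_RULES" | audit_physdev_out | wc -l | tr -d ' '
}

# Stand-alone run: list the offending rules and their corrected form.
printf '%s\n' "$SAMPLE_RULES" | audit_physdev_out | while IFS= read -r bad; do
    printf 'offending: %s\n' "$bad"
    printf 'corrected: %s\n' "$(fix_physdev_out "$bad")"
done
```

On a live dom0 the same audit runs as `iptables-save | audit_physdev_out`. One caveat when applying the fix: --physdev-is-bridged restricts the rule to frames that are being bridged, so a rule that relied on matching routed traffic (the network-route or network-nat setups) stops matching it and needs a separate, non-physdev rule instead.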