[Xen-changelog] [xen-4.0-testing] tools/hotplug/Linux: Avoid dependency on iptables conntrack module.
# HG changeset patch
# User Keir Fraser <keir@xxxxxxx>
# Date 1292602434 0
# Node ID af7110f4f80307413cec60ae4191d6863ba1b540
# Parent 8d8c8886e8d5949668de9d3f7be7c751ca18335f
tools/hotplug/Linux: Avoid dependency on iptables conntrack module.

Checking for RELATED,ESTABLISHED traffic being sent to a domU requires connection tracking, which adds unexpected (to most users) load to dom0. Heavily loaded systems can fill the conntrack tables. So avoid this, be more liberal in what we accept, and leave it to domU to police its own input.

Signed-off-by: Keir Fraser <keir@xxxxxxx>
xen-unstable changeset: 22573:ff1b80ccecd9
xen-unstable date: Fri Dec 17 16:12:37 2010 +0000

tools/hotplug/Linux: supply --physdev-is-bridged in iptables runes

With newer (pvops) kernels logs get flooded with this iptables warning:

physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore

Using the --physdev-is-bridged option prevents this.

See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10

Signed-off-by: Sander Eikelenboom <linux@xxxxxxxxxxxxxx>
Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
xen-unstable changeset: 22385:b0fe8260cefa
xen-unstable date: Wed Nov 10 14:37:19 2010 +0000
---
 tools/hotplug/Linux/vif-common.sh | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff -r 8d8c8886e8d5 -r af7110f4f803 tools/hotplug/Linux/vif-common.sh
--- a/tools/hotplug/Linux/vif-common.sh Fri Dec 17 14:17:31 2010 +0000
+++ b/tools/hotplug/Linux/vif-common.sh Fri Dec 17 16:13:54 2010 +0000
@@ -73,10 +73,10 @@ frob_iptable() local c="-D" fi - iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \ - 2>/dev/null && - iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \ - --physdev-out "$vif" -j ACCEPT 2>/dev/null + iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \ + "$@" -j ACCEPT 2>/dev/null && + iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \ + -j ACCEPT 2>/dev/null if [ "$command" == "online" -a $? -ne 0 ] then _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
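Review bot: the replacement `--physdev-out "$vif"` rule accepts all bridged traffic towards the domU unconditionally, where the removed rule accepted only `-m state --state RELATED,ESTABLISHED`; the per-vif `"$@"` restrictions are still applied only to the `--physdev-in` rule, so after this change dom0 does no state-based filtering of traffic forwarded into the guest. That matches the stated intent ("leave it to domU to police its own input"), but it is a behaviour change for existing deployments and deserves a comment above frob_iptable() and a note in the release notes, so administrators know to move inbound filtering into the guest or into their own dom0 rules. A smaller point: both calls keep `2>/dev/null`, so on an iptables build that does not understand `--physdev-is-bridged` the only signal is the non-zero status checked by the `if [ "$command" == "online" -a $? -ne 0 ]` line that follows; consider capturing stderr for the hotplug log instead of discarding it, since the failure otherwise reads as a generic rule-insertion error.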