Re: [Xen-devel] [PATCH] vif-common.sh prevent physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore
On Tue, Nov 9, 2010 at 6:53 AM, Sander Eikelenboom <linux@xxxxxxxxxxxxxx> wrote:
> Hi all,
>
> Please consider this patch, with newer (pvops) kernels my logs get flooded
> with this iptables warning:
> physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
> chains for non-bridged traffic is not supported anymore
>
> Using the --physdev-is-bridged option prevents this.
> See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10
>

I guess a patch for tools/hotplug/Linux/network-bridge will also be required?

$ grep iptables ./*/*
./Linux/network-bridge:# antispoof Whether to use iptables to prevent spoofing (default no).
./Linux/network-bridge: iptables -P FORWARD DROP
./Linux/network-bridge: iptables -F FORWARD
./Linux/network-bridge: iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT << HERE IT IS
./Linux/network-nat:# antispoof Whether to use iptables to prevent spoofing (default no).
./Linux/network-nat: iptables -t nat -A POSTROUTING -o ${netdev} -j MASQUERADE
./Linux/network-nat: iptables -t nat -D POSTROUTING -o ${netdev} -j MASQUERADE
./Linux/network-route:# antispoof Whether to use iptables to prevent spoofing (default yes).
./Linux/vif-bridge:# Enslaves the vif interface to the bridge and adds iptables rules
./Linux/vif-bridge:# Removes the vif interface from the bridge and removes the iptables
./Linux/vif-common.sh: iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
./Linux/vif-common.sh: iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
./Linux/vif-common.sh: log err "iptables setup failed. This may affect guest networking."
./Linux/vif-common.sh:# Add or remove the appropriate entries in the iptables. With antispoofing
./Linux/vif-common.sh: # Check for a working iptables installation. Checking for the iptables
./Linux/vif-common.sh: # modules installed. If iptables is not working, then there's no need to do
./Linux/vif-common.sh: if ! iptables -L -n >&/dev/null
./Linux/vif-common.sh: claim_lock "iptables"
./Linux/vif-common.sh: release_lock "iptables"

Thanks.

Kindest regards,
Giam Teck Choon

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
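The thread above asks which hotplug scripts emit rules that trip the kernel's physdev warning. The following is an added example, not code from the Xen tree or from either poster: a small POSIX sh audit that reads rules in iptables-save format, flags any rule that uses --physdev-out without --physdev-is-bridged in the OUTPUT, FORWARD or POSTROUTING chain (the combination the quoted warning describes), and prints the rule with --physdev-is-bridged added. It only inspects text and never invokes iptables. The sample rules and the vif name vif1.0 are constructed for the example, loosely modelled on the grep hits quoted above; they are not the exact rules the Xen scripts install.

```sh
#!/bin/sh
# Added example (not from the Xen hotplug scripts): audit iptables-save lines
# for the --physdev-out usage that triggers the physdev kernel warning and
# show the corrected rule. Text only; iptables itself is never called.

# Return 0 when one iptables-save rule line would trigger the warning: it
# uses --physdev-out, lacks --physdev-is-bridged, and is appended to or
# inserted in one of the chains the kernel message names.
rule_needs_is_bridged() {
    rule=$1
    case "$rule" in
        *--physdev-out*) ;;
        *) return 1 ;;
    esac
    case "$rule" in
        *--physdev-is-bridged*) return 1 ;;
    esac
    case "$rule" in
        "-A OUTPUT "*|"-A FORWARD "*|"-A POSTROUTING "*|\
        "-I OUTPUT "*|"-I FORWARD "*|"-I POSTROUTING "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rule with --physdev-is-bridged placed right after "-m physdev",
# which is the change the original poster's patch proposes for vif-common.sh.
fix_rule() {
    printf '%s\n' "$1" | sed 's/-m physdev /-m physdev --physdev-is-bridged /'
}

# For each rule line on stdin, print whether it is fine, and if not, the fix.
audit_rules() {
    while IFS= read -r rule; do
        if rule_needs_is_bridged "$rule"; then
            printf 'WARN: %s\n' "$rule"
            printf 'FIX:  %s\n' "$(fix_rule "$rule")"
        else
            printf 'OK:   %s\n' "$rule"
        fi
    done
}

# Count the rules on stdin that need the option (handy for a nagging check
# in a dom0 health script).
count_flagged() {
    n=0
    while IFS= read -r rule; do
        if rule_needs_is_bridged "$rule"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample of iptables-save output for a bridged guest vif; not
# captured from a real host and not the literal rules the Xen scripts add.
SAMPLE_RULES='-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vif1.0 -j ACCEPT
-A POSTROUTING -m physdev --physdev-out vif1.0 -j ACCEPT'

# Run the audit over the sample; three of the five rules are reported.
printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

On a real dom0 the same functions can be fed with `iptables-save | audit_rules` (and `iptables-save -t nat` for POSTROUTING rules). Note that the --physdev-in rule network-bridge installs, quoted in the grep output above, is not reported: the kernel message concerns --physdev-out only, so the FORWARD rules in vif-common.sh that match on the outgoing vif are the ones a patch needs to touch.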