Re: [Xen-devel] [PATCH] vif-common.sh prevent physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore
Tuesday, November 9, 2010, 5:53:19 PM, you wrote:

> Sander Eikelenboom writes ("[Xen-devel] [PATCH] vif-common.sh prevent physdev
> match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for
> non-bridged traffic is not supported anymore"):
>> - iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
>> + iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif"
>> "$@" -j ACCEPT \

> This will break on earlier iptables and/or earlier kernels.

> Is there a way to detect whether --physdev-is-bridged is going to work ?
> We could grep the output from iptables but is that sufficient ? I
> guess we may need to check for kernel behaviour too somehow.

Good point, although I don't have a config with an old enough iptables/kernel to test what happens in that case ..
The option should be available from before 2008 (http://ipset.netfilter.org/iptables.man.html) though.

> Ian.

--
Best regards,
 Sander mailto:linux@xxxxxxxxxxxxxx
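
Review bot: `--physdev-is-bridged` is added to the FORWARD `--physdev-in` rule unconditionally, so on an iptables build that does not know the option the rule insertion fails, and because the quoted line ends in `\` whatever handles that failure is not visible here. Suggest probing once for the option (for example, checking whether `iptables -m physdev --help` lists it) and falling back to the old match when it is absent, so older setups keep the behaviour they have today. A sentence in the commit message on why a rule matching `--physdev-in` needs the flag, when the subject is about `--physdev-out`, would also help.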