
Re: [Xen-devel] [PATCH 3/5] hotplug/linux: Improve iptables logic



Sylvain Munaut writes ("[PATCH 3/5] hotplug/linux: Improve iptables logic"):
> The main goal of this is to pave the way for IPv6 support, but it
> also improves the rules by preventing duplicate incoming-packet
> rules from being added.
> 
> frob_iptables now takes a list of addresses to handle as parameter
> and creates the rules as needed. Any 'common' rule is no longer
> repeated.
...

AFAICT the duplicate entries are simply because

> -  iptables "$c" FORWARD -w $dev_in_match "$dev" \
> -    "$@" -j ACCEPT 2>/dev/null &&
> -  iptables "$c" FORWARD -w $dev_out_match "$dev" \
> -    -j ACCEPT 2>/dev/null
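Review bot: the second iptables call in these removed lines (the $dev_out_match rule) takes no "$@", so it is byte-for-byte identical on every invocation of the function, and calling the function once per source pattern adds that same outbound rule once per pattern; hoisting that one call out of the per-address loop removes the duplication without changing the per-address inbound rules. The `&&` between the two calls, combined with `2>/dev/null` on both, also means that when the inbound insert fails the outbound rule is silently skipped and nothing is reported, which is worth keeping in mind when restructuring.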

this second line, which does not contain "$@", is invoked once for
each source pattern.

Surely instead it would be better to lift this out.

I'm not sure I like the change in the handling of any.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
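To make the "lift it out" suggestion concrete, here is an added illustration that is not the Xen hotplug script, the submitted patch, or Ian's code: a small POSIX shell function that emits one address-dependent inbound FORWARD rule per address and the address-independent outbound rule exactly once, after the loop. It assumes an `IPTABLES` variable that defaults to `echo iptables`, so the script prints the commands it would run instead of modifying any firewall, and it assumes `dev_in_match`/`dev_out_match` stand in for the physdev match options of the real script; the patch's handling of `any` is not modelled.

```shell
#!/bin/sh
# Added example, not the Xen hotplug script. Shows how to generate the
# per-address inbound rules and a single outbound rule for a guest vif.
#
# Assumption: IPTABLES defaults to "echo iptables" so the commands are
# printed rather than executed; set IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
# Assumption: these stand in for the bridge physdev matches used by the
# real script; the exact options there may differ.
dev_in_match="-m physdev --physdev-is-bridged --physdev-in"
dev_out_match="-m physdev --physdev-is-bridged --physdev-out"

# frob_iptables <-I|-D> <dev> <addr>...
# Emits one inbound rule per address (the only part that depends on the
# address) and the outbound rule once, instead of once per address.
# Returns non-zero if any single rule command failed, but keeps going so
# a failed inbound rule does not silently drop the outbound one.
frob_iptables()
{
  c="$1"; dev="$2"; shift 2
  rc=0
  for addr in "$@"; do
    $IPTABLES "$c" FORWARD -w $dev_in_match "$dev" -s "$addr" -j ACCEPT || rc=1
  done
  # Lifted out of the loop: identical for every address, so add it once.
  $IPTABLES "$c" FORWARD -w $dev_out_match "$dev" -j ACCEPT || rc=1
  return $rc
}

# Counts the outbound rules generated for the given addresses; with the
# rule hoisted out of the loop this is always 1, however many addresses.
count_out_rules()
{
  frob_iptables -I vif1.0 "$@" | grep -c -- "--physdev-out"
}

# Counts the inbound rules generated: one per address.
count_in_rules()
{
  frob_iptables -I vif1.0 "$@" | grep -c -- "--physdev-in"
}
```

Running `frob_iptables -I vif1.0 10.0.0.1 10.0.0.2` with the default `IPTABLES` prints two inbound lines and one outbound line; the old structure quoted above would have printed the outbound line twice. Using `-D` with the same argument list removes exactly the rules that `-I` added.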
