
Re: [Xen-devel] bridge call iptables being forced



On 2015-11-19 12:46, Juan Rossi wrote:
Hi

I am sending this due to the change of behaviour in some parts, and
perhaps it needs some code amendments. I am unsure if the devel list is the
best place; feel free to point me to the right place for this. Let me
know if I should load a bug instead.

I'm tracking this at:
        http://xen.crc.id.au/bugs/view.php?id=62

<snip>
diff --git a/tools/hotplug/Linux/vif-bridge b/tools/hotplug/Linux/vif-bridge
index 3d72ca4..7fc6650 100644
--- a/tools/hotplug/Linux/vif-bridge
+++ b/tools/hotplug/Linux/vif-bridge
@@ -93,7 +93,16 @@ case "$command" in
         ;;
 esac

-handle_iptable
+brcalliptables=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)
+brcalliptables=${brcalliptables:-0}
+
+brcallip6tables=$(sysctl -n net.bridge.bridge-nf-call-ip6tables 2>/dev/null)
+brcallip6tables=${brcallip6tables:-0}
+
+if [ "$brcalliptables" -eq "1" -a "$brcallip6tables" -eq "1" ];
+then
+       handle_iptable
+fi

 call_hooks vif post
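Review bot: the `-a` in `[ "$brcalliptables" -eq "1" -a "$brcallip6tables" -eq "1" ]` requires both sysctls to be on, so a host with only `net.bridge.bridge-nf-call-iptables=1` (bridged IPv4 traffic filtered, IPv6 not) skips handle_iptable entirely, and the rule that was previously installed unconditionally is no longer created for the family that is actually being filtered. If the intent is to install rules whenever bridged traffic will traverse the filter, the condition should be an OR, e.g. `if [ "$brcalliptables" -eq 1 ] || [ "$brcallip6tables" -eq 1 ]; then`, or the two families should be handled separately. Minor: `-a` inside `[ ]` is marked obsolescent by POSIX, and the `;` before the newline and `then` is redundant. The `${var:-0}` defaults are the right choice for the case where `sysctl` fails because br_netfilter is not loaded: the script then does nothing instead of passing an empty string to `-eq`.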

I'm not a fan of this as it will also enable the call to handle_iptable() if people create their own firewall rules - ie these will be true - hence the rule will get loaded anyway.

My comment on the bug report is included below to hopefully get further input from people: Thinking about this further - as it is a change in behaviour for a point release, I believe we should do the following:

1) Create a new option in /etc/xen/xl.conf - and default it to False.
2) Name the option "autocreate_firewall_rules"
3) Evaluate autocreate_firewall_rules in vif-common.sh function handle_iptable()

I suggest something like the following pseudo code:
if [ "${autocreate_firewall_rules:-0}" -eq 0 ]; then
        return
fi

Happy to start debate on the correct way of handling this :)

Hopefully this can lead to some further debate.

--
Steven Haigh

Email: netwiz@xxxxxxxxx
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
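As an added example (not code from Xen's vif-bridge or vif-common.sh, and not from either poster), the following POSIX shell shows one way the two ideas in this thread could be combined: the posted patch's reading of the bridge-nf-call sysctls with a default of 0 when they are absent, and the proposed xl.conf switch checked first so that people who set those sysctls for their own firewall are not surprised by extra rules. It goes beyond the thread in one respect: it treats either family being filtered as sufficient (OR rather than the patch's AND), since a host with only bridge-nf-call-iptables=1 still has its bridged IPv4 traffic pass through iptables. The environment variable AUTOCREATE_FIREWALL_RULES is a hypothetical name for however the xl.conf option would reach the hotplug script; the thread does not specify that mechanism. The decision function takes its inputs as arguments so it can be exercised offline.

```shell
# Added example, not Xen project code. Assumption (hypothetical): the xl.conf
# option proposed in the thread is exported to the hotplug script as
# AUTOCREATE_FIREWALL_RULES, defaulting to 0 (off) as Steven suggests.

# read_sysctl_flag KEY
# Prints 1 if the sysctl is set to 1, otherwise 0. A missing key (for example
# br_netfilter not loaded, so net.bridge.* does not exist) yields 0, so the
# decision errs on the side of not touching the firewall. The "|| true" keeps
# a failing sysctl from aborting scripts that run under "set -e".
read_sysctl_flag() {
    v=$(sysctl -n "$1" 2>/dev/null || true)
    case "$v" in
        1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# should_handle_iptable AUTOCREATE CALL_IPTABLES CALL_IP6TABLES
# Returns 0 (true) when the vif script should install its iptables rules.
#  - The admin's xl.conf choice is checked first: with it off, no rules are
#    created regardless of the sysctls, which is the behaviour-preserving
#    default for a point release.
#  - With it on, rules are installed if either bridge family is being
#    filtered. This is OR, unlike the posted patch's "-a", so a host with
#    only bridge-nf-call-iptables=1 still gets its IPv4 rule.
should_handle_iptable() {
    autocreate=$1
    call_ipt=$2
    call_ip6t=$3
    [ "$autocreate" = 1 ] || return 1
    [ "$call_ipt" = 1 ] || [ "$call_ip6t" = 1 ]
}

# decide_from_host
# Gathers the live values and applies the decision; in a vif script this is
# what would guard the call to handle_iptable.
decide_from_host() {
    should_handle_iptable "${AUTOCREATE_FIREWALL_RULES:-0}" \
        "$(read_sysctl_flag net.bridge.bridge-nf-call-iptables)" \
        "$(read_sysctl_flag net.bridge.bridge-nf-call-ip6tables)"
}
```

In a vif script the unconditional call would become `if decide_from_host; then handle_iptable; fi`. Keeping the policy in a function that takes plain arguments makes the table of cases (option off, option on with neither/either/both sysctls set) easy to check outside a Xen host.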

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
