Re: [Xen-devel] bridge call iptables being forced
On 2015-11-19 12:46, Juan Rossi wrote:
> Hi
>
> I am sending this due to the change of behaviour in some parts, and perhaps it needs some code amendments. Unsure if the devel list is the best place, feel free to point me to the right place for this. Let me know if I should load a bug instead.

I'm tracking this at: http://xen.crc.id.au/bugs/view.php?id=62

<snip>

diff --git a/tools/hotplug/Linux/vif-bridge b/tools/hotplug/Linux/vif-bridgeindex 3d72ca4..7fc6650 100644 --- a/tools/hotplug/Linux/vif-bridge +++ b/tools/hotplug/Linux/vif-bridge @@ -93,7 +93,16 @@ case "$command" in ;; esac -handle_iptable+brcalliptables=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)+brcalliptables=${brcalliptables:-0} ++brcallip6tables=$(sysctl -n net.bridge.bridge-nf-call-ip6tables 2>/dev/null)+brcallip6tables=${brcallip6tables:-0} + +if [ "$brcalliptables" -eq "1" -a "$brcallip6tables" -eq "1" ]; +then + handle_iptable +fi call_hooks vif post

I'm not a fan of this as it will also enable the call to handle_iptable() if people create their own firewall rules - ie these will be true - hence the rule will get loaded anyway.

My comment on the bug report is included below to hopefully get further input from people:

Thinking about this further - as it is a change in behaviour for a point release, I believe we should do the following:

1) Create a new option in /etc/xen/xl.conf - and default it to False.
2) Name an option "autocreate_firewall_files"
3) Evaluate autocreate_firewall_rules in vif-common.sh function handle_iptable()

I suggest something like the following pseudo code:

    if [ "$autocreate_firewall_rules" = "0" ]; then
        return
    fi

Happy to start debate on the correct way of handling this :)

Hopefully this can lead to some further debate.

--
Steven Haigh
Email: netwiz@xxxxxxxxx
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
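Review bot: the `-a` in `if [ "$brcalliptables" -eq "1" -a "$brcallip6tables" -eq "1" ]` requires both sysctls to read 1 before handle_iptable is called, so a host with net.bridge.bridge-nf-call-iptables=1 but net.bridge.bridge-nf-call-ip6tables=0, or one where the ip6tables key is absent and `${brcallip6tables:-0}` maps it to 0, silently skips the vif rules even though IPv4 bridged traffic is still being handed to iptables; `-o`, or one check per address family, matches the intent better. Related: because `sysctl -n ... 2>/dev/null` yields an empty string when the net.bridge.bridge-nf-call-* keys are not present at the time vif-bridge runs, the defaults of 0 turn "keys not yet available" into "install no rules", which is a different outcome from the unconditional `-handle_iptable` line being removed; the commit message should state that behaviour change explicitly.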
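An added example, not code from the thread or from Xen, of the gate proposed above: read an `autocreate_firewall_rules` option in xl.conf syntax (key = value, optional quotes, `#` comments), default it to off when absent, and skip the rule installation unless it is set. It assumes the hotplug script is handed the config file path; how libxl would pass the setting to vif-common.sh is not covered here.

```shell
#!/bin/sh
# Added example (not Xen's code): gate handle_iptable() on an xl.conf-style
# "autocreate_firewall_rules" option. Absent or unreadable config means 0.

# Print 1 if autocreate_firewall_rules is enabled in the given file, else 0.
# Handles "key = value", quoted values, trailing '#' comments; last entry wins.
autocreate_firewall_rules_enabled() {
    conf="$1"
    val=""
    [ -r "$conf" ] || { echo 0; return; }
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                      # strip comments
        case "$line" in
            *autocreate_firewall_rules*=*)
                key="${line%%=*}"
                key=$(printf '%s' "$key" | tr -d '[:space:]')
                [ "$key" = "autocreate_firewall_rules" ] || continue
                v="${line#*=}"
                v=$(printf '%s' "$v" | tr -d '[:space:]"'"'")
                val="$v"
                ;;
        esac
    done < "$conf"
    case "$val" in
        1|true|True|yes) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Where the check would sit at the top of handle_iptable(): the decision is
# echoed so it can be observed; the real script would install the vif rules.
maybe_handle_iptable() {
    if [ "$(autocreate_firewall_rules_enabled "$1")" -eq 0 ]; then
        echo skipped
        return 0
    fi
    echo handle_iptable
}
```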