From 94ddf9c9fa65582b9f89624bdfdd860974fed602 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Jan=20R=C4=99korajski?=
Date: Sat, 3 Mar 2012 09:42:12 +0000
Subject: [PATCH] - disable iptables on bridge, rationale here:
https://bugzilla.redhat.com/show_bug.cgi?id=512206
http://patchwork.ozlabs.org/patch/29319/
http://lists.gnu.org/archive/html/qemu-devel/2009-07/msg01592.html
Changed files:
 xen-net-disable-iptables-on-bridge.patch -> 1.1
 xen.spec -> 1.99
---
 xen-net-disable-iptables-on-bridge.patch | 29 ++++++++++++++++++++++++
 xen.spec | 2 ++
 2 files changed, 31 insertions(+)
 create mode 100644 xen-net-disable-iptables-on-bridge.patch
diff --git a/xen-net-disable-iptables-on-bridge.patch b/xen-net-disable-iptables-on-bridge.patch
new file mode 100644
index 0000000..e7a8930
--- /dev/null
+++ b/xen-net-disable-iptables-on-bridge.patch
@@ -0,0 +1,29 @@
+--- xen-4.1.0-orig/tools/hotplug/Linux/vif-bridge 2008-08-22 10:49:07.000000000 +0100
++++ xen-4.1.0-new/tools/hotplug/Linux/vif-bridge 2008-08-29 11:29:38.000000000 +0100
+@@ -96,10 +96,6 @@ case "$command" in
+ ;;
+ esac
+ 
+-if [ "$type_if" = vif ]; then
+- handle_iptable
+-fi
+-
+ log debug "Successful vif-bridge $command for $dev, bridge $bridge."
+ if [ "$type_if" = vif -a "$command" = "online" ]
+ then
+--- xen-3.3.0-orig/tools/hotplug/Linux/xen-network-common.sh 2008-08-22 10:49:07.000000000 +0100
++++ xen-3.3.0-new/tools/hotplug/Linux/xen-network-common.sh 2008-08-29 11:29:38.000000000 +0100
+@@ -99,6 +99,13 @@ create_bridge () {
+ brctl addbr ${bridge}
+ brctl stp ${bridge} off
+ brctl setfd ${bridge} 0
++ # Setting these to zero stops guest<->LAN traffic
++ # traversing the bridge from hitting the *tables
++ # rulesets. guest<->host traffic still gets processed
++ # by the host's iptables rules so this isn't a hole
++ sysctl -q -w "net.bridge.bridge-nf-call-arptables=0"
++ sysctl -q -w "net.bridge.bridge-nf-call-ip6tables=0"
++ sysctl -q -w "net.bridge.bridge-nf-call-iptables=0"
+ fi
+ }
+ 
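Review bot: The three `sysctl -q -w "net.bridge.bridge-nf-call-*=0"` lines added to create_bridge() in the second inner hunk set a host-wide kernel knob, not a property of `${bridge}`, so bridged traffic on every bridge on the host stops traversing the iptables/ip6tables/arptables rulesets, and nothing reverts the setting when the bridge is torn down. The added comment only argues about guest<->host traffic; guest<->guest traffic on the same bridge now bypasses the host rulesets as well, and the first inner hunk drops the `handle_iptable` call from vif-bridge, so whatever per-vif rules that helper installed (presumably the antispoof rules when the vif configuration enables them — its body is outside this patch) are no longer applied on online/offline. I would extend the comment with `# NOTE: host-wide sysctl, not per-bridge; guest<->guest traffic on this bridge also skips the host rulesets, and it is not reset when the bridge is deleted` so an administrator relying on bridge netfilter is told what changed. The sysctl calls are also unchecked: `-q` only suppresses the value echo, so a missing key (bridge netfilter not loaded) is neither detected nor reported through the `log` helper these scripts use elsewhere. Minor: the two inner headers reference xen-4.1.0 and xen-3.3.0 trees with 2008 timestamps inside one patch file, which reads like a stale copy and is worth regenerating from a single tree.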
diff --git a/xen.spec b/xen.spec
index 2c5aa95..3b9ad88 100644
--- a/xen.spec
+++ b/xen.spec
@@ -57,6 +57,7 @@ Patch8: xend.catchbt.patch
 Patch9: xend.empty.xml.patch
 Patch10: xend-pci-loop.patch
 Patch11: xen-dumpdir.patch
+Patch12: xen-net-disable-iptables-on-bridge.patch
 # stubdom patch
 Patch100: grub-ext4-support.patch
 URL: http://www.cl.cam.ac.uk/Research/SRG/netos/xen/index.html
@@ -211,6 +212,7 @@ This package provides bash-completion for xen.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 %{__rm} -v tools/check/*.orig
-- 
2.44.0