]> git.pld-linux.org Git - packages/xen.git/blob - xen-net-disable-iptables-on-bridge.patch
- pv-grub-x86_64 on 32bit archs
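--- a/tools/hotplug/Linux/vif-bridge
+++ b/tools/hotplug/Linux/vif-bridge
@@ -96,10 +96,6 @@ case "$command" in
         ;;
 esac
 
-if [ "$type_if" = vif ]; then
-    handle_iptable
-fi
-
 log debug "Successful vif-bridge $command for $dev, bridge $bridge."
 if [ "$type_if" = vif -a "$command" = "online" ]
 then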
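--- a/tools/hotplug/Linux/xen-network-common.sh
+++ b/tools/hotplug/Linux/xen-network-common.sh
@@ -99,6 +99,13 @@ create_bridge () {
        brctl addbr ${bridge}
        brctl stp ${bridge} off
        brctl setfd ${bridge} 0
+       # Setting these to zero stops guest<->LAN traffic
+       # traversing the bridge from hitting the *tables
+       # rulesets. guest<->host traffic still gets processed
+       # by the host's iptables rules so this isn't a hole
+       sysctl -q -w "net.bridge.bridge-nf-call-arptables=0"
+       sysctl -q -w "net.bridge.bridge-nf-call-ip6tables=0"
+       sysctl -q -w "net.bridge.bridge-nf-call-iptables=0"
     fi
 }
 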
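Review bot: The added comment's claim that "this isn't a hole" holds only for hosts that never filter bridged traffic in dom0. The three `net.bridge.bridge-nf-call-*` keys are host-wide rather than per-bridge, so once create_bridge has run, no iptables, ip6tables or arptables rule sees frames forwarded across any bridge on the machine. Together with the vif-bridge hunk, which drops the `handle_iptable` call, whatever per-vif filtering that call installed is silently gone (presumably the `ip=` restriction from the guest config; its definition is not shown on this page). I would reword the comment to say so, e.g. `# Host-wide: bridged guest<->LAN frames bypass ip/ip6/arptables on ALL bridges; use ebtables if guest isolation is needed`, and check each write, e.g. `sysctl -q -w "net.bridge.bridge-nf-call-iptables=0" || echo "bridge-nf sysctl not applied" >&2`, since the keys can be absent when the bridge netfilter code is not loaded. create_bridge starts outside the hunk, and the writes appear to sit inside the conditional closed by `fi`, so they would be skipped whenever that branch is not taken.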