Author: baggins
Date: Sat Mar 3 09:42:17 2012 GMT
Module: packages
Tag: HEAD
---- Log message:
- disable iptables on bridge, rationale here:
  https://bugzilla.redhat.com/show_bug.cgi?id=512206
  http://patchwork.ozlabs.org/patch/29319/
  http://lists.gnu.org/archive/html/qemu-devel/2009-07/msg01592.html
---- Files affected: packages/xen: xen.spec (1.98 -> 1.99) , xen-net-disable-iptables-on-bridge.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================ Index: packages/xen/xen.spec diff -u packages/xen/xen.spec:1.98 packages/xen/xen.spec:1.99 --- packages/xen/xen.spec:1.98 Wed Feb 29 22:10:03 2012 +++ packages/xen/xen.spec Sat Mar 3 10:42:12 2012 @@ -58,6 +58,7 @@ Patch9: xend.empty.xml.patch Patch10: xend-pci-loop.patch Patch11: xen-dumpdir.patch +Patch12: xen-net-disable-iptables-on-bridge.patch # stubdom patch Patch100: grub-ext4-support.patch URL: http://www.cl.cam.ac.uk/Research/SRG/netos/xen/index.html @@ -212,6 +213,7 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 %{__rm} -v tools/check/*.orig @@ -440,6 +442,12 @@ All persons listed below can be reached at <cvs_login>@pld-linux.org $Log$ +Revision 1.99 2012/03/03 09:42:12 baggins +- disable iptables on bridge, rationale here: + https://bugzilla.redhat.com/show_bug.cgi?id=512206 + http://patchwork.ozlabs.org/patch/29319/ + http://lists.gnu.org/archive/html/qemu-devel/2009-07/msg01592.html + Revision 1.98 2012/02/29 21:10:03 baggins - blktapctrl is started by xend, consider reworking xend - verbose files to avoid packaging errors ================================================================ Index: packages/xen/xen-net-disable-iptables-on-bridge.patch diff -u /dev/null packages/xen/xen-net-disable-iptables-on-bridge.patch:1.1 --- /dev/null Sat Mar 3 10:42:17 2012 +++ packages/xen/xen-net-disable-iptables-on-bridge.patch Sat Mar 3 10:42:12 2012 
@@ -0,0 +1,29 @@ +--- xen-4.1.0-orig/tools/hotplug/Linux/vif-bridge 2008-08-22 10:49:07.000000000 +0100 ++++ xen-4.1.0-new/tools/hotplug/Linux/vif-bridge 2008-08-29 11:29:38.000000000 +0100 +@@ -96,10 +96,6 @@ case "$command" in + ;; + esac + +-if [ "$type_if" = vif ]; then +- handle_iptable +-fi +- + log debug "Successful vif-bridge $command for $dev, bridge $bridge." + if [ "$type_if" = vif -a "$command" = "online" ] + then +--- xen-3.3.0-orig/tools/hotplug/Linux/xen-network-common.sh 2008-08-22 10:49:07.000000000 +0100 ++++ xen-3.3.0-new/tools/hotplug/Linux/xen-network-common.sh 2008-08-29 11:29:38.000000000 +0100 +@@ -99,6 +99,13 @@ create_bridge () { + brctl addbr ${bridge} + brctl stp ${bridge} off + brctl setfd ${bridge} 0 ++ # Setting these to zero stops guest<->LAN traffic ++ # traversing the bridge from hitting the *tables ++ # rulesets. guest<->host traffic still gets processed ++ # by the host's iptables rules so this isn't a hole ++ sysctl -q -w "net.bridge.bridge-nf-call-arptables=0" ++ sysctl -q -w "net.bridge.bridge-nf-call-ip6tables=0" ++ sysctl -q -w "net.bridge.bridge-nf-call-iptables=0" + fi + } + ================================================================ ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/xen/xen.spec?r1=1.98&r2=1.99&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
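Review bot: In the vif-bridge hunk of the new patch file, the `handle_iptable` call is dropped for every vif, but the settings meant to make it unnecessary are only written in create_bridge, inside the branch closed by the `fi` visible in the xen-network-common.sh hunk. When the bridge already exists, or was created by something other than create_bridge, nothing in this patch sets bridge-nf-call-iptables to 0, and whatever handle_iptable set up for the vif is no longer applied either, so whether guest traffic is forwarded then depends on host state the patch does not control. Suggest either writing the sysctls from a path that runs on every vif-bridge "online", or keeping the handle_iptable call when net.bridge.bridge-nf-call-iptables still reads 1.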
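Review bot: The three `sysctl -q -w "net.bridge.bridge-nf-call-*=0"` lines added to create_bridge are host-wide settings, not scoped to `${bridge}`, so creating a single Xen bridge switches off arptables, ip6tables and iptables processing of bridged frames on every bridge on the host. The added comment's "so this isn't a hole" holds only where no one filters guest<->guest or guest<->LAN traffic on the bridge (for example anti-spoofing rules), and those rules would stop matching without any message. Please state this side effect in the comment and the changelog entry, consider making the change opt-in through a config variable, and since `-q` is used with no exit-status check, log a warning when a write fails so a host without these keys does not pass silently.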
