Checking for RELATED,ESTABLISHED traffic being sent to a domU requires
connection tracking, which adds unexpected (to most users) load to
dom0. Heavily loaded systems can fill the conntrack tables.
So avoid this, be more liberal in what we accept, and leave it to domU
to police its own input.
Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset: 22573:
ff1b80ccecd9
xen-unstable date: Fri Dec 17 16:12:37 2010 +0000
tools/hotplug/Linux: supply --physdev-is-bridged in iptables runes
With newer (pvops) kernels logs get flooded with this iptables
warning: physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported anymore
Using the --physdev-is-bridged option prevents this.
See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10
Signed-off-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-unstable changeset: 22385:
b0fe8260cefa
xen-unstable date: Wed Nov 10 14:37:19 2010 +0000
local c="-D"
fi
- iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
- 2>/dev/null &&
- iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
- --physdev-out "$vif" -j ACCEPT 2>/dev/null
+ iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \
+ "$@" -j ACCEPT 2>/dev/null &&
+ iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
+ -j ACCEPT 2>/dev/null
if [ "$command" == "online" -a $? -ne 0 ]
then
projects / people / vhanquez / xen.git / commitdiff