
Mailing List Archive: Xen: Devel

physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.

 

 



james.harper at bendigoit

Sep 2, 2010, 5:06 PM


I see lots and lots of " physdev match: using --physdev-out in the
OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not
supported anymore." in the kernel logs. You can turn off some of the
iptables stuff by turning off antispoofing but the stuff in
vif-common.sh is not under admin control.

Not tested, but I think something like this might be required to make it
work better:

---
/usr/local/src/xen-4.0-testing.hg/dist/install/etc/xen/scripts/vif-commo
n.sh 2010-08-25 22:05:47.000000000 +1000
+++ vif-common.sh 2010-09-03 10:05:03.316931684 +1000
@@ -66,6 +66,11 @@

frob_iptable()
{
+ if [ `cat /proc/sys/net/bridge/bridge-nf-call-iptables` != "1" ]
+ then
+ # bridge packets not going through iptables
+ return
+ fi
if [ "$command" == "online" ]
then
local c="-I"
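
Review bot: the command substitution in the added test at the top of frob_iptable() is unquoted, so when /proc/sys/net/bridge/bridge-nf-call-iptables does not exist cat writes nothing to stdout and the test collapses to [ != "1" ], a malformed test expression; the if then evaluates false and the function carries on with the iptables changes instead of returning. Quote the substitution and discard cat's stderr so that a missing file reads as an empty string, for example: if [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" != "1" ]. The early return also sits ahead of the "$command" test, so it applies to every command value and not only "online"; it is worth confirming that skipping the non-online path is intended when the sysctl value changes while a vif is up.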

James

_______________________________________________
Xen-devel mailing list
Xen-devel [at] lists
http://lists.xensource.com/xen-devel


olaf at aepfle

Sep 3, 2010, 12:55 AM

Re: physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.

On Fri, Sep 03, James Harper wrote:

> I see lots and lots of " physdev match: using --physdev-out in the
> OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not
> supported anymore." in the kernel logs. You can turn off some of the
> iptables stuff by turning off antispoofing but the stuff in
> vif-common.sh is not under admin control.
>
> Not tested, but I think something like this might be required to make it
> work better:
>
> ---
> /usr/local/src/xen-4.0-testing.hg/dist/install/etc/xen/scripts/vif-commo
> n.sh 2010-08-25 22:05:47.000000000 +1000
> +++ vif-common.sh 2010-09-03 10:05:03.316931684 +1000
> @@ -66,6 +66,11 @@
>
> frob_iptable()
> {
> + if [ `cat /proc/sys/net/bridge/bridge-nf-call-iptables` != "1" ]

Does that file always exist?
Better do "`${shell_code}`" to force an empty string if cat fails.

Olaf

