packages: xen/xen.spec, xen/xen-net-disable-iptables-on-bridge.patch (NEW) ...

baggins baggins at pld-linux.org
Sat Mar 3 10:42:17 CET 2012


Author: baggins                      Date: Sat Mar  3 09:42:17 2012 GMT
Module: packages                      Tag: HEAD
---- Log message:
- disable iptables on bridge, rationale here:
  https://bugzilla.redhat.com/show_bug.cgi?id=512206
  http://patchwork.ozlabs.org/patch/29319/
  http://lists.gnu.org/archive/html/qemu-devel/2009-07/msg01592.html

---- Files affected:
packages/xen:
   xen.spec (1.98 -> 1.99) , xen-net-disable-iptables-on-bridge.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/xen/xen.spec
diff -u packages/xen/xen.spec:1.98 packages/xen/xen.spec:1.99
--- packages/xen/xen.spec:1.98	Wed Feb 29 22:10:03 2012
+++ packages/xen/xen.spec	Sat Mar  3 10:42:12 2012
@@ -58,6 +58,7 @@
 Patch9:		xend.empty.xml.patch
 Patch10:	xend-pci-loop.patch
 Patch11:	xen-dumpdir.patch
+Patch12:	xen-net-disable-iptables-on-bridge.patch
 # stubdom patch
 Patch100:	grub-ext4-support.patch
 URL:		http://www.cl.cam.ac.uk/Research/SRG/netos/xen/index.html
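Review bot: the new Patch12 line is added without a comment explaining what it does, while the neighbouring `# stubdom patch` line shows the spec's convention of annotating non-obvious patches; suggest a one-line comment above it, e.g. `# disable iptables/arptables/ip6tables processing on the guest bridge`, so readers of the spec do not have to dig the rationale out of the changelog.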
@@ -212,6 +213,7 @@
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 
 %{__rm} -v tools/check/*.orig
 
@@ -440,6 +442,12 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.99  2012/03/03 09:42:12  baggins
+- disable iptables on bridge, rationale here:
+  https://bugzilla.redhat.com/show_bug.cgi?id=512206
+  http://patchwork.ozlabs.org/patch/29319/
+  http://lists.gnu.org/archive/html/qemu-devel/2009-07/msg01592.html
+
 Revision 1.98  2012/02/29 21:10:03  baggins
 - blktapctrl is started by xend, consider reworking xend
 - verbose files to avoid packaging errors

================================================================
Index: packages/xen/xen-net-disable-iptables-on-bridge.patch
diff -u /dev/null packages/xen/xen-net-disable-iptables-on-bridge.patch:1.1
--- /dev/null	Sat Mar  3 10:42:17 2012
+++ packages/xen/xen-net-disable-iptables-on-bridge.patch	Sat Mar  3 10:42:12 2012
@@ -0,0 +1,29 @@
+--- xen-4.1.0-orig/tools/hotplug/Linux/vif-bridge	2008-08-22 10:49:07.000000000 +0100
++++ xen-4.1.0-new/tools/hotplug/Linux/vif-bridge	2008-08-29 11:29:38.000000000 +0100
+@@ -96,10 +96,6 @@ case "$command" in
+         ;;
+ esac
+ 
+-if [ "$type_if" = vif ]; then
+-    handle_iptable
+-fi
+-
+ log debug "Successful vif-bridge $command for $dev, bridge $bridge."
+ if [ "$type_if" = vif -a "$command" = "online" ]
+ then
+--- xen-3.3.0-orig/tools/hotplug/Linux/xen-network-common.sh	2008-08-22 10:49:07.000000000 +0100
++++ xen-3.3.0-new/tools/hotplug/Linux/xen-network-common.sh	2008-08-29 11:29:38.000000000 +0100
+@@ -99,6 +99,13 @@ create_bridge () {
+ 	brctl addbr ${bridge}
+ 	brctl stp ${bridge} off
+ 	brctl setfd ${bridge} 0
++	# Setting these to zero stops guest<->LAN traffic
++	# traversing the bridge from hitting the *tables
++	# rulesets. guest<->host traffic still gets processed
++	# by the host's iptables rules so this isn't a hole
++	sysctl -q -w "net.bridge.bridge-nf-call-arptables=0"
++	sysctl -q -w "net.bridge.bridge-nf-call-ip6tables=0"
++	sysctl -q -w "net.bridge.bridge-nf-call-iptables=0"
+     fi
+ }
+ 
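Review bot: the three `net.bridge.bridge-nf-call-*tables=0` sysctls are host-global, not per-bridge, yet they are set only inside `create_bridge ()`; so once Xen creates a bridge every bridge on the host stops passing bridged traffic through netfilter, and if the bridge already exists (created by the distro network scripts) they are never set at all, which makes the behaviour hard to predict. Together with the removed `handle_iptable` call in `vif-bridge`, any per-vif iptables handling the hotplug scripts previously applied to guest traffic is gone, so the in-code comment that this "isn't a hole" only holds for traffic terminating on the host; that consequence belongs in a header comment on the patch. The embedded headers also mix `xen-4.1.0-orig/` and `xen-3.3.0-orig/` prefixes with 2008 timestamps, so a provenance line pointing at the Fedora bug cited in the log message would help future maintainers.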
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/xen/xen.spec?r1=1.98&r2=1.99&f=u


