* physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
From: James Harper @ 2010-09-03  0:06 UTC (permalink / raw)
  To: xen-devel

I see lots and lots of " physdev match: using --physdev-out in the
OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not
supported anymore." in the kernel logs. You can turn off some of the
iptables stuff by turning off antispoofing but the stuff in
vif-common.sh is not under admin control.

Not tested, but I think something like this might be required to make it
work better:

---
/usr/local/src/xen-4.0-testing.hg/dist/install/etc/xen/scripts/vif-commo
n.sh        2010-08-25 22:05:47.000000000 +1000
+++ vif-common.sh       2010-09-03 10:05:03.316931684 +1000
@@ -66,6 +66,11 @@

 frob_iptable()
 {
+  if [ `cat /proc/sys/net/bridge/bridge-nf-call-iptables` != "1" ]
+  then
+    # bridge packets not going through iptables
+    return
+  fi
   if [ "$command" == "online" ]
   then
     local c="-I"
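
Review bot: the backtick substitution in the new `if [ ... != "1" ]` test is unquoted, so when `cat` produces no output the test collapses to `[ != "1" ]`, which is an error rather than true, and the function falls through to the `$command` branch instead of returning. Quote the substitution so an unreadable file compares as an empty string. Separately, the `return` sits above the `"$command" == "online"` check, so it short-circuits every invocation and not only `online`; if the sysctl is changed while a guest is up, the call for the other command takes a different path from the one taken at online time. A log line on the skip path would make that visible, since the comment alone leaves no trace at runtime.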

James


* Re: physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
From: Olaf Hering @ 2010-09-03  7:55 UTC (permalink / raw)
  To: James Harper; +Cc: xen-devel

On Fri, Sep 03, James Harper wrote:

> I see lots and lots of " physdev match: using --physdev-out in the
> OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not
> supported anymore." in the kernel logs. You can turn off some of the
> iptables stuff by turning off antispoofing but the stuff in
> vif-common.sh is not under admin control.
> 
> Not tested, but I think something like this might be required to make it
> work better:
> 
> ---
> /usr/local/src/xen-4.0-testing.hg/dist/install/etc/xen/scripts/vif-commo
> n.sh        2010-08-25 22:05:47.000000000 +1000
> +++ vif-common.sh       2010-09-03 10:05:03.316931684 +1000
> @@ -66,6 +66,11 @@
> 
>  frob_iptable()
>  {
> +  if [ `cat /proc/sys/net/bridge/bridge-nf-call-iptables` != "1" ]
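
Review bot: the `cat` in this test line does not discard stderr, so on a host where the file is absent each call also emits cat's error message, and quoting the substitution does not change that. Add `2>/dev/null` inside the substitution, or guard with `[ -r /proc/sys/net/bridge/bridge-nf-call-iptables ]` first so the missing-file case is explicit.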

Does that file always exist?
Better do "`${shell_code}`" to force an empty string if cat fails.

Olaf
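
An added example, not part of the original thread or of the Xen scripts, that runs the unquoted test from the patch and the quoted form Olaf suggests against a sysctl that is on, off, and absent. The function names and the temporary files standing in for /proc/sys/net/bridge/bridge-nf-call-iptables are assumptions made for the demonstration; `$(...)` is used in place of quoted backticks.

```shell
#!/bin/sh
# Added illustration, not code from vif-common.sh. The sysctl path is a
# parameter so the check runs against constructed files instead of /proc.

# Unquoted test as posted. Status 0 = caller would "return" (skip iptables),
# status 1 = caller would carry on and touch the rules.
skip_unquoted() {
  # Errors from cat and from [ are discarded only to keep the demo quiet.
  if [ `cat "$1" 2>/dev/null` != "1" ] 2>/dev/null
  then
    return 0
  fi
  return 1
}

# Quoted test: a failed cat yields "", which compares unequal to "1".
skip_quoted() {
  if [ "$(cat "$1" 2>/dev/null)" != "1" ]
  then
    return 0
  fi
  return 1
}

# Run both forms over three constructed cases: sysctl on, off, file absent.
demo() {
  dir=$(mktemp -d) || return 1
  echo 1 > "$dir/on"
  echo 0 > "$dir/off"
  out=""
  for f in on off missing
  do
    if skip_unquoted "$dir/$f"; then u=skip; else u=rules; fi
    if skip_quoted "$dir/$f"; then q=skip; else q=rules; fi
    out="$out${out:+ }$f:$u/$q"
  done
  rm -rf "$dir"
  printf '%s\n' "$out"
}

demo
```

Each entry reads case:unquoted/quoted. The two forms agree when the file exists and differ only for the absent file, where the unquoted test errors out and the rules are still touched.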
