From mboxrd@z Thu Jan 1 00:00:00 1970
From: Olaf Hering
Subject: Re: physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
Date: Fri, 3 Sep 2010 09:55:35 +0200
Message-ID: <20100903075535.GA24488@aepfle.de>
To: James Harper
Cc: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On Fri, Sep 03, James Harper wrote:

> I see lots and lots of " physdev match: using --physdev-out in the
> OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not
> supported anymore." in the kernel logs. You can turn off some of the
> iptables stuff by turning off antispoofing but the stuff in
> vif-common.sh is not under admin control.
>
> Not tested, but I think something like this might be required to make it
> work better:
>
> ---
> /usr/local/src/xen-4.0-testing.hg/dist/install/etc/xen/scripts/vif-commo
> n.sh 2010-08-25 22:05:47.000000000 +1000
> +++ vif-common.sh 2010-09-03 10:05:03.316931684 +1000
> @@ -66,6 +66,11 @@
>
> frob_iptable()
> {
> + if [ `cat /proc/sys/net/bridge/bridge-nf-call-iptables` != "1" ]

Does that file always exist?
Better do "`${shell_code}`" to force an empty string if cat fails.

Olaf
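
Review bot: The command substitution in the added `if [ ... != "1" ]` line of frob_iptable() is unquoted, so if /proc/sys/net/bridge/bridge-nf-call-iptables is absent or unreadable the test collapses to `[ != "1" ]` and `[` reports an operator error rather than cleanly evaluating the comparison. Wrap the backtick expression in double quotes so a failed cat yields an empty string that still compares as not equal to "1", and redirect cat's stderr to /dev/null so the missing-file message is not emitted on every call. The hunk header announces 11 lines after the change but only this one added line is visible, so the branch body and its closing `fi` cannot be checked here.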