Olivier Berger
2007-Jun-27 12:14 UTC
[Pkg-xen-devel] Bug#430778: xen-utils-common: Here's proposed workaround script
Package: xen-utils-common
Followup-For: Bug #430778

Here's a patch I made to have working rules here... feel free to comment/adapt.

Hope this helps

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-xen-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xen-utils-common depends on:
ii  lsb-base  3.1-23.1  Linux Standard Base 3.1 init scrip
ii  udev      0.105-4   /dev/ and hotplug management daemo

xen-utils-common recommends no packages.

-- no debconf information

-------------- next part --------------
--- vif-common.sh.orig 2007-06-27 14:11:32.000000000 +0200 +++ vif-common.sh 2007-06-27 13:38:14.000000000 +0200 @@ -81,6 +81,35 @@ If you are using iptables, this may affect networking for guest domains." } +function frob2_iptable() +{ + if [ "$command" == "online" ] + then + local c="-A" + else + local c="-D" + fi + +#iptables -F FORWARD +# iptables -A FORWARD -d 192.168.2.100/32 -m state --state ESTABLISHED,RELATED -j ACCEPT +# iptables -A FORWARD -s 192.168.2.100/32 -j ACCEPT +# iptables -A FORWARD -j LOG + + iptables "$c" FORWARD -d "$@" -m state --state ESTABLISHED,RELATED -j ACCEPT \ + 2>/dev/null || + [ "$c" == "-D" ] || + log err \ + "iptables $c FORWARD -d $@ -m state --state ESTABLISHED,RELATED -j ACCEPT failed. +If you are using iptables, this may affect networking for guest domains." + + iptables "$c" FORWARD -s "$@" -j ACCEPT \ + 2>/dev/null || + [ "$c" == "-D" ] || + log err \ + "iptables $c FORWARD -s $@ -j ACCEPT failed. +If you are using iptables, this may affect networking for guest domains." +} + ## # Add or remove the appropriate entries in the iptables. With antispoofing @@ -105,7 +134,8 @@ local addr for addr in "$ip" do - frob_iptable -s "$addr" +# frob_iptable -s "$addr" + frob2_iptable "$addr" done # Always allow the domain to talk to a DHCP server.
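Review bot: in the first hunk (the new `frob2_iptable`), the `iptables "$c" FORWARD -s "$@" -j ACCEPT` rule matches on source address only, so once a guest's address is online, any forwarded packet carrying that source address is accepted no matter which interface it arrives on; the comment directly below the function ("With antispoofing ...") says these rules exist to tie addresses to guests, and a plain `-s` ACCEPT does not do that. If the goal is only to let reply traffic reach the guest, add just the `-d "$addr" -m state --state ESTABLISHED,RELATED -j ACCEPT` rule and leave the existing `frob_iptable -s "$addr"` check in place. Two smaller points: the function is called with one address but reads it as `"$@"`, so a second argument would silently turn into a malformed iptables command; use `local addr="$1"` and pass `"$addr"` (and drop the unquoted `$@` from the `log err` strings). The commented-out block with `#iptables -F FORWARD` and the hard-coded `192.168.2.100/32` rules is leftover test code and should be removed before this goes into the package.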
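Review bot: the second hunk replaces the only `frob_iptable -s "$addr"` call for guest addresses with `frob2_iptable "$addr"`, so whatever per-interface matching and error reporting `frob_iptable` performed for the source check no longer runs at all; if `frob2_iptable` is meant as an addition (the ESTABLISHED,RELATED return path) rather than a replacement, call both functions in the loop. Also delete the `# frob_iptable -s "$addr"` line instead of leaving it commented out, since the diff already records the removal.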