Olivier Berger
2007-Jun-27 12:14 UTC
[Pkg-xen-devel] Bug#430778: xen-utils-common: Here's proposed workaround script
Package: xen-utils-common
Followup-For: Bug #430778
Here's a patch I made to have working rules here... feel free to
comment/adapt.
Hope this helps
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-xen-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages xen-utils-common depends on:
ii lsb-base 3.1-23.1 Linux Standard Base 3.1 init scrip
ii udev 0.105-4 /dev/ and hotplug management daemo
xen-utils-common recommends no packages.
-- no debconf information
-------------- next part --------------
--- vif-common.sh.orig 2007-06-27 14:11:32.000000000 +0200
+++ vif-common.sh 2007-06-27 13:38:14.000000000 +0200
@@ -81,6 +81,35 @@
If you are using iptables, this may affect networking for guest domains."
}
+function frob2_iptable()
+{
+ if [ "$command" == "online" ]
+ then
+ local c="-A"
+ else
+ local c="-D"
+ fi
+
+#iptables -F FORWARD
+# iptables -A FORWARD -d 192.168.2.100/32 -m state --state ESTABLISHED,RELATED
-j ACCEPT
+# iptables -A FORWARD -s 192.168.2.100/32 -j ACCEPT
+# iptables -A FORWARD -j LOG
+
+ iptables "$c" FORWARD -d "$@" -m state --state
ESTABLISHED,RELATED -j ACCEPT \
+ 2>/dev/null ||
+ [ "$c" == "-D" ] ||
+ log err \
+ "iptables $c FORWARD -d $@ -m state --state ESTABLISHED,RELATED -j
ACCEPT failed.
+If you are using iptables, this may affect networking for guest domains."
+
+ iptables "$c" FORWARD -s "$@" -j ACCEPT \
+ 2>/dev/null ||
+ [ "$c" == "-D" ] ||
+ log err \
+ "iptables $c FORWARD -s $@ -j ACCEPT failed.
+If you are using iptables, this may affect networking for guest domains."
+}
+
##
# Add or remove the appropriate entries in the iptables. With antispoofing
@@ -105,7 +134,8 @@
local addr
for addr in "$ip"
do
- frob_iptable -s "$addr"
+# frob_iptable -s "$addr"
+ frob2_iptable "$addr"
done
# Always allow the domain to talk to a DHCP server.
Maybe Matching Threads
- Bug#430778: xen-utils-common: NAT scripts not generic enough, and made for DHCP ?
- Bug#894013: xen-utils-common: issue with iptables antispoofing rules in xen4.8 generated by vif-bridge and vif-common.sh
- Bug#698841: xen-utils-common: HVM networking for ioemu devices is blocked when antispoof is on
- Bug#422667: xen-utils-common: Init script outputs an error message while Xen is not installed any more
- Bug#430676: xen-utils-common: network-nat increates insecure nat POSTROUTING MASQUERADE ?
Wisdom of the Ancients
