Ian Pratt
2006-Jul-11 17:51 UTC
RE: [Xen-devel] [PATCH] Re: network-bridge script breaks network connectivity
> Luciano Miguel Ferreira Rocha <strange@nsk.no-ip.org> wrote:
> >
> >> The interaction with host firewall rules has always been a bit icky, not
> >> least because the xen network scripts typically run after the host's
> >> firewall scripts (and rename the network device). I've never understood
> >> what happens to the firewall rules - do they stay with the old eth0 (now
> >> peth0) or do they now apply to the new device name?
> >
> > IIRC, interface names in iptables rules are symbolic, so eth0 means what
> > currently stands for eth0.
>
> Correct. Only the interface name is compared.

Just to be doubly clear, do you mean that the name is compared at the time the rule is submitted, or at the time it is evaluated? I presume the former? In which case, it will end up referring to peth0 rather than eth0 because the rename happens after the rules are submitted. If the latter, is there a per-packet strcmp or is there some clever caching?

Thanks,
Ian

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Herbert Xu
2006-Jul-11 22:58 UTC
Re: [Xen-devel] [PATCH] Re: network-bridge script breaks network connectivity
On Tue, Jul 11, 2006 at 06:51:57PM +0100, Ian Pratt wrote:
>
> Just to be doubly clear, do you mean that the name is compared at the
> time the rule is submitted, or at the time it is evaluated?

It's the latter. See ip_packet_match in net/ipv4/netfilter/ip_tables.c for example.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
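The following is an added illustration of the point Herbert makes; it is not code from the thread, from Xen, or from the kernel. It is a small user-space reimplementation modelled on what ip_packet_match does in the 2.6-era ip_tables.c: the rule stores the interface name together with a byte mask (iptables builds both when the rule is submitted, and a trailing `+` turns the name into a prefix wildcard by leaving the bytes after the prefix unmasked), and every packet's input device name is then compared against the rule by XORing the two IFNAMSIZ-byte buffers word by word and ANDing with the mask. So the answer to Ian's question is that there is neither caching nor a per-packet strcmp: the comparison happens per packet, as a fixed two- or four-word masked compare. The consequence for the network-bridge script is that a rule written as `-i eth0` keeps matching whatever device is currently called eth0 and stops matching the physical NIC once it has been renamed to peth0. The helper names, `rule_matches` in particular, are my own.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16   /* kernel interface name buffer size, NUL included */

/* What an iptables rule carries for "-i <name>": the name and a byte mask.
 * Both are built once, when the rule is submitted, not per packet. */
struct iface_match {
    char          name[IFNAMSIZ];
    unsigned char mask[IFNAMSIZ];
};

/* Build name + mask the way iptables user space does (simplified):
 *  - ""        : empty name, all-zero mask, matches any device
 *  - "eth0"    : mask covers the name AND its terminating NUL, so "eth01" fails
 *  - "eth+"    : '+' is the prefix wildcard; mask covers only "eth" */
static void build_iface_match(struct iface_match *m, const char *spec)
{
    size_t n = strlen(spec);

    memset(m, 0, sizeof *m);
    if (n >= IFNAMSIZ)
        n = IFNAMSIZ - 1;
    if (n == 0)
        return;                              /* wildcard: nothing masked in */
    if (spec[n - 1] == '+') {
        memcpy(m->name, spec, n - 1);
        memset(m->mask, 0xff, n - 1);        /* prefix only */
    } else {
        memcpy(m->name, spec, n);
        memset(m->mask, 0xff, n + 1);        /* name plus NUL terminator */
    }
}

/* The per-packet check, shaped like the loop in ip_packet_match: compare
 * the packet's device name against the rule word by word under the mask.
 * No strcmp, no cache; the name is evaluated for every packet. */
static int iface_matches(const struct iface_match *m, const char *indev_name)
{
    char indev[IFNAMSIZ];
    unsigned long ret = 0;
    size_t i;

    memset(indev, 0, sizeof indev);
    strncpy(indev, indev_name, IFNAMSIZ - 1);

    for (i = 0; i < IFNAMSIZ / sizeof(unsigned long); i++) {
        unsigned long a, b, k;
        memcpy(&a, indev + i * sizeof a, sizeof a);    /* device name word */
        memcpy(&b, m->name + i * sizeof b, sizeof b);  /* rule name word   */
        memcpy(&k, m->mask + i * sizeof k, sizeof k);  /* rule mask word   */
        ret |= (a ^ b) & k;
    }
    return ret == 0;
}

/* Convenience: does a rule written as "-i <spec>" match a packet that
 * arrived on device <dev>?  Returns 1 for match, 0 for no match. */
static int rule_matches(const char *spec, const char *dev)
{
    struct iface_match m;
    build_iface_match(&m, spec);
    return iface_matches(&m, dev);
}

int main(void)
{
    /* The scenario from the thread: rule loaded for eth0, then the
     * network-bridge script renames the NIC to peth0 and a new eth0 appears. */
    printf("-i eth0  vs packet on peth0 (renamed NIC) : %s\n",
           rule_matches("eth0", "peth0") ? "match" : "no match");
    printf("-i eth0  vs packet on eth0  (new device)  : %s\n",
           rule_matches("eth0", "eth0") ? "match" : "no match");
    printf("-i eth+  vs packet on peth0               : %s\n",
           rule_matches("eth+", "peth0") ? "match" : "no match");
    printf("-i peth+ vs packet on peth0               : %s\n",
           rule_matches("peth+", "peth0") ? "match" : "no match");
    return 0;
}
```

The practical upshot for the host firewall: rules meant for the physical uplink must be written for the name it will have after the script runs (peth0, or a `peth+` wildcard), and rules written for eth0 end up governing the bridge-side device that inherits that name.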