rpms/xen/devel xen-network-iptables-bridge.patch, NONE, 1.1 xen.spec, 1.80, 1.81

fedora-cvs-commits at redhat.com
Thu Feb 2 22:24:20 UTC 2006


Author: notting

Update of /cvs/dist/rpms/xen/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv18554

Modified Files:
	xen.spec 
Added Files:
	xen-network-iptables-bridge.patch 
Log Message:
*docs* Disable iptables/ip6tables/arptables for bridged packets when
we bring up a xen bridge. (#177794)

You can still restrict access to dom0 from domU via
the normal IP-based mechanisms, and all packets are passed to domU for
domU to filter.

Now, if you want to have dom0 firewalling domU, or you want to actually
do filtering on the bridge based on specific bridge ports (with the
physdev module), you'll have to turn this back on. But in those
cases, you're almost certainly writing your own firewall rules by
hand anyways.
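The commit message above turns on a trade-off: once `bridge-nf-call-*` is 0, dom0's netfilter tables stop seeing frames that are merely bridged to domU, so an administrator who expects dom0 rules to protect guests needs to know which state the host is in. The following check is an added example, not part of the Xen package or of this commit. It reads the same three keys the patch writes, from their `/proc/sys/net/bridge` files, and reports for each table whether bridged traffic is filtered or bypassed; the optional directory argument is an assumption made here so the function can be run against a constructed directory, and `bridge_nf_reenable_lines` emits the `sysctl.conf` lines a site would persist if it does want dom0 firewalling domU or bridge-port filtering with the physdev match.

```shell
#!/bin/sh
# Added example (not from the Xen sources or this commit): audit whether
# bridged frames still traverse dom0's iptables/ip6tables/arptables.
# The directory argument is a hypothetical override for testing; the real
# location of these keys on a Linux host is /proc/sys/net/bridge.

bridge_nf_status() {
    dir="${1:-/proc/sys/net/bridge}"
    if [ ! -d "$dir" ]; then
        # No bridge sysctl tree: the bridge module is not loaded at all.
        echo "no bridge sysctl tree at $dir (bridge module not loaded?)"
        return 2
    fi
    all_on=0
    for table in iptables ip6tables arptables; do
        f="$dir/bridge-nf-call-$table"
        if [ ! -r "$f" ]; then
            echo "$table: key missing"
            all_on=1
            continue
        fi
        val=$(cat "$f")
        if [ "$val" = "1" ]; then
            echo "$table: filtered (bridged frames traverse dom0 $table)"
        else
            echo "$table: bypassed (dom0 $table does not see bridged frames)"
            all_on=1
        fi
    done
    # 0 = all three hooks active, 1 = at least one table is bypassed.
    return $all_on
}

# Lines for /etc/sysctl.conf that re-enable the hooks persistently, for
# hosts that need dom0 to filter domU traffic (or use the physdev match).
bridge_nf_reenable_lines() {
    for table in arptables ip6tables iptables; do
        echo "net.bridge.bridge-nf-call-$table = 1"
    done
}

# Stand-alone use: RUN_BRIDGE_NF_CHECK=1 sh ./bridge-nf-check.sh
if [ -n "${RUN_BRIDGE_NF_CHECK:-}" ]; then
    bridge_nf_status
    echo "to re-enable persistently, add to /etc/sysctl.conf:"
    bridge_nf_reenable_lines
fi
```

The exit status is meant for use from a configuration-audit job: 0 means dom0's tables still inspect bridged traffic, 1 means the bypass from this patch (or an equivalent setting) is in effect, 2 means there is no bridge at all. Because the keys are host-wide rather than per bridge, a single report covers every bridge on the machine.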



xen-network-iptables-bridge.patch:
 network-bridge |    3 +++
 1 files changed, 3 insertions(+)

--- NEW FILE xen-network-iptables-bridge.patch ---
--- xen-3.0.0/tools/examples/network-bridge.foo	2006-02-02 17:18:41.000000000 -0500
+++ xen-3.0.0/tools/examples/network-bridge	2006-02-02 17:18:56.000000000 -0500
@@ -158,6 +158,9 @@
 
     # Don't create the bridge if it already exists.
     if ! brctl show | grep -q ${bridge} ; then
+	sysctl -w "net.bridge.bridge-nf-call-arptables=0"
+	sysctl -w "net.bridge.bridge-nf-call-ip6tables=0"
+	sysctl -w "net.bridge.bridge-nf-call-iptables=0"
 	brctl addbr ${bridge}
 	brctl stp ${bridge} off
 	brctl setfd ${bridge} 0
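Review bot: the three `sysctl -w` writes added at the top of the `if ! brctl show | grep -q ${bridge}` block are unchecked, and the `net.bridge.bridge-nf-call-*` keys exist only once the bridge module is loaded, so if the module is not yet loaded when this runs they fail with an unknown-key error and the script carries on as though the hooks had been disabled. Consider loading the module first (or moving the writes after `brctl addbr ${bridge}`) and reporting failure, e.g. `sysctl -w net.bridge.bridge-nf-call-iptables=0 || echo "warning: could not disable bridge netfilter hook" >&2`. Also worth stating in a comment that these settings are global to every bridge on dom0, not scoped to `${bridge}`, and that they are not persisted, so a later `sysctl -p` or reboot restores the default.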


Index: xen.spec
===================================================================
RCS file: /cvs/dist/rpms/xen/devel/xen.spec,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- xen.spec	31 Jan 2006 17:34:40 -0000	1.80
+++ xen.spec	2 Feb 2006 22:24:14 -0000	1.81
@@ -5,7 +5,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 3.0
-Release: 0.20060130.fc5.2
+Release: 0.20060130.fc5.3
 Group:   Development/Libraries
 License: GPL
 URL:     http://www.cl.cam.ac.uk/Research/SRG/netos/xen/index.html
@@ -17,6 +17,7 @@
 Patch3: xen-dom0-minmem.patch
 Patch4: xen-compile-fixes.patch
 Patch5: xen-default-network.patch
+Patch6: xen-network-iptables-bridge.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel
 BuildRequires: libX11-devel python-devel ghostscript tetex-latex 
@@ -48,6 +49,7 @@
 %patch3 -p1 -b .mem-min
 %patch4 -p1 -b .compile
 %patch5 -p1
+%patch6 -p1
 
 cp %{SOURCE2} .
 
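Review bot: style point on `%patch6 -p1`: it omits the `-b` backup suffix that `%patch3 -p1 -b .mem-min` and `%patch4 -p1 -b .compile` carry; adding one (e.g. `-b .iptables-bridge`) keeps the pristine `network-bridge` in the build tree for comparison and follows the spec's prevailing convention.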
@@ -142,7 +144,12 @@
 %dir %{_localstatedir}/run/xenstored
 
 %changelog
-* Tue Jan 31 2006 Bill Nottinghham <notting at redhat.com> 3.0-0.20060130.fc5.2
+* Thu Feb  2 2006 Bill Nottingham <notting at redhat.com> 3.0-0.20060130.fc5.3
+- disable iptables/ip6tables/arptables on bridging when bringing up a
+  Xen bridge. If complicated filtering is needed that uses this, custom
+  firewalls will be needed. (#177794)
+
+* Tue Jan 31 2006 Bill Nottingham <notting at redhat.com> 3.0-0.20060130.fc5.2
 - use the default network device, don't hardcode eth0
 
 * Tue Jan 31 2006  <sct at redhat.com> - 3.0-0.20060130.fc5.1
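Review bot: the new changelog entry describes the behaviour change but not the knobs involved; naming the `net.bridge.bridge-nf-call-iptables/ip6tables/arptables` sysctls that `network-bridge` now sets to 0 would let an administrator who needs dom0 to filter domU traffic find exactly what to re-enable. The quiet correction of `Nottinghham` in the previous entry is fine.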
