rpms/xen/devel xen-network-iptables-bridge.patch, NONE, 1.1 xen.spec, 1.80, 1.81
fedora-cvs-commits at redhat.com
Thu Feb 2 22:24:20 UTC 2006
Author: notting
Update of /cvs/dist/rpms/xen/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv18554
Modified Files:
xen.spec
Added Files:
xen-network-iptables-bridge.patch
Log Message:
*docs* Disable iptables/ip6tables/arptables for bridged packets when
we bring up a xen bridge. (#177794)
You can still restrict access to dom0 from domU via
the normal IP-based mechanisms, and all packets are passed to domU for
domU to filter.
Now, if you want to have dom0 firewalling domU, or you want to actually
do filtering on the bridge based on specific bridge ports (with the
physdev module), you'll have to turn this back on. But in those
cases, you're almost certainly writing your own firewall rules by
hand anyways.
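The commit message above turns off the three `net.bridge.bridge-nf-call-*` sysctls and tells administrators who firewall domU from dom0, or who use physdev matches, to turn them back on. The script below is an added example for that situation; it is not part of this commit or of the Fedora xen package. It reports whether dom0's iptables/ip6tables/arptables rules still see bridged frames and emits a sysctl.conf fragment to persist a chosen setting. The `BRIDGE_SYSCTL_DIR` variable and all function names are this example's own; the default path is the real kernel location of the keys.

```shell
#!/bin/sh
# Added example, not part of this commit or of the Fedora xen package: audit
# and persist the three bridge-netfilter sysctls that the network-bridge patch
# switches off, so an administrator can tell whether dom0's iptables/ip6tables/
# arptables rules still see frames bridged to and from domU.
#
# The kernel exposes the keys under /proc/sys/net/bridge/ once the bridge
# module is loaded. BRIDGE_SYSCTL_DIR is a knob of this example only; it lets
# the functions be pointed at a constructed directory for testing.

BRIDGE_SYSCTL_DIR="${BRIDGE_SYSCTL_DIR:-/proc/sys/net/bridge}"
BRIDGE_NF_KEYS="bridge-nf-call-arptables bridge-nf-call-ip6tables bridge-nf-call-iptables"

# Print "<key> <value>" per key, or "<key> missing" when the file is absent
# (bridge module not loaded, or a kernel built without bridge-netfilter).
bridge_nf_state() {
    dir="${1:-$BRIDGE_SYSCTL_DIR}"
    for key in $BRIDGE_NF_KEYS; do
        if [ -r "$dir/$key" ]; then
            printf '%s %s\n' "$key" "$(cat "$dir/$key")"
        else
            printf '%s missing\n' "$key"
        fi
    done
}

# Count how many of the three families still pass bridged frames to netfilter.
bridge_nf_enabled_count() {
    bridge_nf_state "$1" | awk '$2 == "1" { n++ } END { print n + 0 }'
}

# Succeed only when all three are on, i.e. dom0 rules (including physdev
# matches) apply to bridged traffic. After the patched network-bridge has
# created the bridge this reports failure, since all three keys are 0.
bridge_nf_filtering_enabled() {
    [ "$(bridge_nf_enabled_count "$1")" -eq 3 ]
}

# Emit /etc/sysctl.conf lines setting all three keys to VALUE (0 or 1).
# network-bridge re-disables the keys when it creates the bridge, so a value
# of 1 must also be re-applied after xend has brought the bridge up; the
# sysctl.conf lines alone only cover the window before that.
bridge_nf_sysctl_conf() {
    value="${1:-1}"
    case "$value" in
        0|1) ;;
        *) echo "bridge_nf_sysctl_conf: value must be 0 or 1" >&2; return 2 ;;
    esac
    for key in $BRIDGE_NF_KEYS; do
        printf 'net.bridge.%s = %s\n' "$key" "$value"
    done
}

# Stand-alone use: report the live state of the running kernel.
bridge_nf_state
```

Run it on dom0 after `xend` has started to see the post-patch state (three keys at 0); `bridge_nf_sysctl_conf 1 >> /etc/sysctl.conf` followed by a `sysctl -w` of the same keys once the bridge exists is the re-enable path the commit message alludes to for physdev-based filtering.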
xen-network-iptables-bridge.patch:
network-bridge | 3 +++
1 files changed, 3 insertions(+)
--- NEW FILE xen-network-iptables-bridge.patch ---
--- xen-3.0.0/tools/examples/network-bridge.foo 2006-02-02 17:18:41.000000000 -0500
+++ xen-3.0.0/tools/examples/network-bridge 2006-02-02 17:18:56.000000000 -0500
@@ -158,6 +158,9 @@
# Don't create the bridge if it already exists.
if ! brctl show | grep -q ${bridge} ; then
+ sysctl -w "net.bridge.bridge-nf-call-arptables=0"
+ sysctl -w "net.bridge.bridge-nf-call-ip6tables=0"
+ sysctl -w "net.bridge.bridge-nf-call-iptables=0"
brctl addbr ${bridge}
brctl stp ${bridge} off
brctl setfd ${bridge} 0
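Review bot: the three `sysctl -w` calls are placed inside the `if ! brctl show | grep -q ${bridge}` block, so they only run on the start that creates the bridge; on any later start the bridge already exists and the keys are left at whatever they were set to in the meantime (for example 1 from a `sysctl -p`), giving a state that depends on history rather than on this script. The keys are also host-wide under `net.bridge`, not per-bridge, so they disable netfilter for every bridge on dom0, not just `${bridge}`. Suggest moving the three lines above the `if`, adding a comment that the setting is global, and checking the return of `sysctl -w`, since the keys only exist once the bridge module is loaded.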
Index: xen.spec
===================================================================
RCS file: /cvs/dist/rpms/xen/devel/xen.spec,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- xen.spec 31 Jan 2006 17:34:40 -0000 1.80
+++ xen.spec 2 Feb 2006 22:24:14 -0000 1.81
@@ -5,7 +5,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 3.0
-Release: 0.20060130.fc5.2
+Release: 0.20060130.fc5.3
Group: Development/Libraries
License: GPL
URL: http://www.cl.cam.ac.uk/Research/SRG/netos/xen/index.html
@@ -17,6 +17,7 @@
Patch3: xen-dom0-minmem.patch
Patch4: xen-compile-fixes.patch
Patch5: xen-default-network.patch
+Patch6: xen-network-iptables-bridge.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel
BuildRequires: libX11-devel python-devel ghostscript tetex-latex
@@ -48,6 +49,7 @@
%patch3 -p1 -b .mem-min
%patch4 -p1 -b .compile
%patch5 -p1
+%patch6 -p1
cp %{SOURCE2} .
@@ -142,7 +144,12 @@
%dir %{_localstatedir}/run/xenstored
%changelog
-* Tue Jan 31 2006 Bill Nottinghham <notting at redhat.com> 3.0-0.20060130.fc5.2
+* Thu Feb 2 2006 Bill Nottingham <notting at redhat.com> 3.0-0.20060130.fc5.3
+- disable iptables/ip6tables/arptables on bridging when bringing up a
+ Xen bridge. If complicated filtering is needed that uses this, custom
+ firewalls will be needed. (#177794)
+
+* Tue Jan 31 2006 Bill Nottingham <notting at redhat.com> 3.0-0.20060130.fc5.2
- use the default network device, don't hardcode eth0
* Tue Jan 31 2006 <sct at redhat.com> - 3.0-0.20060130.fc5.1
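Review bot: the new changelog entry says "custom firewalls will be needed" but does not name what has to be switched back on; suggest listing the three `net.bridge.bridge-nf-call-{arp,ip6,ip}tables` sysctls in the entry (or in a comment in network-bridge), since that is the knob an administrator using physdev matches or dom0-side filtering of domU has to find. The corrected spelling of the previous entry's author line is fine.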