[libvirt] [PATCH] nwfilter: report if ip(6)tables rules would not be effective

Stefan Berger stefanb at linux.vnet.ibm.com
Fri Sep 24 16:10:27 UTC 2010


On 09/24/2010 12:01 PM, Eric Blake wrote:
> On 09/23/2010 09:53 AM, Stefan Berger wrote:
>> The patch below reports a warning in the log if the generated
>> ip(6)tables rules would not be effective due to the proc filesystem
>> entries
>>
>> /proc/sys/net/bridge/bridge-nf-call-iptables
>> /proc/sys/net/bridge/bridge-nf-call-ip6tables
>>
>> containing a '0'. The warning tells the user what to do. I am
>> rate-limiting the warning message to appear only every 10 seconds.
>
> ACK; looks like a reasonable way to warn about the issue, leaving the 
> resolution in the user's hands to either update the kernel state or 
> rewrite their nwfilter rules to not rely on iptables.
>
Pushed.
    Stefan
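
The check discussed in this thread, as an added C example that is not the code of the libvirt patch: it reads the two proc entries, treats a leading '0' as "rules not effective", and limits the warning to once every 10 seconds. The function names, the warning wording and the caller-supplied timestamp are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

#define WARN_INTERVAL 10 /* seconds; the rate limit mentioned in the thread */

/* Returns 1 if the entry starts with '0' (bridged traffic is not handed
 * to ip(6)tables), 0 if it holds another value, -1 if it cannot be read
 * (for example when the bridge module is not loaded). */
int bridge_nf_disabled(const char *path)
{
    FILE *fp = fopen(path, "r");
    int c;

    if (!fp)
        return -1;
    c = fgetc(fp);
    fclose(fp);
    return c == '0' ? 1 : 0;
}

/* Hypothetical helper: warn at most once per WARN_INTERVAL seconds.
 * 'now' is passed in so the rate limit can be exercised in a test;
 * *last_warned == 0 means "never warned". Returns 1 if a warning was emitted. */
int warn_if_ineffective(const char *path, const char *tool,
                        time_t now, time_t *last_warned)
{
    if (bridge_nf_disabled(path) != 1)
        return 0;
    if (*last_warned != 0 && now - *last_warned < WARN_INTERVAL)
        return 0;
    *last_warned = now;
    fprintf(stderr, "warning: %s rules will not apply to bridged traffic; "
            "write 1 to %s to enable them\n", tool, path); /* constructed text */
    return 1;
}

int main(void)
{
    static time_t last4, last6;
    time_t now = time(NULL);

    warn_if_ineffective("/proc/sys/net/bridge/bridge-nf-call-iptables",
                        "iptables", now, &last4);
    warn_if_ineffective("/proc/sys/net/bridge/bridge-nf-call-ip6tables",
                        "ip6tables", now, &last6);
    return 0;
}
```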
