author:    Keir Fraser <keir@xen.org>  2010-12-17 16:13:54 +0000
committer: Keir Fraser <keir@xen.org>  2010-12-17 16:13:54 +0000
commit:    65421fd842977f64a7870f2b8989d02c23b903a3 (patch)
tree:      a57861be84ea9579cf248c0641c2d007f64d44c2
parent:    78cb23fbc373c6cc1d752b67afca051efffe606c (diff)
tools/hotplug/Linux: Avoid dependency on iptables conntrack module.

Checking for RELATED,ESTABLISHED traffic being sent to a domU requires
connection tracking, which adds unexpected (to most users) load to dom0.
Heavily loaded systems can fill the conntrack tables. So avoid this, be
more liberal in what we accept, and leave it to domU to police its own
input.

Signed-off-by: Keir Fraser <keir@xen.org>
xen-unstable changeset: 22573:ff1b80ccecd9
xen-unstable date: Fri Dec 17 16:12:37 2010 +0000

tools/hotplug/Linux: supply --physdev-is-bridged in iptables runes

With newer (pvops) kernels logs get flooded with this iptables warning:

    physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore

Using the --physdev-is-bridged option prevents this.

See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10

Signed-off-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-unstable changeset: 22385:b0fe8260cefa
xen-unstable date: Wed Nov 10 14:37:19 2010 +0000
-rw-r--r--  tools/hotplug/Linux/vif-common.sh  | 8
1 files changed, 4 insertions, 4 deletions
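The commit message describes replacing the stateful `--physdev-out` rule with an unconditional one and dropping the conntrack dependency. A practitioner applying this on a running dom0 would want to verify that no rules of the old shape remain and whether `nf_conntrack` is still loaded. The script below is an added example for that audit; it is not part of this commit or of the Xen hotplug scripts. The `iptables-save` dump it parses is constructed for illustration, and the vif names `vif1.0`, `vif2.0`, `vif3.0` are assumptions; `audit_live_dom0` is only meaningful on a real dom0 with `iptables-save` available.

```sh
#!/bin/sh
# Added example, not part of vif-common.sh: audit an `iptables-save` dump for
# per-vif FORWARD rules that still pull in connection tracking (-m state /
# -m conntrack) or use --physdev-out without --physdev-is-bridged.
# The dump below is constructed for illustration; the vif names are assumptions.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-in vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-out vif3.0 -j ACCEPT
COMMIT'

# Print each offending FORWARD rule once, prefixed with the reason(s).
find_legacy_vif_rules() {
    printf '%s\n' "$1" | grep '^-A FORWARD ' | while IFS= read -r rule; do
        reason=""
        # Any state/conntrack match loads nf_conntrack and costs table entries.
        case "$rule" in
            *' -m state '*|*' -m conntrack '*) reason="conntrack" ;;
        esac
        # --physdev-out on non-bridged traffic is what triggers the kernel warning.
        case "$rule" in
            *'--physdev-is-bridged'*) ;;
            *'--physdev-out '*) reason="${reason:+$reason,}unbridged-physdev-out" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s: %s\n' "$reason" "$rule"
        fi
    done
}

# Number of offending rules in the dump.
count_legacy_vif_rules() {
    find_legacy_vif_rules "$1" | wc -l | tr -d ' '
}

# On a live dom0: audit the real ruleset and show whether conntrack is even
# loaded (the sysctl only exists once nf_conntrack is in the kernel).
audit_live_dom0() {
    if command -v iptables-save >/dev/null 2>&1; then
        find_legacy_vif_rules "$(iptables-save 2>/dev/null)"
    fi
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        printf 'conntrack entries: %s / max %s\n' \
            "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
            "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
    else
        echo "nf_conntrack not loaded"
    fi
}

# Demonstration on the constructed dump: two rules are reported.
find_legacy_vif_rules "$SAMPLE_RULES"
```

Run `audit_live_dom0` as root on the dom0 after the updated script has taken effect; any line it reports is a rule the new `frob_iptable` will not delete when the vif goes offline, and a non-zero conntrack count means something other than these rules is still keeping the tracking module busy.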
diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 44dd342acf..946b34ec4f 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -73,10 +73,10 @@ frob_iptable()
local c="-D"
fi
- iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
- 2>/dev/null &&
- iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
- --physdev-out "$vif" -j ACCEPT 2>/dev/null
+ iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \
+ "$@" -j ACCEPT 2>/dev/null &&
+ iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
+ -j ACCEPT 2>/dev/null
if [ "$command" == "online" -a $? -ne 0 ]
then
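Review bot: the delete path (`local c="-D"` just above the hunk) now hands `iptables -D` the new rule spec, so on a dom0 where this script is updated while domains are running, the rules installed by the previous version (`-m physdev --physdev-in "$vif"` without `--physdev-is-bridged`, and the `-m state --state RELATED,ESTABLISHED ... --physdev-out "$vif"` rule) are never matched and are left behind when those vifs go offline, keeping the conntrack dependency this change is meant to remove; and since the two calls are joined with `&&`, a failed first `-D` also skips the second. Consider also attempting the old spec (ignoring failure) in the `-D` case, or stating in the commit message that pre-existing vif rules have to be flushed by hand. Separately, `--physdev-is-bridged` restricts both rules to frames that are actually being bridged, so if `frob_iptable` is reached for a vif that is routed rather than bridged, the ACCEPT rule and any restriction passed in `"$@"` silently stop matching; a short comment above the two `iptables` lines saying that the `--physdev-out` rule (traffic towards the domU) is intentionally unconditional and that the domU is expected to police its own input would make the new policy visible to the next person editing this function.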