diff options
| author | Keir Fraser <keir@xen.org> | 2010-12-17 16:12:37 +0000 |
|---|---|---|
| committer | Keir Fraser <keir@xen.org> | 2010-12-17 16:12:37 +0000 |
| commit | 26637cd3206acc7cc51d509427b29b0d4fe6a841 (patch) | |
| tree | a84fb6a433f7944f253da1e5ed13eb21af024a20 /tools/hotplug | |
| parent | 999fc9bc6cd30ad80c8467aea784fbad9441e8d2 (diff) | |
| download | xen-26637cd3206acc7cc51d509427b29b0d4fe6a841.tar.gz xen-26637cd3206acc7cc51d509427b29b0d4fe6a841.tar.bz2 xen-26637cd3206acc7cc51d509427b29b0d4fe6a841.zip | |
tools/hotplug/Linux: Avoid dependency on iptables conntrack module.
Checking for RELATED,ESTABLISHED traffic being sent to a domU requires
connection tracking, which adds unexpected (to most users) load to
dom0. Heavily loaded systems can fill the conntrack tables.
So avoid this, be more liberal in what we accept, and leave it to domU
to police its own input.
Signed-off-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'tools/hotplug')
| -rw-r--r-- | tools/hotplug/Linux/vif-common.sh | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh index 05ee712fd9..76ad0f8c76 100644 --- a/tools/hotplug/Linux/vif-common.sh +++ b/tools/hotplug/Linux/vif-common.sh @@ -105,10 +105,10 @@ frob_iptable() local c="-D" fi - iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" "$@" -j ACCEPT \ - 2>/dev/null && - iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \ - --physdev-is-bridged --physdev-out "$vif" -j ACCEPT 2>/dev/null + iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \ + "$@" -j ACCEPT 2>/dev/null && + iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \ + -j ACCEPT 2>/dev/null if [ "$command" == "online" -a $? -ne 0 ] then |