On 2015-11-19 12:46, Juan Rossi wrote:
Hi
I am sending this due to the change of behaviour in some parts, and
perhaps it needs some code amendments; unsure if the devel list is the
best place, feel free to point me to the right place for this. Let me
know if I should load a bug instead.
I'm tracking this at:
http://xen.crc.id.au/bugs/view.php?id=62
<snip>
diff --git a/tools/hotplug/Linux/vif-bridge
b/tools/hotplug/Linux/vif-bridge
index 3d72ca4..7fc6650 100644
--- a/tools/hotplug/Linux/vif-bridge
+++ b/tools/hotplug/Linux/vif-bridge
@@ -93,7 +93,16 @@ case "$command" in
;;
esac
-handle_iptable
+brcalliptables=$(sysctl -n net.bridge.bridge-nf-call-iptables
2>/dev/null)
+brcalliptables=${brcalliptables:-0}
+
+brcallip6tables=$(sysctl -n net.bridge.bridge-nf-call-ip6tables
2>/dev/null)
+brcallip6tables=${brcallip6tables:-0}
+
+if [ "$brcalliptables" -eq "1" -a "$brcallip6tables" -eq "1" ];
+then
+ handle_iptable
+fi
call_hooks vif post
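Review bot: the conjunction at `if [ "$brcalliptables" -eq "1" -a "$brcallip6tables" -eq "1" ]` only calls handle_iptable when both bridge-nf-call-iptables and bridge-nf-call-ip6tables are 1, so a host with only IPv4 bridge filtering turned on silently gets no rule from handle_iptable at all; either test each family on its own or say in a comment why both are required. Two smaller points: `sysctl -n` prints nothing when the bridge netfilter sysctls do not exist, so the `${brcalliptables:-0}` default quietly turns "module not loaded" into "skip", which deserves a comment; and `-a` inside `[ ]` is marked obsolescent in POSIX, so `[ "$brcalliptables" -eq 1 ] && [ "$brcallip6tables" -eq 1 ]` is the safer spelling.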
I'm not a fan of this as it will also enable the call to
handle_iptable() if people create their own firewall rules - i.e. these
will be true - hence the rule will get loaded anyway.
My comment on the bug report is included below to hopefully get further
input from people:
Thinking about this further - as it is a change in behaviour for a point
release, I believe we should do the following:
1) Create a new option in /etc/xen/xl.conf - and default it to False.
2) Name an option "autocreate_firewall_files"
3) Evaluate autocreate_firewall_rules in vif-common.sh function
handle_iptable()
I suggest something like the following pseudo code:
if [ "${autocreate_firewall_rules:-0}" -eq 0 ]; then
    return
fi
Happy to start debate on the correct way of handling this :)
Hopefully this can lead to some further debate.
--
Steven Haigh
Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
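As an added example of the gate proposed in steps 1-3 above (not Xen's code and not Steven's): a POSIX sh reading of an autocreate_firewall_rules option from an xl.conf-style file, defaulting to off. The file-path argument and the key=value parsing are assumptions, since the thread does not say how xl.conf settings reach the hotplug scripts.

```shell
#!/bin/sh
# Added illustration of the proposal above; not Xen's own code.
# Assumption: the hotplug script reads the option straight from an
# xl.conf-style file (key = value, optional quotes, # comments) whose
# path is passed in, defaulting to /etc/xen/xl.conf.

# Print the last value set for key $1 in file $2; print nothing if unset.
xl_conf_get() {
    key="$1"
    file="${2:-/etc/xen/xl.conf}"
    [ -r "$file" ] || return 1
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//" \
        | tail -n 1
}

# Exit status 0 when rules should be created. The option defaults to
# False: a missing file, a missing key or any value other than 1/true/yes
# means "do not touch the firewall".
autocreate_firewall_rules_enabled() {
    v=$(xl_conf_get autocreate_firewall_rules "$1" 2>/dev/null) || v=""
    case "$v" in
        1|[Tt]rue|[Yy]es) return 0 ;;
        *)                return 1 ;;
    esac
}

# Stand-in for the gate at the top of vif-common.sh's handle_iptable():
# prints "install" where the real function would add the per-vif rules,
# "skip" where it would return early.
handle_iptable() {
    if ! autocreate_firewall_rules_enabled "$1"; then
        echo "skip"
        return 0
    fi
    echo "install"
}

# Demo on a constructed config: the commented-out line must not count.
demo_conf=$(mktemp) || exit 1
printf '%s\n' '# autocreate_firewall_rules = 1' \
              'autocreate_firewall_rules = "0"  # explicit off' \
              > "$demo_conf"
echo "explicit off -> $(handle_iptable "$demo_conf")"
rm -f "$demo_conf"
```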
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel