[Pkg-xen-devel] Bug#571634: [xen-utils-common] using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
Sebastián Cruz
scruz at xoomcode.com
Tue Mar 23 15:25:21 UTC 2010
Package: xen-utils-common
Version: 3.4.2-3
--- Please enter the report below this line. ---
After several tests and many hours of investigation I found out that
this is not a bug.
The iptables rules that trigger the message are found in
/etc/xen/scripts/vif-common.sh [1], but as the syslog message clearly
indicates this rule works perfectly when the traffic is bridged.
Moreover, those rules are intended for setups where the default policy
for FORWARD is other than ACCEPT.
I think that message is a bit misleading, but if it's to be considered
a bug it should be reported against iptables. AFAIK iptables isn't
capable of guessing if the traffic is bridged or routed so it has to
show the message anyway. And if it's routed the rule is inserted
without failure, it just never matches anything.
My problem with the DomU not forwarding traffic is still unresolved,
but now I'm sure it has nothing to do with this.
I apologize for the noise. Regards.
[1]
    iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
      2>/dev/null &&
    iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
      --physdev-out "$vif" -j ACCEPT 2>/dev/null
--- System information. ---
Architecture: amd64
Kernel: Linux 2.6.32-4-xen-amd64
Debian Release: squeeze/sid
900 testing security.debian.org
900 testing ftp.debian.org
600 unstable ftp.debian.org
500 testing www.debian-multimedia.org
500 stable dl.google.com
100 experimental ftp.debian.org
--- Package information. ---
Depends         (Version)     | Installed
=============================-+-===========
lsb-base        (>= 3.0-6)    | 3.2-23
udev            (>> 0.060)    | 151-2
xenstore-utils                | 3.4.3~rc3-1
Package's Recommends field is empty.
Package's Suggests field is empty.
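
Added example, not part of the original message or of vif-common.sh: a shell check that lists physdev rules naming an interface that is not a bridge port, which is the case described above where the rule is inserted without failure but never matches. It assumes the Linux sysfs layout in which a bridge port has /sys/class/net/<if>/brport; the function names, the vif1.0/vif2.0 rules and the temporary directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from vif-common.sh): list physdev rules that can never
# match because the interface they name is not a bridge port.

# An interface enslaved to a Linux bridge has a brport entry in sysfs.
# $1 = interface, $2 = sysfs net directory (overridable for testing).
is_bridge_port() {
    [ -e "${2:-/sys/class/net}/$1/brport" ]
}

# Reads rules in `iptables -S` format on stdin. Prints "<iface>: <rule>" for
# each --physdev-in/--physdev-out interface that is not a bridge port.
# Wildcard names (trailing "+") are skipped: they cannot be resolved here.
dead_physdev_rules() {
    sysfs_net="${1:-/sys/class/net}"
    set -f                              # no globbing while word-splitting
    while IFS= read -r rule; do
        prev=""
        for word in $rule; do
            case "$prev" in
                --physdev-in|--physdev-out)
                    case "$word" in
                        *+) ;;
                        *) is_bridge_port "$word" "$sysfs_net" ||
                               printf '%s: %s\n' "$word" "$rule" ;;
                    esac ;;
            esac
            prev=$word
        done
    done
    set +f
}

# Constructed demo: vif1.0 is attached to a bridge, vif2.0 is routed.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/vif1.0/brport" "$tmp/vif2.0"
    dead_physdev_rules "$tmp" <<'EOF'
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif2.0 -j ACCEPT
EOF
    rm -rf "$tmp"
}

demo
```

On a live host, `iptables -S FORWARD | dead_physdev_rules` runs the same check against the real /sys/class/net.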