[libvirt] [PATCH] fixed xt_physdev warning when defining ip(6)tables rules

--- src/nwfilter/nwfilter_ebiptables_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 4fec52d..db2276c 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -166,7 +166,7 @@ static const char ebiptables_script_set_ifs[] = snprintf(buf, sizeof(buf), "%c%c-%s", prefix[0], prefix[1], ifname) #define PHYSDEV_IN "--physdev-in" -#define PHYSDEV_OUT "--physdev-out" +#define PHYSDEV_OUT "--physdev-is-bridged --physdev-out" static const char *m_state_out_str = "-m state --state NEW,ESTABLISHED"; static const char *m_state_in_str = "-m state --state ESTABLISHED"; -- 1.7.11.5
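Review bot: the patch carries no commit message body, only the subject line, so the log does not record which kernel warning is being silenced or why prefixing `--physdev-is-bridged` to the PHYSDEV_OUT string is the correct fix rather than, say, dropping the `--physdev-out` match; please add a body that quotes the warning and states the reasoning. Separately, since PHYSDEV_OUT is a string that ends up verbatim in every outgoing-direction rule libvirt writes, rules installed by an older libvirt (plain `--physdev-out`) will no longer match what a libvirt with this patch looks for when tearing rules down, which leaves stale rules behind after an upgrade; consider teaching the removal path to accept the old form as well, so the `-#define PHYSDEV_OUT "--physdev-out"` / `+#define PHYSDEV_OUT "--physdev-is-bridged --physdev-out"` change is transparent to running hosts.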

On 01/17/2013 04:24 AM, Reinier Schoof wrote:
--- src/nwfilter/nwfilter_ebiptables_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 4fec52d..db2276c 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -166,7 +166,7 @@ static const char ebiptables_script_set_ifs[] = snprintf(buf, sizeof(buf), "%c%c-%s", prefix[0], prefix[1], ifname)
#define PHYSDEV_IN "--physdev-in" -#define PHYSDEV_OUT "--physdev-out" +#define PHYSDEV_OUT "--physdev-is-bridged --physdev-out"
Stefan ACKd in the other thread, so I've gone ahead and pushed this, after amending the commit message to include details from the other thread.

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Op 17-1-2013 19:33, Eric Blake schreef:
On 01/17/2013 04:24 AM, Reinier Schoof wrote:
--- src/nwfilter/nwfilter_ebiptables_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 4fec52d..db2276c 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -166,7 +166,7 @@ static const char ebiptables_script_set_ifs[] = snprintf(buf, sizeof(buf), "%c%c-%s", prefix[0], prefix[1], ifname)
#define PHYSDEV_IN "--physdev-in" -#define PHYSDEV_OUT "--physdev-out" +#define PHYSDEV_OUT "--physdev-is-bridged --physdev-out"
Stefan ACKd in the other thread, so I've gone ahead and pushed this, after amending the commit message to include details from the other thread.
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Thanks for committing the patch! On a side note, please be aware that when upgrading to a libvirt version with this patch included, libvirt will not be able to remove the earlier ip(6)tables rules without the '--physdev-is-bridged' addition. When restarting libvirt, it will look for rules that match with '--physdev-is-bridged' and since that wasn't there before, you'll end up with a duplicate/malfunctioning ruleset. You'll have to remove these rules/chains manually.

--
TransIP BV | https://www.transip.nl/
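A cleanup helper for the upgrade situation described above, added here as an example and not libvirt's own code: it reads iptables-save (or ip6tables-save) output and prints one `iptables -t <table> -D <chain> <rule>` command for every rule still written in the pre-patch form, that is, with `--physdev-out` but without `--physdev-is-bridged`, so the stale rules can be reviewed and then removed in one go. The save excerpt embedded below is constructed for the example; the chain names follow libvirt's FO-/FP- naming, but the rules themselves are made up, and the test for the `--physdev-is-bridged` token is order-independent, so it does not matter where iptables-save places that option on the line.

```shell
#!/bin/sh
# Added example, not libvirt code: turn iptables-save output into the
# delete commands that remove every rule still written in the old form
# ("--physdev-out" without "--physdev-is-bridged"). Review the printed
# commands, then pipe them to sh.

# Usage: iptables-save  | stale_physdev_out_rules iptables
#        ip6tables-save | stale_physdev_out_rules ip6tables
stale_physdev_out_rules() {
    awk -v cmd="${1:-iptables}" '
        /^\*/ { table = substr($0, 2); next }        # "*filter" -> table name
        /^-A / && /--physdev-out/ && !/--physdev-is-bridged/ {
            chain = $2
            rule = $0
            sub(/^-A [^ ]+ /, "", rule)               # drop the "-A <chain> " prefix
            printf "%s -t %s -D %s %s\n", cmd, table, chain, rule
        }
    '
}

# Constructed iptables-save excerpt (chain names follow libvirt nwfilter
# naming, the rules are made up): one stale rule in filter/FORWARD, one
# already in the new form, and one stale rule in the mangle table.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:FO-vnet0 - [0:0]
:FP-vnet0 - [0:0]
-A FORWARD -m physdev --physdev-in vnet0 -g FP-vnet0
-A FORWARD -m physdev --physdev-out vnet0 -g FO-vnet0
-A FORWARD -m physdev --physdev-out vnet1 --physdev-is-bridged -g FO-vnet1
-A FO-vnet0 -p tcp -m state --state ESTABLISHED -j RETURN
COMMIT
*mangle
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m physdev --physdev-out vnet0 -j RETURN
COMMIT
'

# Dry run on the sample: prints the two delete commands, one per stale rule.
printf '%s' "$SAMPLE_SAVE" | stale_physdev_out_rules iptables
```

On a live host, run the printed commands only after checking them, since a `-D` with a rule spec that no longer exists simply fails; chains that end up empty afterwards (the FO-/FP- chains of guests that were torn down while the old rules were unremovable) still have to be flushed and deleted by hand.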

On 01/18/2013 12:44 AM, Reinier Schoof wrote:
Op 17-1-2013 19:33, Eric Blake schreef:
On 01/17/2013 04:24 AM, Reinier Schoof wrote:
--- src/nwfilter/nwfilter_ebiptables_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
On a side note, please be aware that when upgrading to a libvirt version with this patch included, libvirt will not be able to remove the earlier ip(6)tables rules without the '--physdev-is-bridged' addition. When restarting libvirt, it will look for rules that match with '--physdev-is-bridged' and since that wasn't there before, you'll end up with a duplicate/malfunctioning ruleset. You'll have to remove these rules/chains manually.
Can we be nicer than that? That is, can we teach the removal code to recognize rules from the older libvirt, so that upgrades are smooth?

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
participants (2)
- Eric Blake
- Reinier Schoof