Re: [PATCH] nwfilter: enable bridge netfilter calls via proc filesystem

On 09/22/2010 12:19 PM, Stefan Berger wrote:
On a recent installation of FC13, the filtering of IP/IPv6 using
iptables/ip6tables traffic did not work since the proc filesystem
entries /proc/sys/net/bridge/bridge-nf-call-iptables and
/proc/sys/net/bridge/bridge-nf-call-ip6tables contained a zero each and
no traffic went into the FORWARD chain. The patch below makes sure that
if iptables or ip6tables are being used by the nwfilter driver that a
'1' is written into the relevant proc filesystem entry so that the
traffic goes into the FORWARD chain.

Do we have to worry about a minimum kernel version where these /proc/sys files are guaranteed to exist?

virBufferVSprintf(buf,"%s -N " VIRT_IN_CHAIN CMD_SEPARATOR
"%s -N " VIRT_OUT_CHAIN CMD_SEPARATOR
"%s -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
- "%s -N " HOST_IN_CHAIN CMD_SEPARATOR,
+ "%s -N " HOST_IN_CHAIN CMD_SEPARATOR
+ "echo 1 > %s" CMD_SEPARATOR,
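Review bot: the new `"echo 1 > %s"` is joined with CMD_SEPARATOR onto the same command string as the four `%s -N` chain creations, so the caller sees a single exit status that is effectively the echo's, and a failed `-N` earlier in the string goes unreported. Suggest dropping the echo from the iptables command string and writing the proc entry from C (open/write on the path) with its own return-value check, treating a missing entry as "bridge netfilter not available" rather than a silent success, and logging that a host-wide sysctl was changed.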

Not introduced by this patch, but shouldn't you be checking individual commands for appropriate exit status? And with this particular patch, what happens when a successful exit status of 'echo 1 >file' masks an earlier failure of the iptables_cmd?

--
Eric Blake   eblake@xxxxxxxxxx    +1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
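As an added example (not libvirt's code and not part of Stefan's patch), here is how the two proc entries named in the patch can be set from C with their own error handling, so a failed or ignored write is reported on its own instead of being folded into the exit status of the iptables command string. The function names and the temporary file used by the self-test are my own choices; the two /proc paths are the ones quoted in the thread.

```c
/* Added example (not libvirt code): set a bridge-nf-call-* sysctl through
 * the proc filesystem with its own error reporting, instead of appending
 * "echo 1 > file" to the iptables command string. Function names are
 * illustrative; the two /proc paths are the ones named in the patch. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read the single 0/1 flag stored in a /proc/sys-style file.
 * Returns 0 or 1, or -errno (e.g. -ENOENT when the kernel has no bridge
 * netfilter support and the entry does not exist). */
int bridge_nf_read(const char *path)
{
    char buf[16];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    int saved = errno;
    close(fd);
    if (n < 0)
        return -saved;
    buf[n] = '\0';
    if (buf[0] != '0' && buf[0] != '1')
        return -EINVAL;      /* unexpected content, refuse to guess */
    return buf[0] - '0';
}

/* Make sure the entry contains 1. Returns 0 if it already did, 1 if it was
 * changed (the caller may want to log that a host-wide setting was altered),
 * or -errno on failure. The value is re-read after writing so a silently
 * ignored write is reported rather than assumed to have worked. */
int bridge_nf_enable(const char *path)
{
    int cur = bridge_nf_read(path);
    if (cur < 0)
        return cur;
    if (cur == 1)
        return 0;
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t w = write(fd, "1\n", 2);
    int saved = errno;
    close(fd);
    if (w != 2)
        return w < 0 ? -saved : -EIO;
    cur = bridge_nf_read(path);
    if (cur < 0)
        return cur;
    return cur == 1 ? 1 : -EIO;
}

/* Exercise the two functions on a constructed temporary file that starts
 * out as "0\n", so the logic can be checked without root or a bridge.
 * Returns 0 on success, or the number of the step that failed. */
int bridge_nf_selftest(void)
{
    char path[64];
    snprintf(path, sizeof(path), "/tmp/bridge-nf-example.%ld", (long)getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return 1;
    if (write(fd, "0\n", 2) != 2) { close(fd); unlink(path); return 2; }
    close(fd);
    int rc = 0;
    if (bridge_nf_read(path) != 0)        rc = 3;  /* starts disabled */
    else if (bridge_nf_enable(path) != 1) rc = 4;  /* first call flips it */
    else if (bridge_nf_enable(path) != 0) rc = 5;  /* second call is a no-op */
    else if (bridge_nf_read(path) != 1)   rc = 6;  /* and it stays at 1 */
    unlink(path);
    return rc;
}

int main(void)
{
    const char *entries[] = {
        "/proc/sys/net/bridge/bridge-nf-call-iptables",
        "/proc/sys/net/bridge/bridge-nf-call-ip6tables",
    };
    for (size_t i = 0; i < sizeof(entries) / sizeof(entries[0]); i++) {
        int rc = bridge_nf_enable(entries[i]);
        if (rc == -ENOENT)
            printf("%s: not present (no bridge netfilter in this kernel)\n", entries[i]);
        else if (rc < 0)
            printf("%s: %s\n", entries[i], strerror(-rc));   /* e.g. EACCES when unprivileged */
        else
            printf("%s: %s\n", entries[i], rc ? "changed to 1" : "already 1");
    }
    return 0;
}
```

Run as root on a host with the bridge module loaded, main() reports for each entry whether it was already 1, was changed, or could not be written; without the entries it reports "not present" instead of failing, which is the case Eric's kernel-version question is about. The return codes distinguish "already enabled" from "changed" so a management daemon can log the sysctl change it made.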