[libvirt] [PATCH] nwfilter: enable bridge netfilter calls via proc filesystem

Eric Blake eblake at redhat.com
Wed Sep 22 18:25:52 UTC 2010


On 09/22/2010 12:19 PM, Stefan Berger wrote:
> On a recent installation of FC13, the filtering of IP/IPv6 traffic using
> iptables/ip6tables did not work, since the proc filesystem
> entries /proc/sys/net/bridge/bridge-nf-call-iptables and
> /proc/sys/net/bridge/bridge-nf-call-ip6tables each contained a zero and
> no traffic went into the FORWARD chain. The patch below makes sure that
> if iptables or ip6tables are being used by the nwfilter driver, a
> '1' is written into the relevant proc filesystem entry so that the
> traffic goes into the FORWARD chain.

Do we have to worry about a minimum kernel version where these /proc/sys 
files are guaranteed to exist?

> virBufferVSprintf(buf,"%s -N " VIRT_IN_CHAIN CMD_SEPARATOR
> "%s -N " VIRT_OUT_CHAIN CMD_SEPARATOR
> "%s -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
> - "%s -N " HOST_IN_CHAIN CMD_SEPARATOR,
> + "%s -N " HOST_IN_CHAIN CMD_SEPARATOR
> + "echo 1 > %s" CMD_SEPARATOR,
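Review bot: the appended `"echo 1 > %s" CMD_SEPARATOR` makes the proc write the last command in one shell string, so the exit status the caller sees is the echo's, and a failed `-N` for any of the four chains before it is reported as success. Either run the chain creation and the proc write as separately checked steps, or do the proc write from C with open/write and explicit error handling, only when the entry is not already 1, and read it back to confirm. Two smaller points on the same lines: the format string gains a fifth `%s`, so every caller passing the four `iptables_cmd` arguments must now also pass the proc path in the right position; and if the entry is absent (bridge netfilter not loaded), the echo now fails the whole sequence after the chains have already been created, so decide whether a missing sysctl should be fatal or logged.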

Not introduced by this patch, but shouldn't you be checking individual 
commands for appropriate exit status?  And with this particular patch, 
what happens when a successful exit status of 'echo 1 >file' masks an 
earlier failure of the iptables_cmd?

-- 
Eric Blake   eblake at redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
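The masking problem raised above, a trailing `echo 1 > file` hiding an earlier command's failure, is what a direct file write with per-step error checking avoids. The following C is an added example and not libvirt's code; `bridge_nf_read`, `bridge_nf_enable` and `make_stub_entry` are hypothetical names, and the temporary file is a constructed stand-in for /proc/sys/net/bridge/bridge-nf-call-iptables so the example runs without bridge netfilter loaded.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (added example, not libvirt code): read a one-flag
 * sysctl entry such as /proc/sys/net/bridge/bridge-nf-call-iptables.
 * Returns 0 or 1, or -1 with errno set if the entry is missing or unreadable
 * (ENOENT when the bridge module has not created it yet). */
int bridge_nf_read(const char *path)
{
    char buf[16];
    ssize_t n;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return -1;
    n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    if (buf[0] == '0' || buf[0] == '1')
        return buf[0] - '0';
    errno = EINVAL;            /* unexpected contents */
    return -1;
}

/* Hypothetical helper: make sure the entry holds 1 so bridged IP traffic is
 * handed to the FORWARD chain. Unlike "echo 1 > path" at the end of a shell
 * command string, each step reports its own failure and the result is read
 * back. Returns 0 on success, -1 with errno set on failure. */
int bridge_nf_enable(const char *path)
{
    int fd, cur = bridge_nf_read(path);

    if (cur < 0)
        return -1;
    if (cur == 1)
        return 0;              /* already enabled: leave it untouched */

    /* O_TRUNC matches the shell redirection the patch relies on. */
    fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0)
        return -1;
    if (write(fd, "1\n", 2) != 2) {
        int saved = errno;
        close(fd);
        errno = saved ? saved : EIO;
        return -1;
    }
    if (close(fd) < 0)
        return -1;
    /* Do not trust the write: require the entry to report 1 afterwards. */
    if (bridge_nf_read(path) != 1) {
        errno = EIO;
        return -1;
    }
    return 0;
}

/* Constructed stand-in for the proc entry: creates a temp file from the
 * mkstemp template in tmpl (modified in place) holding initial. */
int make_stub_entry(char *tmpl, const char *initial)
{
    int fd = mkstemp(tmpl);
    size_t len = strlen(initial);

    if (fd < 0)
        return -1;
    if (write(fd, initial, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

int main(void)
{
    char stub[] = "/tmp/bridge-nf-call-iptables-XXXXXX";

    if (make_stub_entry(stub, "0\n") < 0) {
        perror("make_stub_entry");
        return 1;
    }
    printf("before: %d\n", bridge_nf_read(stub));
    printf("enable: %d\n", bridge_nf_enable(stub));
    printf("after:  %d\n", bridge_nf_read(stub));
    /* A missing entry fails loudly instead of being masked by a later step. */
    printf("missing entry: %d (%s)\n",
           bridge_nf_enable("/nonexistent/bridge-nf-call-iptables"),
           strerror(errno));
    unlink(stub);
    return 0;
}
```

Calling `bridge_nf_enable` once per driver start (and skipping the write when the value is already 1) also avoids rewriting a sysctl the administrator set deliberately.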