tools/hotplug/Linux: Avoid dependency on iptables conntrack module.

Checking for RELATED,ESTABLISHED traffic being sent to a domU requires
connection tracking, which adds unexpected (to most users) load to
dom0. Heavily loaded systems can fill the conntrack tables.

So avoid this, be more liberal in what we accept, and leave it to domU
to police its own input.

Signed-off-by: Keir Fraser <keir@xen.org>

diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 05ee712fd9bca4d768122646ffae265964c6a433..76ad0f8c76a5ff1d7c33028374c6c43e5b510ba1 100644 (file)
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -105,10 +105,10 @@ frob_iptable()
     local c="-D"
   fi
 
-  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" "$@" -j ACCEPT \
-    2>/dev/null &&
-  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
-    --physdev-is-bridged --physdev-out "$vif" -j ACCEPT 2>/dev/null
+  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \
+    "$@" -j ACCEPT 2>/dev/null &&
+  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
+    -j ACCEPT 2>/dev/null
 
   if [ "$command" == "online" -a $? -ne 0 ]
   then