projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1761777) | patch
tools: dom0 iptables rule ordering change
authorKeir Fraser <keir.fraser@citrix.com>
Tue, 14 Apr 2009 10:20:02 +0000 (11:20 +0100)
committerKeir Fraser <keir.fraser@citrix.com>
Tue, 14 Apr 2009 10:20:02 +0000 (11:20 +0100)
commit891410cbc469d93c3c6bb102ac83ea2036c79983
treefa520f4b0ffd0264cb5cc42c7409036174e76c8dtree | snapshot
parent1761777e90bc9c386faeeaab2f3cb5c076ace86fcommit | diff
tools: dom0 iptables rule ordering change

This patch makes two small changes to dom0 iptables rules that permit
(and revoke) domU network access.

First:
Currently, a rule intended to allow domU network access is appended to
the end of the FORWARD chain, where it can be preempted by other =20
rules.  This patch causes the rule to be inserted at the top, where
it's more likely to have the intended effect.

Second:
In some cases (e.g. Fedora 9's default iptables configuration), the
first rule alone is insufficient to permit two-way packet flow.  This
patch adds a second rule to the FORWARD chain that permits replies to
domU network requests to reach the domU vif.

Signed-off-by: Chris Bookholt <hap10@tycho.ncsc.mil>
tools/hotplug/Linux/vif-common.sh diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.