From 26637cd3206acc7cc51d509427b29b0d4fe6a841 Mon Sep 17 00:00:00 2001
From: Keir Fraser
Date: Fri, 17 Dec 2010 16:12:37 +0000
Subject: [PATCH] tools/hotplug/Linux: Avoid dependency on iptables conntrack module.

Checking for RELATED,ESTABLISHED traffic being sent to a domU requires connection tracking, which adds unexpected (to most users) load to dom0. Heavily loaded systems can fill the conntrack tables. So avoid this, be more liberal in what we accept, and leave it to domU to police its own input.

Signed-off-by: Keir Fraser
---
 tools/hotplug/Linux/vif-common.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 05ee712fd9..76ad0f8c76 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -105,10 +105,10 @@ frob_iptable() local c="-D" fi - iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" "$@" -j ACCEPT \ 2>/dev/null && iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \ --physdev-is-bridged --physdev-out "$vif" -j ACCEPT 2>/dev/null + iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \ "$@" -j ACCEPT 2>/dev/null && iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \ -j ACCEPT 2>/dev/null if [ "$command" == "online" -a $? -ne 0 ] then
-- 
2.30.2
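Review bot: The new `--physdev-out "$vif" -j ACCEPT` rule passes every bridged frame towards the guest with no state or source match, so the `"$@"` filters (the antispoof `-s` arguments) applied to the `--physdev-in` rule have no counterpart for ingress and any host on the bridge can reach the domU irrespective of the FORWARD chain's default policy; the commit message says this is deliberate, but nothing in the script records it. Add a comment above the second rule, e.g. `# Unconditional ACCEPT towards the guest: the RELATED,ESTABLISHED state match was dropped to avoid conntrack load in dom0, so the domU must filter its own ingress.` It would also be worth making the stateful variant selectable via a config knob for deployments that relied on dom0 performing that filtering, since this silently weakens their guests' exposure. Note that `frob_iptable` begins before and continues past this hunk, and because the two calls are chained with `&&`, a failed first call on `offline` (`-D`) leaves the ingress ACCEPT rule in place.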