We don't want the system's iptables filter/FORWARD
rules to apply to traffic on our bridge.
diff -up xen-3.2.0/tools/examples/xen-network-common.sh.disable-iptables-on-bridge xen-3.2.0/tools/examples/xen-network-common.sh
--- xen-3.2.0/tools/examples/xen-network-common.sh.disable-iptables-on-bridge 2008-01-16 18:34:59.000000000 +0000
+++ xen-3.2.0/tools/examples/xen-network-common.sh 2008-02-18 22:54:18.000000000 +0000
@@ -109,6 +109,13 @@ create_bridge () {
brctl addbr ${bridge}
brctl stp ${bridge} off
brctl setfd ${bridge} 0
+ # Setting these to zero stops guest<->LAN traffic
+ # traversing the bridge from hitting the *tables
+ # rulesets. guest<->host traffic still gets processed
+ # by the host's iptables rules so this isn't a hole
+ sysctl -q -w "net.bridge.bridge-nf-call-arptables=0"
+ sysctl -q -w "net.bridge.bridge-nf-call-ip6tables=0"
+ sysctl -q -w "net.bridge.bridge-nf-call-iptables=0"
fi
}
diff -up xen-3.2.0/tools/examples/vif-bridge.disable-iptables-on-bridge xen-3.2.0/tools/examples/vif-bridge
--- xen-3.2.0/tools/examples/vif-bridge.disable-iptables-on-bridge 2008-01-16 18:34:59.000000000 +0000
+++ xen-3.2.0/tools/examples/vif-bridge 2008-02-18 22:54:18.000000000 +0000
@@ -91,8 +91,6 @@ case "$command" in
;;
esac
-handle_iptable
-
log debug "Successful vif-bridge $command for $vif, bridge $bridge."
if [ "$command" == "online" ]
then