Fix Xen expt bridge forwarding with bridge-nf-call-iptables on newer dom0 kernels.
Something changed at Xen 4.16/Linux 5.15, where if the net.bridge.bridge-nf-call-iptables sysctl is enabled (which we do so that we can firewall/NAT the control net bridge ifaces), iptables rules apply to the expt net bridges as well. This seems to be new behavior, because although we set the default global FORWARD chain policy to DROP, and do not create iptables rules for expt net bridges, in Xen 4.11/Linux 5.4, the bridge forwarded IP packets just fine. In Xen 4.16/Linux 5.15, this behavior has changed, and IP traffic is not forwarded unless we add this basic allow-all forwarding rule for each expt bridge.
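As an added example, not code from this commit or from the testbed repository it belongs to, the following POSIX shell helper installs the kind of per-bridge allow-all FORWARD rule the message describes, checks first whether the dom0 kernel is actually passing bridged frames through iptables, inserts the rule idempotently, and refuses to open the control-net bridge. The bridge names (xenbr0 as the control net, other xenbrN as expt bridges) and the exact form of the rule are assumptions; the commit message does not show its rule.

```shell
#!/bin/sh
# Added example, not the commit's own code. Adds an allow-all FORWARD rule
# for one experimental-network (expt) bridge when bridge-nf-call-iptables=1
# and the FORWARD policy is DROP, leaving the control-net bridge firewalled.
# Bridge names and the rule form are assumptions, not taken from the commit.

IPTABLES=${IPTABLES:-iptables}
CONTROL_BRIDGE=${CONTROL_BRIDGE:-xenbr0}   # assumed name of the firewalled bridge

# True when the dom0 kernel sends bridged frames through the iptables
# FORWARD chain. If this is 0 the expt bridges never hit FORWARD and the
# allow-all rule is unnecessary.
bridge_nf_call_iptables_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Match and target for one bridge. Requiring both -i and -o to be the same
# bridge accepts only frames bridged within it; a packet routed from that
# bridge to any other interface still falls through to the DROP policy.
expt_bridge_rule_args() {
    echo "FORWARD -i $1 -o $1 -j ACCEPT"
}

# Insert the rule idempotently: -C tests whether it is already present,
# -I places it ahead of the control-net rules. Refuses the control bridge
# so a typo in a bridge list cannot open the firewalled side.
expt_bridge_allow_forward() {
    br=$1
    if [ -z "$br" ] || [ "$br" = "$CONTROL_BRIDGE" ]; then
        echo "refusing allow-all forwarding on '$br'" >&2
        return 2
    fi
    rule=$(expt_bridge_rule_args "$br")
    # word-splitting $rule into separate arguments is intended here
    if $IPTABLES -C $rule 2>/dev/null; then
        return 0
    fi
    $IPTABLES -I $rule
}

# Usage, as root on dom0, for each expt bridge (names are hypothetical):
#   bridge_nf_call_iptables_enabled && \
#       for br in xenbr1 xenbr2; do expt_bridge_allow_forward "$br"; done
```

Running the helper with `IPTABLES` pointed at a wrapper is a convenient way to preview the exact rule before touching a live dom0; `-I` rather than `-A` matters because a control-net rule appended earlier with a broader match would otherwise take precedence.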