Bugzilla – Bug 914
/etc/xen/scripts/vif-bridge shouldn't call handle_iptable
Last modified: 2008-07-11 13:49:33 CDT
/etc/xen/scripts/vif-bridge should not call "handle_iptable" (from
/etc/xen/scripts/vif-common.sh) which sets iptables forwarding rules because a
bridge is not a router. No iptables rules are needed for bridging (and iptables
forwarding rules don't even affect how the bridge works).
Having that "handle_iptable" call in the vif-bridge script is apparently a
simple coding mistake. This unnecessary call opens a security hole to the
The handle_iptable call should be simply removed from
If you check the packet counters (sudo watch iptables -xvL FORWARD) you will
see that they increase with the traffic flow. It's counterintuitive at first,
but can be explained: see
So I say that the frob_iptable shell function in vif-common.sh does only half
the work: it enables traffic coming from a domU, but not traffic going to a
domU; that part is left at the mercy of the FORWARD chain policy (which is
generally ACCEPT, so things work nevertheless).
Please make the rule creation symmetric, and perhaps optional, too.
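The symmetric rule creation requested above, as an added example that is not part of the bug report or of Xen's own vif-common.sh: a small generator that emits one FORWARD rule for frames leaving the domU's bridge port (--physdev-in) and a matching rule for frames the bridge will deliver to that port (--physdev-out). The Xen hotplug scripts export the backend interface name as $vif and the guest addresses as $ip; this example takes them as arguments instead (an assumption, so it runs on any host), and it prints the iptables commands rather than executing them so the pairing can be checked without root.

```shell
#!/bin/sh
# Added example, not code from Xen's vif-common.sh.
# vif_forward_rules ACTION VIF [ADDR...]
#   ACTION is -A when the vif comes online and -D when it goes offline.
#   With addresses: accept only those sources leaving the domU and only those
#   destinations entering it (a per-domU anti-spoofing filter in both directions).
#   Without addresses: accept both directions for the vif unconditionally.
vif_forward_rules() {
  action="$1"; vif="$2"; shift 2
  if [ "$#" -gt 0 ]; then
    for addr in "$@"; do
      # Egress: frames arriving on the bridge from the domU's port.
      echo "iptables $action FORWARD -m physdev --physdev-in $vif -s $addr -j ACCEPT"
      # Ingress: frames the bridge will forward out of the domU's port.
      # This is the half the report says frob_iptable leaves to the chain policy.
      echo "iptables $action FORWARD -m physdev --physdev-out $vif -d $addr -j ACCEPT"
    done
  else
    echo "iptables $action FORWARD -m physdev --physdev-in $vif -j ACCEPT"
    echo "iptables $action FORWARD -m physdev --physdev-out $vif -j ACCEPT"
  fi
}

# count_rules ACTION VIF [ADDR...]: total number of generated rules.
count_rules() {
  vif_forward_rules "$@" | wc -l | tr -d ' '
}

# count_direction in|out ACTION VIF [ADDR...]: rules for one direction only.
# A symmetric rule set has the same count for "in" and "out".
count_direction() {
  dir="$1"; shift
  vif_forward_rules "$@" | grep -c -- "--physdev-$dir "
}

# apply_rules ACTION VIF [ADDR...]: run the generated commands (needs root and
# a working iptables). Not invoked by this example; shown for completeness.
apply_rules() {
  vif_forward_rules "$@" | while read -r cmd; do
    sh -c "$cmd"
  done
}

# Usage (constructed sample values): a vif named vif3.0 with one address.
vif_forward_rules -A vif3.0 192.168.1.10
```

Because both rules carry the same ACTION, the offline path (-D) removes the pair exactly as the online path (-A) added it, so the FORWARD chain never accumulates one-sided leftovers; the generator-then-apply split also makes the optional behaviour the report asks for easy, since a caller can simply skip apply_rules.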