Bug 914 - /etc/xen/scripts/vif-bridge shouldn't call handle_iptable
Status: NEW
Product: Xen
Version: 3.0.4
Hardware/OS: x86-64 Linux
Priority/Severity: P2 major
Assigned To: Xen Bug List
Reported: 2007-03-01 15:55 CST by Jarkko
Modified: 2008-07-11 13:49 CDT

Description Jarkko 2007-03-01 15:55:48 CST
/etc/xen/scripts/vif-bridge should not call "handle_iptable" (from
/etc/xen/scripts/vif-common.sh) which sets iptables forwarding rules because a
bridge is not a router. No iptables rules are needed for bridging (and iptables
forwarding rules don't even affect how the bridge works).

Having that "handle_iptable" call in the vif-bridge script is apparently a
simple coding mistake. This unnecessary call opens a security hole to the

The handle_iptable call should be simply removed from
Comment 1 Ferenc Wágner 2008-07-11 13:49:33 CDT

If you check the packet counters (sudo watch iptables -xvL FORWARD) you will
see that they increase with the traffic flow.  It's counterintuitive at first,
but can be explained: see

So I say that the frob_iptable shell function in vif-common.sh does half the
work only: it enables traffic coming from a domU, but not traffic going to a
domU; that part is left at the mercy of the FORWARD chain policy (which is
generally ACCEPT, so things work nevertheless).

Please make the rule creation symmetric, and perhaps optional, too.
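An added audit script (not Xen's vif-common.sh or anything from the bug) that checks, for each vif in a FORWARD rule listing, whether the rules are symmetric as the comment above asks, and what decides traffic towards the domU when they are not. It assumes the rules use iptables' physdev match (--physdev-in / --physdev-out), which the page does not state, and it reads a constructed sample in `iptables -S FORWARD` format so it runs without root.

```sh
#!/bin/sh
# Audit FORWARD rules per vif for symmetry (added example, not Xen's code).
# SAMPLE_RULES is a constructed listing in `iptables -S FORWARD` format;
# on a real dom0 use "$(iptables -S FORWARD)" instead.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif2.0 -j ACCEPT'

# has_rule RULES PATTERN: succeeds if some rule line contains PATTERN (fixed string)
has_rule() {
  printf '%s\n' "$1" | grep -qF -- "$2"
}

# forward_policy RULES: prints the chain policy (ACCEPT/DROP) from the -P line
forward_policy() {
  printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# vif_rule_state VIF RULES: symmetric | from-domU-only | to-domU-only | none
vif_rule_state() {
  local vif="$1" rules="$2" in_ok=0 out_ok=0
  has_rule "$rules" "--physdev-in $vif " && in_ok=1    # traffic from the domU
  has_rule "$rules" "--physdev-out $vif " && out_ok=1  # traffic to the domU
  case "$in_ok$out_ok" in
    11) echo symmetric ;;
    10) echo from-domU-only ;;
    01) echo to-domU-only ;;
    *)  echo none ;;
  esac
}

# to_domu_verdict VIF RULES: "rule" when an explicit --physdev-out rule exists,
# otherwise "policy:<POLICY>" because the chain policy decides that direction
to_domu_verdict() {
  local vif="$1" rules="$2"
  if has_rule "$rules" "--physdev-out $vif "; then
    echo rule
  else
    echo "policy:$(forward_policy "$rules")"
  fi
}

# Report every vif named in the listing.
for vif in $(printf '%s\n' "$SAMPLE_RULES" | grep -o 'vif[0-9.]*' | sort -u); do
  printf '%s: %s, traffic to domU decided by %s\n' "$vif" \
    "$(vif_rule_state "$vif" "$SAMPLE_RULES")" "$(to_domu_verdict "$vif" "$SAMPLE_RULES")"
done
```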