Bug 914 - /etc/xen/scripts/vif-bridge shouldn't call handle_iptable
Status: NEW
Product: Xen
Component: Tools
Version: 3.0.4
Hardware/OS: x86-64 Linux
Importance: P2 major
Assigned To: Xen Bug List

Reported: 2007-03-01 15:55 CST by Jarkko
Modified: 2008-07-11 13:49 CDT

Description Jarkko 2007-03-01 15:55:48 CST
/etc/xen/scripts/vif-bridge should not call "handle_iptable" (from
/etc/xen/scripts/vif-common.sh) which sets iptables forwarding rules because a
bridge is not a router. No iptables rules are needed for bridging (and iptables
forwarding rules don't even affect how the bridge works).

Having that "handle_iptable" call in the vif-bridge script is apparently a
simple coding mistake. This unnecessary call opens a security hole to the
firewall.

The handle_iptable call should be simply removed from
/etc/xen/scripts/vif-bridge.
Comment 1 Ferenc Wágner 2008-07-11 13:49:33 CDT
Hi,

If you check the packet counters (sudo watch iptables -xvL FORWARD) you will
see that they increase with the traffic flow.  It's counterintuitive at first,
but can be explained: see
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

So I say that the frob_iptable shell function in vif-common.sh does half the
work only: it enables traffic coming from a domU, but not traffic going to a
domU; that part is left at the mercy of the FORWARD chain policy (which is
generally ACCEPT, so things work nevertheless).

Please make the rule creation symmetric, and perhaps optional, too.

Thanks,
Feri.
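The symmetric rule set Feri asks for, written out as an added example. This is not Xen's vif-common.sh and not code from either commenter; it is an illustration of what "make the rule creation symmetric" means in practice. It assumes the same conventions as the script under discussion: a vif name such as vif1.0, an optional list of guest IP addresses, and the online/offline command that selects between inserting and deleting rules. Both directions are matched with the iptables physdev module, and --physdev-is-bridged is added as an assumption so that --physdev-out only ever matches bridged frames. By default the function prints the iptables commands instead of running them (dry run); set IPT=iptables to apply them for real, as root.

```shell
#!/bin/sh
# Added example, not Xen's vif-common.sh: symmetric FORWARD rules for a
# bridged vif. The original frob_iptable only matches --physdev-in (guest
# to outside); traffic towards the guest is left to the FORWARD policy.
#
# Assumptions (illustrative): vif names like "vif1.0", guest IPs given as
# arguments, IPT overridable. Default is a dry run that echoes the commands.
IPT="${IPT:-echo iptables}"

# vif_forward_rules <online|offline> <vif> [ip ...]
# Emits one rule for guest->outside (--physdev-in) and one for outside->guest
# (--physdev-out) per address, plus both halves of the DHCP exchange, so that
# a FORWARD policy of DROP does not silently cut the domU off.
vif_forward_rules() {
    if [ $# -lt 2 ]; then
        echo "usage: vif_forward_rules online|offline vif [ip ...]" >&2
        return 2
    fi
    action="$1"; vif="$2"; shift 2
    case "$action" in
        online)  c="-I" ;;   # insert rules when the vif comes up
        offline) c="-D" ;;   # delete the same rules when it goes away
        *) echo "usage: vif_forward_rules online|offline vif [ip ...]" >&2
           return 2 ;;
    esac
    # --physdev-is-bridged: only match frames that are actually being
    # bridged; required for --physdev-out to be meaningful in FORWARD.
    m="-m physdev --physdev-is-bridged"

    if [ $# -eq 0 ]; then
        # No address given: allow anything on this vif, in both directions.
        $IPT "$c" FORWARD $m --physdev-in  "$vif" -j ACCEPT
        $IPT "$c" FORWARD $m --physdev-out "$vif" -j ACCEPT
    else
        for addr in "$@"; do
            # The guest may only send from its own address ...
            $IPT "$c" FORWARD $m --physdev-in  "$vif" -s "$addr" -j ACCEPT
            # ... and may only receive traffic addressed to it.
            $IPT "$c" FORWARD $m --physdev-out "$vif" -d "$addr" -j ACCEPT
        done
    fi
    # DHCP: the guest's request (68 -> 67) and the server's reply (67 -> 68).
    $IPT "$c" FORWARD $m --physdev-in  "$vif" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT "$c" FORWARD $m --physdev-out "$vif" -p udp --sport 67 --dport 68 -j ACCEPT
}

# Example (dry run): vif_forward_rules online vif1.0 192.0.2.10
# Example (apply):   IPT=iptables vif_forward_rules online vif1.0 192.0.2.10
```

Note that `$IPT` and `$m` are deliberately left unquoted so that they split into separate arguments. To confirm the rules are actually being hit, watch the packet counters as Feri suggests: `watch iptables -xvnL FORWARD`.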