Bug 230433
Field | Value | Field | Value
---|---|---|---
Summary: | /etc/xen/scripts/vif-bridge shouldn't call handle_iptable | |
Product: | [Fedora] Fedora | Reporter: | Jarkko <jval>
Component: | xen | Assignee: | Xen Maintainance List <xen-maint>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Martin Jenner <mjenner>
Severity: | high | Docs Contact: |
Priority: | medium | |
Version: | 7 | CC: | bstein, katzj
Target Milestone: | --- | Keywords: | Reopened
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Linux | |
URL: | http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=914 | |
Whiteboard: | | |
Fixed In Version: | 3.1.2-2.fc7 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2008-03-03 07:38:45 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description (Jarkko, 2007-02-28 20:36:55 UTC)

The vif-bridge script comes from upstream xen-devel. In the context of Fedora there are 3 possibilities:

a) no firewall rules: the extra rules don't allow any traffic which wasn't already allowed

b) standard Fedora firewall rules: there is a catch-all 'REJECT' rule in the RH-Firewall-1-INPUT, which gets processed before the rules added by vif-bridge, so there's no issue there.

c) custom user-added firewall rules: if relying on chain policy to DROP/REJECT any non-matching packets then the vif-network rules will open up an undesirable channel. If there is an explicit DROP/REJECT rule, then this should prevent the vif-network rules matching.

So there is a flaw because of the vif-bridge script, but it only hits if the user has custom firewall rules. Will figure out a patch for the next update of Xen RPMs.

The patch should just simply remove the handle_iptable line because iptables is not needed for bridging (and iptables forwarding rules don't even affect how the bridge works).

From "Objectives of Fedora": "To do as much of the development work as possible directly in the upstream packages." So, here we go: http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=914

change QA contact

This report targets FC6, which is now end-of-life. Please re-test against Fedora 7 or later, and if the issue persists, open a new bug. Thanks

Actually this bug targets rawhide. And this issue was found in F7. I assume this has not been fixed because the upstream bug is still marked as NEW. (Which is weird by the way. Such an easy fix and they have not even taken the issue under work...) I'm reopening this bug because F7 is not end-of-life yet.

I believe this is fixed in rawhide, but need to double-check.

xen-3.1.2-2.fc7.src.rpm (latest xen in stable F7 updates):

```
grep handle_iptable SOURCES/xen-net-bridge.patch
-handle_iptable
```

So yes, it is fixed in Fedora - even in F7. Closing the bug now. The "Fixed in version" in this case means "Fixed at least in version". :)
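As an added example (not code from the bug report, the Fedora package or Xen), the script below classifies an iptables-save dump into the three cases laid out in the description, so an administrator can check which one a given ruleset falls into. It assumes that handle_iptable appends (-A) its ACCEPT rules to the end of the FORWARD chain; the RH-Firewall-1-INPUT sample dump is constructed, not copied from a real system.

```python
# Added example, not code from the bug report or the Xen package. It classifies
# an iptables-save dump into the bug's three cases, assuming vif-bridge's
# handle_iptable appends (-A) its ACCEPT rules to the end of FORWARD.
def parse_filter_table(dump):
    """Return ({chain: policy}, {chain: [rules]}) for the *filter table."""
    policies, rules, in_filter = {}, {}, False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif in_filter and line.startswith("-A "):
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules

def is_catch_all(rule, rules, depth=0):
    """True if every packet reaching this rule is terminated: an unconditional
    -j DROP/REJECT, or an unconditional jump into a user chain containing one
    (the Fedora RH-Firewall-1-INPUT pattern the bug describes as case b)."""
    tokens = rule.split()
    if depth > 8 or len(tokens) < 4 or tokens[2] != "-j":
        return False  # match options present or no target: not a catch-all
    target = tokens[3]
    if target in ("DROP", "REJECT"):
        return True
    return any(is_catch_all(r, rules, depth + 1) for r in rules.get(target, []))

def classify_forward(dump):
    """'shadowed': a catch-all precedes the appended rules (case b, harmless);
    'policy-bypass': filtering relies on the chain policy, so appended ACCEPTs
    match first (case c, opens an unintended channel); 'no-effect': case a."""
    policies, rules = parse_filter_table(dump)
    if any(is_catch_all(r, rules) for r in rules.get("FORWARD", [])):
        return "shadowed"
    if policies.get("FORWARD", "ACCEPT") in ("DROP", "REJECT"):
        return "policy-bypass"
    return "no-effect"

# Constructed dump modelled on the stock Fedora ruleset (case b).
FEDORA_DEFAULT = """*filter
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT"""
```

Feed it the output of `iptables-save`; a result of `policy-bypass` is the configuration in which rules appended by the old vif-bridge would be matched before the chain policy.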