[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] Xen bridge acting weird -- fixed

To: xen-users@xxxxxxxxxxxxxxxxxxx
From: Matthew Palmer <mpalmer@xxxxxxxxxxx>
Date: Thu, 3 Nov 2005 12:49:20 +1100
Delivery-date: Thu, 03 Nov 2005 01:47:09 +0000
List-id: Xen user discussion <xen-users.lists.xensource.com>

[Threading was done manually; I hope it worked]

I think I've fixed the problem, since I've just been trying to do the same
bridge-fiddling on another (simpler) setup, and I think it's a problem with
the antispoof protection.  One of the things it does on the dom0 is:

iptables -P FORWARD DROP

which naturally makes IP packets much harder to get from place to place. 
Unfortunately, the associated rule to allow certain packets fails on my
system with a "iptables: No chain/target/match by that name", so the network
on my dom0 effectively goes "none shall pass" and it's game over.  The
reason, of course, that ARP still runs through is because it's not IP, and
therefore iptables has nothing to do with it.

The fix?  Run your network scripts with antispoof=no, or clear up the
forward policy stuff with:

iptables -P FORWARD ACCEPT

Of course, if you have any sort of actual firewalling happening on your
machines, this will probably not be a wise move, but on simple systems with
normally-permissive networking, this works fine.

- Matt

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

References:
- [Xen-users] Xen bridge acting weird
  - From: Matthew Palmer

Prev by Date: [Xen-users] Xen bridge acting weird
Next by Date: [Xen-users] Xen driver domain...character device?
Previous by thread: [Xen-users] Xen bridge acting weird
Next by thread: [Xen-users] Xen driver domain...character device?
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.