Re: [Xen-users] so close! just an iptables rule away.....?
Hi,

# iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in  out source     destination
 8216  809K RH-Firewall-1-INPUT  all  --  *   *   0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT               all  --  *   *   0.0.0.0/0  0.0.0.0/0   PHYSDEV match --physdev-in eth1 ! --physdev-out eth1
    0     0 ACCEPT               all  --  *   *   0.0.0.0/0  0.0.0.0/0   PHYSDEV match ! --physdev-in eth1 --physdev-out eth1

The big problem is in the FORWARD chain: the first rule in this chain says jump to the chain RH-Firewall-1-INPUT, and then the subsequent rules are ignored. So, for instance, in my example system my domU is on bridged interface vif3.0; in order to add the ACCEPT iptables line *before* the jump to RH-Firewall I had to drop that rule and then insert it back in.

    iptables -D FORWARD -j RH-Firewall-1-INPUT
    iptables -A FORWARD -m physdev --physdev-in vif3.0 -j ACCEPT
    iptables -A FORWARD -j RH-Firewall-1-INPUT

Same basic approach for you, just make sure your rules come before the jump, or drop that rule and then add it back in after the rule changes are done. I modified my /etc/xen/scripts/vif-common.sh to do this for me. The patch appeared in my last post.

-Mike

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
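The ordering problem Mike describes can also be solved without deleting and re-adding the RH-Firewall-1-INPUT jump: iptables accepts a rule number with -I, so the ACCEPT can be inserted at the jump's own position, which pushes the jump down by one. The script below is an added example, not code from Mike's post or from Xen's vif-common.sh; the function names (allow_vif_forward, jump_position), the FW_CHAIN variable and the IPTABLES override are this example's own. It assumes an iptables new enough for -C (1.4.11 or later) for the idempotence check, which matters because a vif hook runs every time a domU starts. As in the post's rule, only frames entering the bridge from the vif are accepted; traffic heading towards the domU still goes through RH-Firewall-1-INPUT.

```shell
#!/bin/sh
# Added example (not from the original post or Xen's vif-common.sh):
# place a per-vif ACCEPT ahead of the RH-Firewall-1-INPUT jump in FORWARD
# using "iptables -I FORWARD <n>" instead of deleting and re-adding the jump.
# allow_vif_forward, jump_position and FW_CHAIN are names chosen for this example.

IPTABLES="${IPTABLES:-iptables}"            # override with a wrapper for a dry run
FW_CHAIN="${FW_CHAIN:-RH-Firewall-1-INPUT}"

# Read `iptables -S FORWARD` output on stdin and print the 1-based position of
# the first FORWARD rule that jumps to chain $1; print nothing if there is none.
# `-S` lists rules as the commands that would recreate them, e.g.
#   -A FORWARD -j RH-Firewall-1-INPUT
jump_position() {
    awk -v chain="$1" '
        /^-A FORWARD / { n++ }
        /^-A FORWARD / && $(NF-1) == "-j" && $NF == chain { print n; exit }
    '
}

# Accept frames entering the bridge from $1 (a vifN.M) before the firewall
# chain gets a chance to drop them. Idempotent: -C (iptables >= 1.4.11) checks
# whether an identical rule is already present.
allow_vif_forward() {
    vif="$1"
    if "$IPTABLES" -C FORWARD -m physdev --physdev-in "$vif" -j ACCEPT 2>/dev/null; then
        return 0
    fi
    pos=$("$IPTABLES" -S FORWARD | jump_position "$FW_CHAIN")
    if [ -n "$pos" ]; then
        # Insert at the jump's position; the jump moves down to pos+1.
        "$IPTABLES" -I FORWARD "$pos" -m physdev --physdev-in "$vif" -j ACCEPT
    else
        # No jump to the firewall chain in FORWARD: ordering is moot, so append.
        "$IPTABLES" -A FORWARD -m physdev --physdev-in "$vif" -j ACCEPT
    fi
}

# Usage from a vif-common.sh-style hook, where $vif is e.g. vif3.0:
#   allow_vif_forward "$vif"
```

Setting IPTABLES to a wrapper that echoes its arguments (or to a shell function) lets you see the exact rule insertion a hook would perform before giving the script to a running dom0; the -C check and the -S listing are the only places the script reads firewall state, so both are easy to fake for such a dry run.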