
[Xen-users] conntrack not working as soon as network-bridge is renamed?
Hi -

Since I upgraded from xen 3.0.2 to 3.0.3, I cannot get conntrack working on dom0 as soon as the network bridge is not named "xenbr0".

Conntrack and everything related to netfilter are built into the kernel (not as modules).

Netfilter seems to work fine from any domU.

In xend-config.sxp I have the following:

(network-script 'network-bridge bridge=xenbrE')
(vif-script vif-bridge)
(dom0-min-mem 128)
(dom0-cpus 0)

I have a very basic firewall script setup on dom0:

iptables -F

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I have observed that:

- ping from dom0 to the rest of the world doesn't work: the icmp-reply frames are dropped somewhere...

- ssh from the rest of the world to the dom0 does not work.

But:

- if I add an "--icmp-type echo-reply" ACCEPT iptables rule, I can ping to anywhere from the dom0.

- if I remove "-m state --state NEW" from the SSH rule, then I can connect to the SSH server of the dom0.

- if I do not rename xenbr0 to xenbrD in xend-config.sxp, then everything works fine again. I wonder why this setup was OK with Xen 3.0.2, which I had used for months before, and not anymore with v3.0.3.

Any idea?

Kind regards,
--
Olivier Le Cam
Département des Technologies de l'Information et de la Communication
CRDP de l'académie de Versailles

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users