
Re: [Xen-users] Xen and IPtables


  • To: Xen List <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
  • Date: Thu, 30 Apr 2009 19:27:50 +0700
  • Delivery-date: Thu, 30 Apr 2009 05:28:35 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On Thu, Apr 30, 2009 at 3:27 PM, James Clemence
<jamesvclemence@xxxxxxxxxxxxxx> wrote:
> I have been able to filter for the domUs via the forward chain taking out
> the packets to each domU to a specific chain for that domU, and then handle
> the packets with ACCEPT/DROP, as per usual.
>
> -m physdev  --physdev-in peth0 --physdev-out vif${DOMUID}.0 -j <DOMU chain>
>
> However, I blanked on where to get hold of the traffic to the dom0? Does
> that go to FORWARD too? Or does it simply hit INPUT?

Shouldn't that be basic iptables stuff?
If dom0 is not a router, INPUT should be enough. If it's a firewall or
router, packets going through dom0 will be on FORWARD.

As a side note, if you want to prevent iptables managing bridge
traffic altogether you might want to use

net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

on /etc/sysctl.conf, and run "sysctl -p" afterwards.

Regards,

Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
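The layout discussed in the thread, as an added example that is not code from either poster: a per-domU chain reached from FORWARD through the physdev match, dom0's own traffic handled on INPUT, and a check of the bridge-nf-call knobs Fajar mentions. It assumes the bridge's physical port is peth0 and that vifN.0 is domU N's first interface; rules are printed rather than applied so it runs anywhere.

```shell
#!/bin/sh
# Added example: emit the iptables rules described in the thread for one domU
# (per-domU chain hooked from FORWARD via the physdev match) and for dom0
# itself (INPUT). Rules are printed, not applied; on dom0 pipe the output to
# sh to apply them. Assumptions: peth0 is the bridge's physical port and
# vif<domid>.0 is the guest's first vif.

PIF=${PIF:-peth0}

# domu_rules <domid> [tcp ports to allow...]: frames from the wire to vif<domid>.0
domu_rules() {
    id=$1; chain="domU_$id"; shift
    echo "iptables -N $chain"
    echo "iptables -A FORWARD -m physdev --physdev-in $PIF --physdev-out vif${id}.0 -j $chain"
    echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in "$@"; do
        echo "iptables -A $chain -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A $chain -j DROP"   # default deny for this guest
}

# dom0_rules [tcp ports to allow...]: traffic addressed to dom0 arrives on INPUT
dom0_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

# bridge_nf_status [dir]: read the bridge-nf-call-* knobs (default /proc/sys/net/bridge).
# Prints "filtered" if iptables still sees bridged frames, "passthrough" if all are 0.
bridge_nf_status() {
    dir=${1:-/proc/sys/net/bridge}; on=0
    for f in arptables ip6tables iptables; do
        if [ "$(cat "$dir/bridge-nf-call-$f" 2>/dev/null)" = "1" ]; then on=1; fi
    done
    if [ "$on" = 1 ]; then echo filtered; else echo passthrough; fi
}

domu_rules 3 22 80
dom0_rules 22
```

If bridge_nf_status reports passthrough, the FORWARD rules above never see bridged guest traffic, which is exactly the trade-off the side note describes.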


 

