
Re: [Xen-users] Antispoof and HVM [SOLVED]



Solved the problem. In the HVM domU case, an iptables rule for the corresponding tap interface should be added:

 :INPUT ACCEPT [3126:359694]
 :FORWARD DROP [974:187815]
 :OUTPUT ACCEPT [973:266082]

 -A FORWARD -m physdev  --physdev-in peth1 -j ACCEPT
 -A FORWARD -m physdev  --physdev-in vif60.0 -j ACCEPT
 -A FORWARD -m physdev  --physdev-in tap60.0 -j ACCEPT

Andrey wrote:
Hello,

Does the antispoof mechanism work in network-bridge with HVM domUs?

It seems not. The following iptables rules were added after starting an HVM domU with FreeBSD:

:INPUT ACCEPT [3126:359694]
:FORWARD DROP [974:187815]
:OUTPUT ACCEPT [973:266082]

-A FORWARD -m physdev  --physdev-in peth1 -j ACCEPT
-A FORWARD -m physdev  --physdev-in vif60.0 -j ACCEPT

peth1 is the physical interface on dom0 which is connected to the eth1 bridge; vif60.0 is the domU interface. After starting the HVM domU it is inaccessible via the network.

If I change the default policy of the FORWARD chain to ACCEPT, everything is fine. With PV domUs the current antispoof scheme works fine.

Where is the problem?

With regards, Andrey

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users



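The fix above works because an HVM guest's emulated NIC is plugged into the bridge by qemu-dm through tapN.0, not through vifN.0, so with FORWARD defaulting to DROP its traffic never matches the per-vif ACCEPT rule. The following script is an added example, not code from this thread or from Xen's own vif-common.sh: it generates the two FORWARD rules a domain needs (vif and tap) and checks an iptables-save listing for the exact gap Andrey hit. Interface names vif<domid>.0 and tap<domid>.0 follow the post; the optional source-IP argument is an assumption for a stricter rule, since the rules shown in the thread accept everything that enters through those interfaces regardless of source address. The sample ruleset inside the script is constructed from the listing in the question.

```shell
#!/bin/sh
# Added example (not from the original post or from Xen's vif-common.sh).
# Generates the FORWARD rules an HVM domU needs under the antispoof scheme
# discussed above: one ACCEPT for the PV vif and one for the qemu tap.

# gen_forward_rules DOMID [SRC_IP]
#   Prints iptables-restore style rules for vif<DOMID>.0 and tap<DOMID>.0.
#   SRC_IP (assumed, not shown in the thread) adds a "-s" match so the
#   guest can only forward packets from its own address.
gen_forward_rules() {
    domid=$1
    src=${2:-}
    for dev in "vif$domid.0" "tap$domid.0"; do
        if [ -n "$src" ]; then
            printf '%s\n' "-A FORWARD -m physdev --physdev-in $dev -s $src -j ACCEPT"
        else
            printf '%s\n' "-A FORWARD -m physdev --physdev-in $dev -j ACCEPT"
        fi
    done
}

# missing_tap_rule DOMID RULESET
#   Returns 0 when RULESET (iptables-save text) accepts vif<DOMID>.0 but
#   has no matching ACCEPT for tap<DOMID>.0, i.e. the situation in the post
#   where the HVM guest is unreachable. Returns 1 otherwise.
missing_tap_rule() {
    domid=$1
    rules=$2
    printf '%s\n' "$rules" | grep -q -- "--physdev-in vif$domid.0 " || return 1
    printf '%s\n' "$rules" | grep -q -- "--physdev-in tap$domid.0 " && return 1
    return 0
}

# Constructed sample: the FORWARD rules from the original question (vif only).
SAMPLE_RULES='-A FORWARD -m physdev  --physdev-in peth1 -j ACCEPT
-A FORWARD -m physdev  --physdev-in vif60.0 -j ACCEPT'

# Usage: report the gap for domain 60 and print the rules that close it.
# On a real dom0 the sample would come from `iptables-save -t filter`.
if missing_tap_rule 60 "$SAMPLE_RULES"; then
    echo "dom 60: vif rule present but tap rule missing; rules to add:"
    gen_forward_rules 60
fi
```

Feeding the generated lines to iptables-restore (or running each as an `iptables` command) on dom0 reproduces the solved state from the reply; adding the source-IP argument is the tighter variant, because a physdev-in ACCEPT alone does not stop the guest from spoofing another address.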

