
[Xen-users] Xen bridge + iptables FORWARD


  • To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: Martin Goldman <me@xxxxxxxxxxxx>
  • Date: Tue, 20 Jul 2010 10:16:57 -0400
  • Delivery-date: Tue, 20 Jul 2010 07:24:22 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi all,

I have Xen 3.2 newly installed on Lenny with network bridging configured. When I built my first VM, I found it couldn't connect to the Internet. This turned out to be because my dom0's iptables was configured to DROP all packets on the FORWARD chain (when I removed that, it started working).

The "Xen Networking" page on the wiki describes this exact situation (http://wiki.xensource.com/xenwiki/XenNetworking#head-602e26cd4a03b992f3938fe1bea03fa0fea0ed8b) and suggests adding the following iptables rules:

iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0  -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT
This, however, did not work for me. I have 2 questions about this:

1. The description of what this is supposed to do is "allowing packet forwarding (at the iptables level) between the external physical interface and the vifs for the guests". But in the diagram, it looks like the external physical interface is peth0, not eth0. Am I misunderstanding something, or should eth0 in the rules above actually be peth0?

2. Just for fun, I tried changing eth0 in the rules above to peth0, based on the reasoning above. That actually seemed to work. But now my syslog is getting flooded with messages like this, which makes me wonder if I'm barking up the wrong tree entirely:
physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.

To my surprise, I haven't been able to find any resource aside from the wiki page mentioned above that discusses the best practice for disabling forwarding on the dom0 except what's required for Xen bridging. If anybody has any thoughts on how to achieve this, it'd be much appreciated.

Best regards,
Martin Goldman
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
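The setup the post asks about, as an added example (not part of the original message, the Xen wiki, or the Xen project's scripts): a dom0 FORWARD chain that defaults to DROP and accepts only traffic that is actually bridged between the physical port and the guest vifs. The physdev match operates on bridge ports, which under the Xen 3.x network-bridge script are the renamed physical NIC (peth0) and the vifN.M interfaces, so the example assumes PHYS_IF=peth0 and a vif+ wildcard; both are assumptions and can be overridden through the environment. Every --physdev-out rule carries --physdev-is-bridged, because the kernel emits the "non-bridged traffic is not supported anymore" warning precisely when --physdev-out is used in FORWARD without that flag. The script only prints the rules unless invoked with apply, so the ruleset can be reviewed first.

```bash
#!/bin/sh
# Added example, not from the original post or the Xen wiki.
# Assumptions (labelled): the bridge's physical port is peth0 and guest
# ports match vif+ (vifN.M); override via PHYS_IF / VIF_PATTERN.
PHYS_IF="${PHYS_IF:-peth0}"
VIF_PATTERN="${VIF_PATTERN:-vif+}"

# Emit the FORWARD-chain rules as text so they can be reviewed (or diffed
# against the running ruleset) before anything is applied.
forward_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $PHYS_IF --physdev-out $VIF_PATTERN -j ACCEPT
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $VIF_PATTERN --physdev-out $PHYS_IF -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "dom0-fwd-drop: "
EOF
}

# Count rules that use --physdev-out without --physdev-is-bridged; any such
# rule is what triggers the kernel's "non-bridged traffic" syslog warning.
# Returns (prints) 0 for the ruleset above.
unbridged_physdev_out() {
  forward_rules | grep -- '--physdev-out' | grep -vc -- '--physdev-is-bridged' || true
}

# Apply each generated rule in order (needs root and the iptables binary).
apply_rules() {
  forward_rules | while IFS= read -r rule; do
    sh -c "$rule"
  done
}

case "${1:-}" in
  apply) apply_rules ;;
  *) forward_rules ;;
esac
```

Guest-to-guest traffic (vif+ to vif+) is deliberately not accepted here; add a third physdev rule if domUs on the same bridge need to talk to each other. The final LOG rule is rate-limited so a misconfigured guest cannot flood syslog the way the physdev warning in the post did.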
