[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-users] Xen 3.4.2 networking help

  • To: "Simon Hobson" <linux@xxxxxxxxxxxxxxxx>, <Xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
  • Date: Wed, 27 Oct 2010 11:12:23 +0100
  • Cc:
  • Delivery-date: Wed, 27 Oct 2010 03:13:36 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: Act1vg5+GztQxPPPQcyb4JfRWrKlrAAAIV8+
  • Thread-topic: [Xen-users] Xen 3.4.2 networking help


>Yes, "-o ethx" is indeed a device match, but it works differently to
>physdev, which really only works well on fordwarded traffic
>(Although I think it is supposed to work on all bridged traffic)

I'll bow to your significantly greater knowledge in this area ! But
the penny drops now, is ethx a real port or a bridge port ? I'll
hazzard a guess filtering output to the bridge interface (eg br0)
would be handled differently to filtering output to a specific port
on the bridge.

>Can you please post a link to information about this? I can't find
>anything on Google about this.

This for starters :
>As described above, Shorewall bridge support requires the physdev
>match feature of Netfilter/iptables. Physdev match allows rules to
>be triggered based on the bridge port that a packet arrived on
>and/or the bridge port that a packet will be sent over. The latter
>has proved to be problematic because it requires that the evaluation
>of rules be deferred until the destination bridge port is known.
>This deferral has the unfortunate side effect that it makes IPSEC
>Netfilter filtration incompatible with bridges. To work around this
>problem, in kernel version 2.6.20 the Netfilter developers decided
>to remove the deferred processing in two cases:
>       *       When a packet being sent through a bridge entered the
>firewall on another interface and was being forwarded to the bridge.
>       *       When a packet originating on the firewall itself is
>being sent through a bridge.

Hmm that's interesting. I guess my general rule of thumb is that I only ever use physdev--in and physdev--out for traffic which is on the FORWARD chain (specifically for DomU which have public IPs assigned to them). I'm a little confused about what "When a packet being sent through a bridge entered the firewall on another interface and was being forwarded to the bridge." means. Does that sentence mean that traffic destined for the INPUT chain of the firewall?
I would agree that I don't think using physdev to specify a specific bridge port works for the OUTPUT chain. In my example above, "-o ethx" would be e.g. br0. I guess that since my Dom0 is not used by untrusted parties, then I don't have a need to filter by specific bridge (i.e. real) port.
Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.