
[Xen-users] vif-common.sh and iptables

Hey everyone,

I have a question about vif-common.sh. I run multiple bridges attached
to dummy interfaces, which allow me to put guests in separate subnets
(routed through the dom0). As you might expect I already have quite
extensive iptables scripts to accommodate this kind of routing.

I was just hoping someone on this list can confirm that I understand
what the iptables lines in vif-common.sh actually do:

> iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
>   2>/dev/null &&
> iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
>   --physdev-out "$vif" -j ACCEPT 2>/dev/null

From what I can tell the goal of these lines is to allow networking even
if the default FORWARD policy is DENY, am I right? Is there any
additional side-effect if I comment these lines out in vif-common.sh,
that I'm not considering?


Dmitry Nedospasov <dmitry@xxxxxxxxx> -- Twitter: @nedos
Web: http://nedos.net -- Github: http://github.com/nedos
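The two quoted lines are the body of frob_iptable in vif-common.sh: the first accepts forwarded frames arriving from the guest's vif (the extra "$@" is where vif-common.sh passes a -s <address> match when the guest has an ip= setting, so the guest can only source its configured addresses), the second accepts RELATED,ESTABLISHED replies going back out to that vif. With a DROP policy on FORWARD, a vif that lacks either rule depends entirely on the administrator's own rules for that direction. The following audit script is an added example, not code from the original post or from Xen; it parses the text of `iptables -S FORWARD` (the dump below is constructed, with vif1.0 holding both rules, vif2.0 only the inbound one, and vif3.0 neither) and reports, per vif, which of the two rules is present.

```python
"""Audit a dumped FORWARD chain for the per-vif rules that Xen's
vif-common.sh (frob_iptable) installs for each guest interface.

Added example, not code from the original post or from Xen. It works on
the text of `iptables -S FORWARD` (or the FORWARD section of an
iptables-save dump), so it can be run against a saved dump offline.
"""
import json
import shlex

# Constructed sample of `iptables -S FORWARD` on a dom0 with three guests:
# vif1.0 has both vif-common.sh rules (with an ip= source restriction),
# vif2.0 has only the inbound rule (as if the physdev-out line had been
# commented out), vif3.0 has neither.
SAMPLE_DUMP = """\
-P FORWARD DROP
-A FORWARD -s 192.0.2.10/32 -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -i dummy0 -o eth0 -j ACCEPT
"""


def parse_rule(line):
    """Extract the fields we care about from one `-A FORWARD ...` line."""
    toks = shlex.split(line)
    rule = {"physdev_in": None, "physdev_out": None, "states": set(),
            "target": None, "source": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "--physdev-in":
            rule["physdev_in"] = toks[i + 1]
            i += 2
        elif t == "--physdev-out":
            rule["physdev_out"] = toks[i + 1]
            i += 2
        elif t in ("--state", "--ctstate"):  # -m state or -m conntrack spelling
            rule["states"] = set(toks[i + 1].split(","))
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif t in ("-s", "--source"):
            rule["source"] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def audit_forward(dump, vifs):
    """Return the chain policy and, per vif, whether each frob_iptable rule is present."""
    policy = None
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-P FORWARD"):
            policy = line.split()[2]
        elif line.startswith("-A FORWARD"):
            rules.append(parse_rule(line))

    report = {"policy": policy, "vifs": {}}
    for vif in vifs:
        inbound = [r for r in rules
                   if r["physdev_in"] == vif and r["target"] == "ACCEPT"]
        replies = [r for r in rules
                   if r["physdev_out"] == vif and r["target"] == "ACCEPT"
                   and {"RELATED", "ESTABLISHED"} <= r["states"]]
        report["vifs"][vif] = {
            "inbound_accept": bool(inbound),
            # Source restrictions are what vif-common.sh adds via "$@" for ip=.
            "inbound_sources": sorted(r["source"] for r in inbound if r["source"]),
            "reply_accept": bool(replies),
            # With a DROP policy, a vif lacking either rule is carried only
            # by whatever other FORWARD rules the administrator maintains.
            "relies_on_other_rules": policy == "DROP" and not (inbound and replies),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(audit_forward(SAMPLE_DUMP, ["vif1.0", "vif2.0", "vif3.0"]), indent=2))
```

On a live dom0 the dump would come from `iptables -S FORWARD` and the vif list from `ls /sys/class/net | grep '^vif'`; the script only reads text, so it does not need root when run against a saved dump.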
