[Xen-users] vif-common.sh and iptables
Hey everyone,

I have a question about vif-common.sh. I run multiple bridges attached on dummy interfaces, which allow me to put guests in separate subnets (routed through the dom0). As you might expect, I already have quite extensive iptables scripts to accommodate this kind of routing. I was just hoping someone on this list can confirm that I understand what the iptables lines in vif-common.sh actually do:

> iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
>   2>/dev/null &&
> iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
>   --physdev-out "$vif" -j ACCEPT 2>/dev/null

From what I can tell, the goal of these lines is to allow networking even if the default FORWARD policy is DENY, am I right? Is there any additional side-effect if I comment these lines out in vif-common.sh that I'm not considering?

Thanks,
D.

--
Dmitry Nedospasov <dmitry@xxxxxxxxx>
Twitter: @nedos
Web: http://nedos.net
Github: http://github.com/nedos
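An added example, not part of the original post or of Xen's scripts: a shell function that reads `iptables-save` output and reports the filter table's FORWARD policy together with how many ACCEPT rules of the two forms quoted above exist for a given vif. The rule dumps, bridge names and vif names below are constructed sample data.

```sh
#!/bin/sh
# Added example: audit iptables-save output for per-vif FORWARD rules of the
# two forms quoted in the post. On a live dom0 the input would come from:
#   iptables-save | audit_vif_rules vif1.0

audit_vif_rules() {
    # $1: vif name; stdin: iptables-save text
    awk -v vif="$1" '
        /^\*/ { table = substr($0, 2) }          # "*filter", "*mangle", ...
        table != "filter" { next }               # only the filter table counts
        $1 == ":FORWARD" { policy = $2 }         # chain default policy
        $1 == "-A" && $2 == "FORWARD" {
            accept = 0; dir = ""; est = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
                if ($i == "--physdev-in" && $(i+1) == vif) dir = "in"
                if ($i == "--physdev-out" && $(i+1) == vif) dir = "out"
                if ($i == "--state" && $(i+1) ~ /ESTABLISHED/) est = 1
            }
            if (accept && dir == "in") nin++             # traffic from the guest
            if (accept && dir == "out" && est) nout++    # replies to the guest
        }
        END { printf "policy=%s in=%d out=%d\n", policy, nin, nout }
    '
}

# Constructed sample: both per-vif rules present for vif1.0.
sample_with_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -i br1 -o br2 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: no per-vif ACCEPT rule for vif2.0 in the filter table.
sample_without_rules() {
    cat <<'EOF'
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j DROP
COMMIT
EOF
}

sample_with_rules | audit_vif_rules vif1.0
sample_without_rules | audit_vif_rules vif2.0
```

When the counts are zero and the policy is not ACCEPT, forwarding for that vif depends entirely on the other rules in the chain, such as the constructed bridge-to-bridge rule in the first sample.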