|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-users] vif-common.sh and iptables
Hi Dmitry, Dmitry Nedospasov wrote: I have a question about vif-common.sh. I run multiple bridges attached on dummy interfaces, which allow me to put guests in seperate subnets (routed through the dom0). As you might expect I already have quite extensive iptables scripts to accomidate this kind of routing. I was just hoping someone on this list can confirm, that I understand what the iptables lines in vif-common.sh actually do:iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \ 2>/dev/null && iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \ --physdev-out "$vif" -j ACCEPT 2>/dev/nullFrom what i can tell the goal of these lines is to allow networking evenif the default FORWARD policy is DENY, am I right? Is there any additional side-effect if I comment these lines out in vim-common.sh, that I'm not considering? That caused me issues and those settings were in place due to "anti-spoofing" setup. I dropped anti-spoofing to "fix" my setup somewhat. Until I did that, I couldn't get to the DomU machines directly via the bridged interface. Now I can get through, but there are still issues that are not resolved [1] -- sometimes I connect, sometimes I don't; I really need a fix for this. [1] http://comments.gmane.org/gmane.comp.emulators.xen.user/66214 -- Kind Regards AndrewM Andrew McGlashan Broadband Solutions now including VoIP _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |