
Re: [Xen-users] vif-common.sh and iptables

  • To: Andrew McGlashan <andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx>
  • From: Teck Choon Giam <giamteckchoon@xxxxxxxxx>
  • Date: Wed, 27 Apr 2011 08:45:11 +0800
  • Cc: Dmitry Nedospasov <dmitry@xxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 26 Apr 2011 17:46:31 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On Tue, Apr 26, 2011 at 8:19 PM, Andrew McGlashan
<andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi Dmitry,
> Dmitry Nedospasov wrote:
>> I have a question about vif-common.sh. I run multiple bridges attached
>> on dummy interfaces, which allow me to put guests in separate subnets
>> (routed through the dom0). As you might expect I already have quite
>> extensive iptables scripts to accommodate this kind of routing.
>> I was just hoping someone on this list can confirm that I understand
>> what the iptables lines in vif-common.sh actually do:
>>> iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
>>>  2>/dev/null &&
>>> iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
>>>  --physdev-out "$vif" -j ACCEPT 2>/dev/null
>> From what I can tell the goal of these lines is to allow networking even
>> if the default FORWARD policy is DENY, am I right? Is there any
>> additional side-effect if I comment these lines out in vif-common.sh,
>> that I'm not considering?
> That caused me issues and those settings were in place due to
> "anti-spoofing" setup.
> I dropped anti-spoofing to "fix" my setup somewhat.  Until I did that, I
> couldn't get to the DomU machines directly via the bridged interface.
> Now I can get through, but there are still issues that are not resolved [1]
> -- sometimes I connect, sometimes I don't; I really need a fix for this.
> [1]  http://comments.gmane.org/gmane.comp.emulators.xen.user/66214

Are you looking for a patch to support the anti-spoof feature for tap
devices?  If so, which Xen version are you looking for?  I have
patches to support tap devices when the anti-spoof feature is enabled.


Kindest regards,
Giam Teck Choon

P.S. Sorry, previous mail I forgot to click "Reply-All" :(
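To make the effect of the quoted rules concrete, here is an added dry-run rendering of them; it is an illustration written for this thread, not code from vif-common.sh or from anyone on the list. It assumes IPTABLES is pointed at `echo iptables` so the rules are printed rather than installed, and it follows what the stock script does around the quoted lines: with a FORWARD policy of DROP the two rules are what lets a guest's traffic through at all, and when the domain has an ip= setting the first rule is narrowed with `-s <addr>` per address (via "$@"), which is the anti-spoofing that Andrew had to drop.

```shell
#!/bin/sh
# Constructed dry run of the per-vif FORWARD rules vif-common.sh installs.
# IPTABLES defaults to "echo iptables" so nothing on the host is touched.
IPTABLES="${IPTABLES:-echo iptables}"

# frob_rules <online|offline> <vif> [extra match args...]
# The two rules quoted in the thread: "$c" is -A when the vif comes online
# and -D when it goes offline. Extra args (e.g. -s 10.0.0.5) narrow the
# inbound rule; the RELATED,ESTABLISHED rule toward the vif stays as is.
frob_rules() {
  cmd="$1"; vif="$2"; shift 2
  if [ "$cmd" = "online" ]; then c="-A"; else c="-D"; fi
  $IPTABLES "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT &&
  $IPTABLES "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
    --physdev-out "$vif" -j ACCEPT
}

# vif_rules <online|offline> <vif> [ip ...]
# With addresses: one source-restricted ACCEPT per address (anti-spoofing)
# plus a DHCP client exception. Without: an unrestricted ACCEPT for the vif.
vif_rules() {
  cmd="$1"; vif="$2"; shift 2
  if [ $# -gt 0 ]; then
    for addr in "$@"; do
      frob_rules "$cmd" "$vif" -s "$addr"
    done
    # Always let the domain reach a DHCP server.
    frob_rules "$cmd" "$vif" -p udp --sport 68 --dport 67
  else
    frob_rules "$cmd" "$vif"
  fi
}

# count_rules <online|offline> <vif> [ip ...]: number of rules emitted
count_rules() {
  vif_rules "$@" | wc -l | tr -d ' '
}

# Demonstration: a guest with two addresses on vif3.0 gets 6 rules
# (2 per address + 2 for DHCP); an unrestricted guest gets 2.
vif_rules online vif3.0 10.0.0.5 10.0.0.6
```

Commenting the rules out of the real script leaves a guest with ip= set no longer source-restricted, and with a DROP policy on FORWARD leaves it with no forwarding at all.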
