This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] Communication between Domain0 and Domain1

To: xen-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Communication between Domain0 and Domain1
From: Chris Andrews <chris@xxxxxxxxxx>
Date: Mon, 19 Jul 2004 11:13:33 +0100
Delivery-date: Mon, 19 Jul 2004 11:16:06 +0100
Envelope-to: steven.hand@xxxxxxxxxxxx
In-reply-to: <E1BmUcd-0002ZH-00@xxxxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
References: <E1BmUcd-0002ZH-00@xxxxxxxxxxxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 0.7 (X11/20040615)
> I haven't looked real close at the bridge config/script so I don't know if it handles downing a VM gracefully; iptables isn't very good at dynamically removing rules. You have to know what order they went in to be able to remove it in the order it was created. i.e. you can create a rule by saying "from source IP such and destination IP such, do thusly" but you can't remove it with the same terminology, you have to say "remove rule number twelve." So bringing up a VIP and assigning an eth0 alias and creating a NAT rule is pretty easy, but there's no graceful way to handle removing the NAT rule if you want to down the VM/VIP.

I'm not sure that's the case. If you've added a rule with -A, specifying the syntax, you can remove it by specifying -D and the same syntax. It'll remove one rule that exactly matches the syntax you specify to -D.

I often use this to drop a LOG rule in temporarily:

# iptables -A INPUT -j LOG

... stuff happens ...

# iptables -D INPUT -j LOG

This is in addition to the -D <rule number> behaviour, which is indeed a real pain to use.
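A shell sketch of the symmetric add/remove pattern the reply describes, as an added example that is not part of the original mail: the rule specification lives in one function so the identical words go to -A when the VM comes up and to -D when it goes down. The VIP and guest addresses, the eth0 alias, and the DNAT target are assumptions; by default the script only echoes the commands, so it runs without root.

```shell
#!/bin/sh
# Added example (not from the thread): keep the NAT rule for a VM's VIP in one
# spec function so the same words go to -A on VM start and to -D on VM stop.
# No rule numbers need to be tracked, which is the point made in the reply.
# Dry-run by default; set IPT=iptables and IP=ip to actually apply the changes.
: "${IPT:=echo iptables}"
: "${IP:=echo ip}"

# The rule specification, identical for append and delete.
# $1 = VIP (public alias on eth0), $2 = guest address; both are placeholders.
nat_spec() {
    printf 'PREROUTING -d %s -j DNAT --to-destination %s' "$1" "$2"
}

# $1 = A (append) or D (delete), $2 = VIP, $3 = guest address.
nat_rule() {
    # Word splitting of the spec is intended: each token is one argument.
    $IPT -t nat "-$1" $(nat_spec "$2" "$3")
}

vip_up() {
    $IP addr add "$1/32" dev eth0
    nat_rule A "$1" "$2"
}

vip_down() {
    # -D removes exactly one rule matching the spec; if the rule was
    # appended twice, vip_down has to run twice as well.
    nat_rule D "$1" "$2"
    $IP addr del "$1/32" dev eth0
}

# Constructed sample addresses (RFC 5737 documentation and RFC 1918 ranges).
vip_up   192.0.2.10 10.0.0.2
vip_down 192.0.2.10 10.0.0.2
```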

