| |
|
 |
|
 |
|
|
|
| |
|
|
xen-users
[Xen-users] conntrack not working as soon as network-bridge is renamed?
Hi -
Since I have upgraded from xen 3.0.2 to 3.0.3, I cannot get conntrack
working on dom0 as soon as network-bridge is not named "xenbr0".
Conntrack and everything related to netfiler are build in the kernel
(not as module).
Netfilter seems to work fine from any domU.
In xend-config.sxp I have the following:
(network-script 'network-bridge bridge=xenbrE')
(vif-script vif-bridge)
(dom0-min-mem 128)
(dom0-cpus 0)
I have a very basic firewall script setup on dom0:
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I have observed that:
- ping from dom0 to the rest of the world doesn't work: the icmp-reply
frames are dropped somewhere...
- ssh from the rest of the world to the dom0 does not work.
But:
- if I add an "--icmp-type echo-reply" ACCEPT iptables rule, I can ping
to anywhere from the dom0.
- if I remove "-m state --state NEW" from the SSH rule, then I can
connect to the SSH server of the dom0.
- if I donnot rename xenbr0 into xenbrD in xend-config.sxp, then
everything is working fine again. I wonder why this setup was OK with
Xen 3.0.2 I have used for months before and not anymore with v3.0.3.
Any idea?
King regards,
--
Olivier Le Cam
Département des Technologies de l'Information et de la Communication
CRDP de l'académie de Versailles
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
| <Prev in Thread] |
Current Thread |
[Next in Thread> |
- [Xen-users] conntrack not working as soon as network-bridge is renamed?,
Olivier Le Cam <=
|
|
|
| |
|
Home