WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Xen-users] 3.4.x networking

from [Mark Chaney] [Permanent Link][Original]
To: "'Mike Williams'" <mike@xxxxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] 3.4.x networking
From: "Mark Chaney" <macscr@xxxxxxxxxx>
Date: Sun, 13 Sep 2009 15:09:54 -0500
Cc:
Delivery-date: Sun, 13 Sep 2009 13:10:39 -0700
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=macscr.com; h=Received:From:To:References:In-Reply-To:Subject:Date:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:Thread-Index:Content-Language:X-soundwave-MailScanner-Information:X-soundwave-MailScanner-ID:X-soundwave-MailScanner:X-soundwave-MailScanner-SpamCheck:X-soundwave-MailScanner-From; b=ydc8aHgRwNN9EXFLbKkW+T4V5xI69K/f+BW90/28FZTl7IugH6z+d4IXSZo80mbgaceIr36aeRtpA63UMLxtcwmfp0QQ3qEEMdvK6TVuTCawjEhfgvABSbgoKQ60CVlz;
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <200909131524.40747.mike@xxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <00de01ca3437$0eaf5e20$2c0e1a60$@com> <00fe01ca3476$6ca490b0$45edb210$@com> <20090913134626.GT31123@xxxxxxxxxxx> <200909131524.40747.mike@xxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Aco0fgbpTsHQdncbTR++mUucrkRtuQAL5U6A 
While it seems a bit dirty, what I have been addng to my firewall, which is
CSF (from configservers.net), I have a bash script that runs after the
normal rules are loaded to iptables:

[root@wheeljack ~]# cat /etc/csf/csfpost.sh
#!/bin/sh
# add iptables commands here
/sbin/iptables -A FORWARD -m physdev --physdev-in peth1 --physdev-out vif+
-j ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-out peth1 --physdev-in vif+
-j ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-in peth0 --physdev-out vif+
-j ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-out peth0 --physdev-in vif+
-j ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-out vif+ --physdev-in vif+ -j
ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-in vif+ --physdev-out vif+ -j
ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-out tap+ --physdev-in tap+ -j
ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-in tap+ --physdev-out tap+ -j
ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-out vif+ --physdev-in tap+ -j
ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-in vif+ --physdev-out tap+ -j
ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-out tap+ --physdev-in vif+ -j
ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-in tap+ --physdev-out vif+ -j
ACCEPT

It appears to work for the most part. Som im guessing I should be able to
comment out the handle_iptable for vif-bridge. BUT, according to my diff
findings the vif-bridge for 3.3.1 and 3.4.1 are exactly the same.

-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Mike Williams
Sent: Sunday, September 13, 2009 9:25 AM
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] 3.4.x networking

On Sunday 13 September 2009 14:46:26 Pasi Kärkkäinen wrote:
> > I know it says the error is with vif-bridge, but that's stock, so I
don't
> > know what could be wrong with it. I dont get these errors witht he Xen
> > 3.3.1 and Kernel i mentioned earlier.
> 
> Did you diff vif-bridge script between xen 3.3.1 and xen 3.4.1 versions? 
> What are the differences? 
> 
> What's the failing iptables command? Please paste the whole command here, 
> including the parameters.

frob_iptables in /etc/xen/scripts/vif-common.sh has changed, mostly by the 
addition of:

iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
    --physdev-out "$vif" -j ACCEPT 2>/dev/null

I found this not only caused the probably innocuous physdev depreciation 
warning, but caused the conntrack modules to be loaded due to the state
check. 
The default conntrack size was far too small for me.
So either remove iptables, or comment out "handle_iptable" from 
/etc/xen/scripts/vif-bridge, I've no need for Xen to change iptables.

-- 
Mike Williams

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] 3.4.x networking, Mike Williams
Next by Date:  Re: [Xen-users] Always losing the console output after "Scrubbing free RAM", Martin Cracauer
Previous by Thread:  Re: [Xen-users] 3.4.x networking, Mike Williams
Next by Thread:  Re: [Xen-users] 3.4.x networking, Pasi Kärkkäinen
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy