xen-users
RE: [Xen-users] Xen 3.4.2 networking help
When a bridge is involved, there is a problem with physdev match (if I recall correctly) which means that outbound traffic on the firewall machine cannot be filtered because of the sequence in which the net stack does operations. The practical result is that you cannot apply rules filtering traffic which originates on the firewall and leaves via a bridge interface. I vaguely recall it's to do with the matching/filtering happening before the outbound interface is determined - and that in turn is related to requirements for handling VPN traffic. You can still filter inbound traffic, and you can still forward transiting traffic - it's only outbound traffic that originates on the firewall that is a problem.

That is my understanding from following the Shorewall list for some time.
------------------------------------------------------------------------------------------------------------------------------------------
If you are referring to the OUTPUT chain of the Dom0 itself, surely you
wouldn't use physdev at all? Wouldn't you just use "iptables -A OUTPUT -o
ethx ...."?
In any case, I don't block by interface on the Dom0's OUTPUT chain. No real
need to when the INPUT chain is protected with "iptables -A INPUT -i ..." I
only ever use physdev on the FORWARD chain, which works for both incoming and
outgoing traffic.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
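The rule layout the reply describes (interface match on INPUT, physdev match only on FORWARD, a plain -o match on OUTPUT), as an added example that is not from either poster. It emits an iptables-restore ruleset instead of applying it, and lints a ruleset for the physdev-on-OUTPUT combination the first message says cannot work for locally originated traffic; xenbr0, eth0 and vif1.0 are assumed names.

```shell
#!/bin/sh
# Assumed topology: Dom0 bridge xenbr0 with uplink eth0 and guest port vif1.0.
WAN_IF=eth0
BRIDGE=xenbr0
GUEST_VIF=vif1.0

# Print the Dom0 filter table in iptables-restore format (no root needed).
# Apply with:  sh rules.sh | iptables-restore
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: traffic for Dom0 itself arrives on the bridge, so match with -i
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $BRIDGE -p tcp --dport 22 -j ACCEPT
# FORWARD: bridged traffic transits here; physdev picks the bridge ports
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m physdev --physdev-in $GUEST_VIF --physdev-out $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $GUEST_VIF -j DROP
# OUTPUT: Dom0's own traffic; match the bridge with -o, never with physdev
-A OUTPUT -o $BRIDGE -p udp --dport 123 -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; fail (return 1) if any OUTPUT rule uses physdev,
# since the outbound bridge port is not known when OUTPUT is evaluated.
lint_ruleset() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      "-A OUTPUT "*physdev*) echo "physdev on OUTPUT: $line" >&2; bad=1 ;;
    esac
  done
  return $bad
}

# Stand-alone use: print the ruleset only if it passes the lint.
gen_rules | lint_ruleset && gen_rules
```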