xen-users

Re: [Xen-users] vif-common.sh and iptables

To: Dmitry Nedospasov <dmitry@xxxxxxxxx>
Subject: Re: [Xen-users] vif-common.sh and iptables
From: Andrew McGlashan <andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 26 Apr 2011 22:19:32 +1000
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 26 Apr 2011 05:21:01 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20110426110624.GA641@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Organization: Affinity Vision Australia Pty Ltd
References: <20110426110624.GA641@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.24 (Windows/20100228)

Hi Dmitry,

Dmitry Nedospasov wrote:
I have a question about vif-common.sh. I run multiple bridges attached
on dummy interfaces, which allow me to put guests in separate subnets
(routed through the dom0). As you might expect I already have quite
extensive iptables scripts to accommodate this kind of routing.

I was just hoping someone on this list can confirm, that I understand
what the iptables lines in vif-common.sh actually do:

iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
  2>/dev/null &&
iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
  --physdev-out "$vif" -j ACCEPT 2>/dev/null

From what I can tell the goal of these lines is to allow networking even
if the default FORWARD policy is DENY, am I right? Is there any
additional side-effect if I comment these lines out in vif-common.sh,
that I'm not considering?

That caused me issues and those settings were in place due to "anti-spoofing" setup.

I dropped anti-spoofing to "fix" my setup somewhat. Until I did that, I couldn't get to the DomU machines directly via the bridged interface.

Now I can get through, but there are still issues that are not resolved [1] -- sometimes I connect, sometimes I don't; I really need a fix for this.


[1]  http://comments.gmane.org/gmane.comp.emulators.xen.user/66214



--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
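To make the effect of the two FORWARD rules quoted in the thread easier to review, here is an added shell example (not code from vif-common.sh or from either poster). It prints the rules for one vif instead of loading them, so they can be inspected first. The `"$@"` slot in the quoted script is where vif-common.sh passes `-s <guest address>` when a guest's IP addresses are configured; that per-vif source restriction is the "anti-spoofing" that Andrew mentions. The function name, the vif name `vif3.0` and the 192.0.2.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: emit (rather than apply) the per-vif FORWARD rules that
# vif-common.sh installs, so the effect of each piece can be inspected.
#
# Usage: vif_rules <-A|-D> <vif> [guest-ip ...]
#   With guest IPs, the inbound rule is limited to those source addresses
#   (the anti-spoofing case: one rule per address). With no IPs, any source
#   seen on the vif is accepted, which is what the rules do when a guest
#   has no ip= setting.
vif_rules() {
    c="$1"; vif="$2"; shift 2
    if [ $# -gt 0 ]; then
        # Frames entering the bridge from this vif: only the listed sources.
        for addr in "$@"; do
            printf 'iptables %s FORWARD -m physdev --physdev-in %s -s %s -j ACCEPT\n' \
                "$c" "$vif" "$addr"
        done
    else
        # No address known: accept anything the guest sends.
        printf 'iptables %s FORWARD -m physdev --physdev-in %s -j ACCEPT\n' \
            "$c" "$vif"
    fi
    # Frames leaving the bridge towards this vif: only replies to connections
    # that were already accepted, hence RELATED,ESTABLISHED.
    printf 'iptables %s FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out %s -j ACCEPT\n' \
        "$c" "$vif"
}

# Review the rules for the hypothetical vif "vif3.0", pinned to two addresses.
# To load them for real on a dom0 (as root): vif_rules -A vif3.0 192.0.2.10 | sh
vif_rules -A vif3.0 192.0.2.10 192.0.2.11
```

Reading the output side by side with your own FORWARD chain shows what removing the lines changes: with a default FORWARD policy of DROP the guest loses forwarding entirely, and with a policy of ACCEPT the only thing lost is the per-vif source-address check, which your own rules then have to provide.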
