This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

Re: [Xen-users] vif-common.sh and iptables

To: Andrew McGlashan <andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] vif-common.sh and iptables
From: Teck Choon Giam <giamteckchoon@xxxxxxxxx>
Date: Wed, 27 Apr 2011 08:45:11 +0800
Cc: Dmitry Nedospasov <dmitry@xxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
On Tue, Apr 26, 2011 at 8:19 PM, Andrew McGlashan
<andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi Dmitry,
> Dmitry Nedospasov wrote:
>> I have a question about vif-common.sh. I run multiple bridges attached
>> on dummy interfaces, which allow me to put guests in separate subnets
>> (routed through the dom0). As you might expect I already have quite
>> extensive iptables scripts to accommodate this kind of routing.
>> I was just hoping someone on this list can confirm that I understand
>> what the iptables lines in vif-common.sh actually do:
>>> iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
>>>   2>/dev/null &&
>>> iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
>>>   --physdev-out "$vif" -j ACCEPT 2>/dev/null
>> From what I can tell the goal of these lines is to allow networking even
>> if the default FORWARD policy is DENY, am I right? Is there any
>> additional side-effect if I comment these lines out in vif-common.sh,
>> that I'm not considering?
> That caused me issues and those settings were in place due to
> "anti-spoofing" setup.
> I dropped anti-spoofing to "fix" my setup somewhat.  Until I did that, I
> couldn't get to the DomU machines directly via the bridged interface.
> Now I can get through, but there are still issues that are not resolved [1]
> -- sometimes I connect, sometimes I don't; I really need a fix for this.
> [1]  http://comments.gmane.org/gmane.comp.emulators.xen.user/66214

Are you looking for a patch to support the anti-spoof feature for tap
devices?  If so, which Xen version are you looking for?  I have
patches to support tap devices when the anti-spoof feature is enabled.


Kindest regards,
Giam Teck Choon

P.S. Sorry, previous mail I forgot to click "Reply-All" :(
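Added example, not from this thread and not Xen's own code: a dry-run shell reconstruction of how the two iptables lines quoted above are driven. In the stock vif-common.sh of this era the `"$@"` in the first rule receives `-s <address>` once for each address in the guest's `ip=` setting (plus a separate rule letting the guest reach a DHCP server), so the "anti-spoofing" Andrew mentions is simply that source-address restriction; with no `ip=` list the vif is allowed to forward any source address. The second rule only lets RELATED/ESTABLISHED replies back out to the vif. The names `vif_forward_rules`, `frob` and the `IPTABLES` variable are this example's own, and the vif name and address are constructed; by default the script prints the iptables commands instead of applying them, so it can be inspected without a Xen dom0.

```shell
#!/bin/sh
# Example reconstruction of the FORWARD rules Xen's vif-common.sh installs
# for one guest interface. Names here (vif_forward_rules, frob, IPTABLES)
# are assumptions of this example, not identifiers from vif-common.sh.

# Dry run by default: IPTABLES="echo iptables" prints each command.
# Set IPTABLES=iptables on a real dom0 to apply the rules.
IPTABLES="${IPTABLES:-echo iptables}"

# frob <-I|-D> <vif> [extra match args]
# Emits the two rules from the quoted script. Extra arguments land where
# "$@" sits in the original, i.e. between --physdev-in and -j ACCEPT.
frob() {
    c=$1; vif=$2; shift 2
    # Traffic coming in from the guest: forwarded only if the extra
    # matches (a -s address, or the DHCP port match) also pass.
    $IPTABLES "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT
    # Traffic going back out to the guest: only replies to existing flows,
    # so a default DROP policy on FORWARD still blocks unsolicited packets.
    $IPTABLES "$c" FORWARD -m state --state RELATED,ESTABLISHED \
        -m physdev --physdev-out "$vif" -j ACCEPT
}

# vif_forward_rules <online|offline> <vif> [ip ...]
# online inserts (-I) the rules, offline deletes (-D) them, mirroring the
# $c variable in the quoted script. Each extra argument is an address the
# guest is allowed to use as a source (the ip= list of the vif config).
vif_forward_rules() {
    cmd=$1; vif=$2; shift 2
    case $cmd in
        online)  c="-I" ;;
        offline) c="-D" ;;
        *) echo "usage: vif_forward_rules online|offline vif [ip ...]" >&2
           return 2 ;;
    esac

    if [ $# -eq 0 ]; then
        # No ip= list configured: anything the guest sends is forwarded,
        # so the guest can spoof any source address.
        frob "$c" "$vif"
    else
        # ip= list configured: one ACCEPT per address, so forwarded packets
        # from this vif must carry one of the listed source addresses.
        for addr in "$@"; do
            frob "$c" "$vif" -s "$addr"
        done
        # A guest without an address yet must still reach a DHCP server.
        frob "$c" "$vif" -p udp --sport 68 --dport 67
    fi
}

# Constructed sample: guest vif1.0 restricted to 192.0.2.10 (dry run).
vif_forward_rules online vif1.0 192.0.2.10
```

On a live dom0 the installed rules can be listed with `iptables -S FORWARD | grep physdev`; if the guest's `ip=` setting does not match the address the guest actually configures, the first rule never matches and the guest's traffic is dropped by the default policy, which is the kind of symptom worth checking before removing these lines altogether.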
