Re: [Xen-users] vif-common.sh and iptables

To:	Andrew McGlashan <andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx>
Subject:	Re: [Xen-users] vif-common.sh and iptables
From:	Teck Choon Giam <giamteckchoon@xxxxxxxxx>
Date:	Wed, 27 Apr 2011 08:45:11 +0800
Cc:	Dmitry Nedospasov <dmitry@xxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date:	Tue, 26 Apr 2011 17:46:31 -0700
Dkim-signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=F7ZhDU/NHEbduJgbChDT32/UbMWLlc60bYjCwxmU2zo=; b=lsC6YmPh/oo5SkTb3RehuAm9bIehKHQGVzd9P4DpSwNT/ugxmg6brHuhOlk3C23C/Q pbJrCwr/Tr2le47098sTSt2GZeq4WbB+/B/1NhWDwMLpTb8TXacQ/nyPf/rr4IxJkykS G4y//FcgJYlF8hxNKWQj/oB2cUYhziwc+Ttkc=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=j3Zo6nFmr8QfUTK/edq6P360d7TIKXcnocfpkWVSoVkqJxWj3rbeUq+vwfY4tJB0nQ swyTaEACjCUR8KpaupmBALykCyl0oz/jitDDmnW56PCIgXvewAOdzRFzNzyOFilJaVG1 725zfntsUMjIgoLOFDNuEVf9kif7IH5uigjy8=
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<4DB6B854.2080904@xxxxxxxxxxxxxxxxxxxxx>
List-help:	<mailto:xen-users-request@lists.xensource.com?subject=help>
List-id:	Xen user discussion <xen-users.lists.xensource.com>
List-post:	<mailto:xen-users@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References:	<20110426110624.GA641@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <4DB6B854.2080904@xxxxxxxxxxxxxxxxxxxxx>
Sender:	xen-users-bounces@xxxxxxxxxxxxxxxxxxx

On Tue, Apr 26, 2011 at 8:19 PM, Andrew McGlashan
<andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi Dmitry,
>
> Dmitry Nedospasov wrote:
>>
>> I have a question about vif-common.sh. I run multiple bridges attached
>> on dummy interfaces, which allow me to put guests in seperate subnets
>> (routed through the dom0). As you might expect I already have quite
>> extensive iptables scripts to accomidate this kind of routing.
>>
>> I was just hoping someone on this list can confirm, that I understand
>> what the iptables lines in vif-common.sh actually do:
>>
>>> iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
>>>  2>/dev/null &&
>>> iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev
>>> \
>>>  --physdev-out "$vif" -j ACCEPT 2>/dev/null
>>
>>> From what i can tell the goal of these lines is to allow networking even
>>
>> if the default FORWARD policy is DENY, am I right? Is there any
>> additional side-effect if I comment these lines out in vim-common.sh,
>> that I'm not considering?
>
> That caused me issues and those settings were in place due to
> "anti-spoofing" setup.
>
> I dropped anti-spoofing to "fix" my setup somewhat.  Until I did that, I
> couldn't get to the DomU machines directly via the bridged interface.
>
> Now I can get through, but there are still issues that are not resolved [1]
> -- sometimes I connect, sometimes I don't; I really need a fix for this.
>
>
> [1]  http://comments.gmane.org/gmane.comp.emulators.xen.user/66214
>

Are you looking for a patch to support anti-spoof feature for tap
devices?  If so, which xen version you are looking for?  I have
patches to support tap devices when anti-spoof feature is enabled.

Thanks.

Kindest regards,
Giam Teck Choon

P.S. Sorry, previous mail I forgot to click "Reply-All" :(

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

WARNING - OLD ARCHIVES

xen-users

Re: [Xen-users] vif-common.sh and iptables