I have two VMs (Debian and Fedora) connected through two vde_switch instances:
Debian <-> wirefilter <-> Fedora
vde_switch -s /tmp/sw1 -M /tmp/sw1.mgmt -d
vde_switch -s /tmp/sw2 -M /tmp/sw2.mgmt -d
vde_plug /tmp/sw1
vde_plug /tmp/sw2
vde_pcapplug -s /tmp/sw1 Deb6.0 -d
vde_pcapplug -s /tmp/sw2 Fed15.0 -d
dpipe vde_plug /tmp/sw1 = wirefilter -M /tmp/wire1.mgmt = vde_plug /tmp/sw2 &
Ping works fine. tcpdump sees packets on both interfaces (Deb6.0, Fed15.0):
[root@Xen xen]# tcpdump -i Deb6.0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Deb6.0, link-type EN10MB (Ethernet), capture size 96 bytes
16:07:08.073923 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 1466, seq 7850, length 64
16:07:08.074054 IP 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 1466, seq 7850, length 64
16:07:09.075532 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 1466, seq 7851, length 64
16:07:09.075666 IP 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 1466, seq 7851, length 64
4 packets captured
4 packets received by filter
0 packets dropped by kernel
But iptables can't see any packets.
cat /proc/sys/net/ipv4/ip_forward
1
[root@Xen xen]# iptables -L -v
Chain INPUT (policy ACCEPT 278K packets, 140M bytes)
pkts bytes target prot opt in out source destination
0 0 all -- any any anywhere anywhere PHYSDEV match --physdev-out Fed15.0
0 0 all -- any any anywhere anywhere PHYSDEV match --physdev-in Fed15.0
Chain FORWARD (policy ACCEPT 6 packets, 318 bytes)
pkts bytes target prot opt in out source destination
0 0 all -- any any anywhere anywhere PHYSDEV match --physdev-in Fed15.0
0 0 all -- any any anywhere anywhere PHYSDEV match --physdev-in Deb6.0
0 0 all -- any any anywhere anywhere PHYSDEV match --physdev-out Deb6.0
0 0 all -- any any anywhere anywhere PHYSDEV match --physdev-out Fed15.0
Chain OUTPUT (policy ACCEPT 279K packets, 128M bytes)
pkts bytes target prot opt in out source destination
0 0 all -- any any anywhere anywhere PHYSDEV match --physdev-out Fed15.0
Could you tell me why iptables doesn't see any packets? How do I make a central
firewall in Dom0?
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users