WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] iptables filter on specific bridge port only

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] iptables filter on specific bridge port only
From: Diego Alvarez <arcane.lord@xxxxxxxxx>
Date: Fri, 19 May 2006 09:10:34 -0400
In-reply-to: <18470FE9D546FD4BA291E04314334228B6B1@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <18470FE9D546FD4BA291E04314334228B6B1@xxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.11+cvs20060403
On Fri, May 19, 2006 at 01:58:34PM +0100, Fischer, Anna wrote:
> I'd like to set up some filter rules in Dom0 to control network traffic
> of my other domains. I use iptables, my network setup is the standard
> Xen setup. Is it correct that if I want to filter traffic only on a
> specific domain interface (e.g. vif1.0), then I have to use the
> '--physdev' option instead of the '-i' or '-o' options? Or is there any
> other possibility to do this filtering?
 
Yes, -i and -o will match the bridge interface. In fact, if you have peth0
and vif1.0 connected to bridge xenbr0, then a communication from peth0
to vif1.0 will match "-i xenbr0" and "-o xenbr0". But it will match
"--physdev-in peth0" and "--physdev-out vif1.0" too.


> Anna

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
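
The per-port matching described in the reply above, as an added example that is not part of the original thread. It assumes the guest port is vif1.0 and an illustrative policy (inbound SSH allowed, the guest may only send replies); the function names are hypothetical, and the script only prints the rules.

```shell
#!/bin/sh
# Added example: print (not apply) per-port filter rules for one Xen guest.
# "-i xenbr0" / "-o xenbr0" would match every port on the bridge; the physdev
# match below narrows each rule to the guest's own port.

# The name is interpolated into command lines, so accept only the characters
# and general shape of a Xen port name (vif<domid>.<devid>).
valid_vif() {
    case "$1" in
        *[!vif0-9.]*) return 1 ;;        # any character outside the allowed set
        vif[0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Bridged frames traverse iptables only while bridge netfilter is enabled.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

vif_rules() {
    vif=$1
    valid_vif "$vif" || { echo "rejected interface name: $vif" >&2; return 1; }
    to="iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out $vif"
    from="iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $vif"
    # Frames leaving the bridge through the guest's port (towards the guest).
    echo "$to -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$to -p tcp --dport 22 -j ACCEPT"   # assumed policy: inbound SSH only
    echo "$to -j DROP"
    # Frames entering the bridge from the guest's port (from the guest).
    echo "$from -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$from -j DROP"
}

bridge_nf_enabled || echo "note: bridge-nf-call-iptables is not 1 on this host" >&2
vif_rules "${VIF:-vif1.0}"
```

Review the printed commands before loading them in Dom0; other ports on xenbr0, including peth0, are not touched by these rules.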
