This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-users] frob_iptable not getting called for network-bridge?

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] frob_iptable not getting called for network-bridge?
From: "Matthew Law" <matt@xxxxxxxxxxxxxxxxxx>
Date: Tue, 15 Dec 2009 11:31:34 -0000
Hi list,

I have a CentOS Xen 3.4.2 dom0 setup with:

(network-script 'network-bridge netdev=eth0 antispoof=yes')
(vif-script vif-bridge)

The problem is that newly created domUs are firewalled (the FORWARD chain
policy is DROP).

Looking at the scripts in /etc/xen/scripts, shouldn't the frob_iptable
function take care of adding the correct rules to permit access to
the domU IP?  Or have I missed something?

Here is the output of 'brctl show' with guests running:

[root@mydom0 xen]# brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.003048d9edf6       no              vifdomu1

and here is the output of 'iptables -L':

[root@mydom0 xen]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in peth0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I drop the FORWARD rules and set it to ACCEPT by default, domU
networking starts to work, but I would rather do it right.

Thanks in advance,

Xen-users mailing list
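Added example, not part of the original post and not the Xen project's own script: a small POSIX sh function that emits FORWARD rules of the shape that frob_iptable in Xen's vif-common.sh installs for a guest's vif when it comes online (per-address source filtering when the vif has ip= addresses set, DHCP client-to-server always allowed, return traffic towards the vif only when RELATED,ESTABLISHED). The vif name vif1.0 and the address 192.0.2.10 are constructed for illustration, and IPTABLES defaults to echo so the script runs on any host without touching the firewall.

```shell
#!/bin/sh
# Added example: emulate the per-vif FORWARD rules that Xen's vif-bridge
# hook (frob_iptable in /etc/xen/scripts/vif-common.sh) installs.  This is
# illustration code, not the Xen script itself.  Names below are assumed:
# vif1.0 and 192.0.2.10 are constructed sample values.
#
# IPTABLES defaults to "echo iptables" so nothing is applied; run with
# IPTABLES=iptables as root to install the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# vif_forward_rules VIF CMD [IP ...]
#   VIF  backend interface, e.g. vif1.0
#   CMD  "online" inserts the rules (-I), "offline" deletes them (-D)
#   IP   zero or more guest addresses; with addresses present only those
#        sources are forwarded from the vif (antispoof), without any the
#        vif may send anything.
vif_forward_rules() {
    vif=$1; cmd=$2; shift 2
    case "$cmd" in
        online)  c=-I ;;
        offline) c=-D ;;
        *) echo "vif_forward_rules: unknown command '$cmd'" >&2; return 1 ;;
    esac

    if [ $# -gt 0 ]; then
        # One ACCEPT per configured address, matched on the ingress vif
        # so a guest cannot spoof another guest's address.
        for addr in "$@"; do
            $IPTABLES $c FORWARD -m physdev --physdev-in "$vif" \
                -s "$addr" -j ACCEPT
        done
        # DHCP client (sport 68) to server (dport 67) is allowed before
        # the guest has an address to match on.
        $IPTABLES $c FORWARD -m physdev --physdev-in "$vif" \
            -p udp --sport 68 --dport 67 -j ACCEPT
    else
        # No addresses configured: forward anything arriving from the vif.
        $IPTABLES $c FORWARD -m physdev --physdev-in "$vif" -j ACCEPT
    fi

    # Traffic towards the guest is only forwarded when it belongs to a
    # connection the guest initiated (or a related one).
    $IPTABLES $c FORWARD -m state --state RELATED,ESTABLISHED \
        -m physdev --physdev-out "$vif" -j ACCEPT
}

# Demonstration with constructed values: a guest on vif1.0 with one
# configured address coming online, then going offline.
vif_forward_rules vif1.0 online 192.0.2.10
vif_forward_rules vif1.0 offline 192.0.2.10
```

On a real dom0 the equivalent check is `iptables -L FORWARD -v -n`: with the hook working, each running guest's vif shows up in a `physdev-in vifN.M` ACCEPT rule alongside the `physdev-in peth0` one, and the packet counters on those rules move when the guest sends traffic. If only the peth0 rule is present, as in the listing above, the per-vif rules were never installed and the FORWARD policy of DROP applies to every guest packet.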
