WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

xen-users

[Xen-users] Xen bridge + iptables FORWARD

To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] Xen bridge + iptables FORWARD
From: Martin Goldman <me@xxxxxxxxxxxx>
Date: Tue, 20 Jul 2010 10:16:57 -0400
Delivery-date: Tue, 20 Jul 2010 07:24:22 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Hi all,

I have Xen 3.2 newly installed on Lenny with network bridging configured. When I built my first VM, I found it couldn't connect to the Internet. This turned out to be because my dom0's iptables was configured to DROP all packets on the FORWARD chain (when I removed that, it started working).

The "Xen Networking" page on the wiki describes this exact situation (http://wiki.xensource.com/xenwiki/XenNetworking#head-602e26cd4a03b992f3938fe1bea03fa0fea0ed8b) and suggests adding the following iptables rules:

iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT

This, however, did not work for me. I have 2 questions about this:

1. The description of what this is supposed to do is "allowing packet forwarding (at the iptables level) between the external physical interface and the vifs for the guests". But in the diagram, it looks like external physical interface is peth0, not eth0. Am I misunderstanding something, or should eth0 in the rules above actually be peth0?

2. Just for fun, I tried changing eth0 in the rules above to peth0, based on the reasoning above. That actually seemed to work. But now my syslog is getting flooded with messages like this, which makes me wonder if I'm barking up the wrong tree entirely:

physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.

To my surprise, I haven't been able to find any resource aside from the wiki page mentioned above that discusses the best practice for disabling forwarding on the dom0 except what's required for Xen bridging. If anybody has any thoughts on how to achieve this, it'd be much appreciated.

Best regards,
Martin Goldman
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
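The ruleset below is an added example, not code from the post or from the Xen wiki page it cites. It assumes the Xen 3.x network-bridge layout the post describes: the physical NIC has been renamed peth0 and is a port of the bridge (the bridge device itself carries the name eth0), and guest interfaces are named vif<domid>.<n>, so the physdev wildcard "vif+" matches all of them. physdev matches on bridge ports, so the port that carries the uplink is peth0, not the bridge eth0. The rules also add --physdev-is-bridged, which restricts the match to frames the bridge is forwarding; that is exactly the restriction the "non-bridged traffic is not supported anymore" kernel message asks for. A small lint function at the end flags rules that use --physdev-out without it, and is run against the two wiki rules quoted in the post (embedded as constructed input) and against the generated set:

```shell
#!/bin/sh
# Added example (not from the post or the Xen wiki): generate a dom0 filter
# ruleset whose FORWARD policy is DROP, with exceptions only for frames that
# are bridged between the uplink port and the guest vifs.
#
# Assumptions (Xen 3.x network-bridge layout): the physical NIC has been
# renamed peth0 and sits in the bridge as a port, and guest interfaces are
# named vif<domid>.<n>, so "vif+" matches all of them.
set -eu

# gen_xen_forward_rules PHYS_PORT VIF_PREFIX
#   Print an iptables-restore ruleset for the filter table.
gen_xen_forward_rules() {
    phys=$1        # bridge port carrying the uplink, e.g. peth0 (assumed name)
    vifs=$2        # name prefix of guest vifs, e.g. vif
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# bridged frames: uplink port -> any guest vif
-A FORWARD -m physdev --physdev-is-bridged --physdev-in $phys --physdev-out ${vifs}+ -j ACCEPT
# bridged frames: any guest vif -> uplink port
-A FORWARD -m physdev --physdev-is-bridged --physdev-in ${vifs}+ --physdev-out $phys -j ACCEPT
# anything else (routed traffic, vif-to-vif) falls through to the DROP policy
COMMIT
EOF
}

# lint_physdev_rules
#   Read rules on stdin and print every FORWARD/OUTPUT/POSTROUTING rule that
#   uses --physdev-out without --physdev-is-bridged, the combination that
#   triggers the "physdev match: using --physdev-out ..." kernel warning.
#   Returns 1 if any such rule was found, 0 otherwise.
lint_physdev_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"-A FORWARD"*|*"-A OUTPUT"*|*"-A POSTROUTING"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *--physdev-out*)
                case "$line" in
                    *--physdev-is-bridged*) ;;
                    *) echo "unbridged --physdev-out: $line"; bad=1 ;;
                esac
                ;;
        esac
    done
    return "$bad"
}

# The two rules quoted from the wiki in the post, kept as constructed lint input.
WIKI_RULES="iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT"

# Usage: ./xen-forward.sh            prints the ruleset and lints both sets
#        ./xen-forward.sh --apply    loads the generated ruleset (run as root)
if [ "${1:-}" = "--apply" ]; then
    gen_xen_forward_rules peth0 vif | iptables-restore
else
    gen_xen_forward_rules peth0 vif
    echo "--- lint of the wiki rules:"
    printf '%s\n' "$WIKI_RULES" | lint_physdev_rules || true
    echo "--- lint of the generated rules:"
    gen_xen_forward_rules peth0 vif | lint_physdev_rules && echo "clean"
fi
```

Two caveats before loading this on a dom0. First, iptables only sees bridged frames at all when the bridge-netfilter hook is on (/proc/sys/net/bridge/bridge-nf-call-iptables reads 1); that hook is the reason a FORWARD DROP policy cut the guest off in the first place, and turning it off would make these rules irrelevant rather than wrong. Second, with only the two exceptions above, guests on the same bridge cannot talk to each other either, since vif-to-vif frames also traverse FORWARD; add a third rule with --physdev-in vif+ --physdev-out vif+ if that is wanted. Check the real port names with brctl show rather than trusting the peth0 and vif assumptions.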