WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Xen-users] Xen 3.4.2 networking help

from [Simon Hobson] [Permanent Link][Original]
To: Xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Xen 3.4.2 networking help
From: Simon Hobson <linux@xxxxxxxxxxxxxxxx>
Date: Wed, 27 Oct 2010 10:58:41 +0100
Cc:
Delivery-date: Wed, 27 Oct 2010 03:01:33 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <46C13AA90DB8844DAB79680243857F0F0AFEF7@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <865472.89218.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx><1288112346.2867.147.camel@E 4310><830769.85058.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx><p06240806c8ed7b7b3394@ simon.thehobsons.co.uk><4CC7D21A.3050200@xxxxxxxxxxx><p06240807c8ed936f220 0@xxxxxxxxxxxxxxxxxxxxxx><46C13AA90DB8844DAB79680243857F0F0AFEF6@xxxxxxxxx BPNI.local> <p06240808c8ed9d577450@xxxxxxxxxxxxxxxxxxxxxx> <46C13AA90DB8844DAB79680243857F0F0AFEF7@xxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
Jonathan Tripathy wrote:
Yes, "-o ethx" is indeed a device match, but it works differently to physdev, which really only works well on fordwarded traffic (Although I think it is supposed to work on all bridged traffic)
I'll bow to your significantly greater knowledge in this area ! But the penny drops now, is ethx a real port or a bridge port ? I'll hazzard a guess filtering output to the bridge interface (eg br0) would be handled differently to filtering output to a specific port on the bridge.
Can you please post a link to information about this? I can't find anything on Google about this. 

This for starters :
http://www.shorewall.net/bridge-Shorewall-perl.html
As described above, Shorewall bridge support requires the physdev match feature of Netfilter/iptables. Physdev match allows rules to be triggered based on the bridge port that a packet arrived on and/or the bridge port that a packet will be sent over. The latter has proved to be problematic because it requires that the evaluation of rules be deferred until the destination bridge port is known. This deferral has the unfortunate side effect that it makes IPSEC Netfilter filtration incompatible with bridges. To work around this problem, in kernel version 2.6.20 the Netfilter developers decided to remove the deferred processing in two cases: * When a packet being sent through a bridge entered the firewall on another interface and was being forwarded to the bridge. * When a packet originating on the firewall itself is being sent through a bridge. 

Then I found this that suggests you need to use physdev
http://bwachter.lart.info/linux/bridges.html

And I even found one of my old posts :
http://www.mail-archive.com/shorewall-users@xxxxxxxxxxxxxxxxxxxxx/msg02967.html
which references
http://www.shorewall.net/pub/shorewall/4.0/shorewall-4.0.1/releasenotes.txt

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-users] DomU crashes after live migration, ml ml
Next by Date:  RE: [Xen-users] Xen 3.4.2 networking help, Jonathan Tripathy
Previous by Thread:  RE: [Xen-users] Xen 3.4.2 networking help, Jonathan Tripathy
Next by Thread:  RE: [Xen-users] Xen 3.4.2 networking help, Jonathan Tripathy
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy