This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-users] Xen bridge acting weird -- fixed

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Xen bridge acting weird -- fixed
From: Matthew Palmer <mpalmer@xxxxxxxxxxx>
Date: Thu, 3 Nov 2005 12:49:20 +1100
Delivery-date: Thu, 03 Nov 2005 01:47:09 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20051102234031.GA30941@xxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.9i
[Threading was done manually; I hope it worked]

I think I've fixed the problem, since I've just been trying to do the same
bridge-fiddling on another (simpler) setup, and I think it's a problem with
the antispoof protection.  One of the things it does on the dom0 is:

iptables -P FORWARD DROP

which naturally makes IP packets much harder to get from place to place.
Unfortunately, the associated rule to allow certain packets fails on my
system with an "iptables: No chain/target/match by that name", so the network
on my dom0 effectively goes "none shall pass" and it's game over.  The
reason, of course, that ARP still runs through is because it's not IP, and
therefore iptables has nothing to do with it.

The fix?  Run your network scripts with antispoof=no, or clear up the
forward policy stuff with:


Of course, if you have any sort of actual firewalling happening on your
machines, this will probably not be a wise move, but on simple systems with
normally-permissive networking, this works fine.

- Matt

Xen-users mailing list
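The failure mode Matt describes (dom0 FORWARD policy set to DROP while the antispoof ACCEPT rule never got installed, so domU IP traffic dies but ARP still answers) is easy to misdiagnose as a bridge problem. The script below is an added, read-only check that is not part of the original mail or of the Xen scripts: it parses the output of "iptables -L FORWARD -n" and classifies the chain as OPEN, FILTERED, or BLACKHOLE (DROP policy with no rules at all, the state in the post). The listing format is the one modern iptables prints; the two sample listings embedded in it are constructed for offline use, and the vif1.0 interface name in the second sample is a placeholder.

```shell
#!/bin/sh
# Added diagnostic for a dom0 whose FORWARD chain silently drops domU traffic.
# Not from the original post or the Xen network scripts.
# Assumptions: "iptables -L FORWARD -n" output format (header line
# "Chain FORWARD (policy X)" followed by a column-title line, then one line
# per rule). Sample listings below are constructed.

# forward_policy: print the chain policy (DROP/ACCEPT) from a listing on stdin.
forward_policy() {
    sed -n 's/^Chain FORWARD (policy \([A-Z]*\)).*/\1/p'
}

# forward_rule_count: number of rules in the chain, i.e. non-empty lines
# after the two header lines.
forward_rule_count() {
    awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# diagnose_forward: classify a FORWARD listing read on stdin.
#   OPEN      - policy ACCEPT, forwarding is permissive
#   FILTERED  - policy DROP but at least one rule exists (e.g. the antispoof
#               ACCEPT rule loaded correctly)
#   BLACKHOLE - policy DROP and no rules: the state described in the post,
#               where the allow rule failed to load and every IP packet
#               crossing the bridge is dropped
diagnose_forward() {
    listing=$(cat)
    policy=$(printf '%s\n' "$listing" | forward_policy)
    rules=$(printf '%s\n' "$listing" | forward_rule_count)
    case "$policy:$rules" in
        ACCEPT:*) echo OPEN ;;
        DROP:0)   echo BLACKHOLE ;;
        DROP:*)   echo FILTERED ;;
        *)        echo UNKNOWN ;;
    esac
}

# Constructed sample: the broken state (policy DROP, allow rule missing).
SAMPLE_BROKEN='Chain FORWARD (policy DROP)
target     prot opt source               destination'

# Constructed sample: policy DROP with an antispoof-style ACCEPT rule present.
# "vif1.0" is a placeholder interface name.
SAMPLE_OK='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif1.0'

# With "--live", inspect the running firewall (needs root and iptables);
# otherwise classify the constructed samples so the script runs anywhere.
if [ "${1:-}" = "--live" ]; then
    iptables -L FORWARD -n | diagnose_forward
else
    printf 'broken sample: %s\n' "$(printf '%s\n' "$SAMPLE_BROKEN" | diagnose_forward)"
    printf 'ok sample:     %s\n' "$(printf '%s\n' "$SAMPLE_OK" | diagnose_forward)"
fi
```

A BLACKHOLE result means the policy alone is doing all the filtering; before relaxing it, as the post cautions, check whether any of the missing rules were meant to do real firewalling on that host rather than just the Xen antispoof check.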
