WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Re: Blocking DomU NetBios

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Re: Blocking DomU NetBios
From: Andy Smith <andy@xxxxxxxxxxxxxx>
Date: Sat, 16 Feb 2008 04:27:01 +0000
Delivery-date: Fri, 15 Feb 2008 20:27:42 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20080214160056.GA30910@xxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc
References: <20080211235857.GA5298@xxxxxxxxxx> <47B0DDA4.8010609@xxxxxxxxxx> <20080212113818.GA19475@xxxxxxxxxx> <20080213120141.GA30857@xxxxxxxxxx> <20080213185945.GO3692@xxxxxxxxxxx> <20080214160056.GA30910@xxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.13 (2006-08-11)

Hi Ligesh,

On Thu, Feb 14, 2008 at 09:30:56PM +0530, Ligesh wrote:
> On Wed, Feb 13, 2008 at 06:59:45PM +0000, Andy Smith wrote:
> > You need to use --physdev since this is a bridge.
> 
> Thanks a lot for the answer. The problem is that I am not seeing any packet 
> at all going through in the forward chain.

It works for me, so our configurations must be different.

>  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in vifxenv0
>     0     0 DROP       all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in vifxenv0

What is vifxenv0?

With a rule like:

        iptables -A FORWARD -m physdev --physdev-in peth0 --physdev-out v-foo -j domu_foo_in

I see traffic from the outside world coming in to the domU on
interface v-foo and make it jump to a chain called domu_foo_in.

With:

        iptables -A FORWARD -m physdev --physdev-in v-foo --physdev-out peth0 -j domu_foo_out

I see traffic from the domU on interface v-foo destined for outside
world.

There are some additional complications in matching dom0->domU and
domU->domU traffic.

What is your /proc/sys/net/bridge/bridge-nf-call-iptables set to?
It should be 1.

Cheers,
Andy

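As an added example, not code from the thread: a small shell helper that emits the physdev jump rules Andy describes for one domU, checks the bridge-nf-call-iptables knob he asks about, and sums the packet counters of PHYSDEV rules in an `iptables -vxL FORWARD` listing, which is how to spot the "no packets at all" symptom Ligesh reports. The interface names peth0 and v-foo follow the message; the chain contents and the NetBIOS/SMB port numbers are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for the physdev setup Andy
# describes: peth0 is the physical uplink, v-foo the domU's vif (names as used
# in the message); chain contents and the NetBIOS/SMB ports are assumptions.

# Emit the iptables commands for one domU: NAME VIF PETH.
# peth -> vif traffic jumps to domu_NAME_in, vif -> peth to domu_NAME_out.
domu_rules() {
    name="$1" vif="$2" peth="$3"
    cat <<EOF
iptables -N domu_${name}_in
iptables -N domu_${name}_out
iptables -A FORWARD -m physdev --physdev-in ${peth} --physdev-out ${vif} -j domu_${name}_in
iptables -A FORWARD -m physdev --physdev-in ${vif} --physdev-out ${peth} -j domu_${name}_out
EOF
    # Assumed policy for the thread's subject: drop NetBIOS/SMB (137-139, 445)
    # leaving the domU; everything else returns to FORWARD's policy.
    for proto in tcp udp; do
        echo "iptables -A domu_${name}_out -p ${proto} -m multiport --dports 137,138,139,445 -j DROP"
    done
    echo "iptables -A domu_${name}_out -j RETURN"
    echo "iptables -A domu_${name}_in -j RETURN"
}

# Succeed only if bridged frames are handed to iptables (knob set to 1).
# The path is a parameter so the check can be run against a copy of the file.
bridge_nf_enabled() {
    knob="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$knob" ] || return 1      # bridge module not loaded, or no such knob
    [ "$(cat "$knob")" = "1" ]
}

# Sum the packet counters of PHYSDEV rules in an `iptables -vxL FORWARD`
# listing read from stdin (-x keeps counters exact, no K/M suffixes).
# A total of 0, as in Ligesh's paste, means no bridged frame reached FORWARD.
physdev_hits() {
    awk '/PHYSDEV match/ && $1 ~ /^[0-9]+$/ { total += $1 } END { print total + 0 }'
}

# Constructed listing in `iptables -vxL FORWARD` layout (not real output).
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     3360 DROP       all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in v-foo
       0        0 DROP       all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in v-bar'
```

Run `domu_rules foo v-foo peth0` to print the rule set for a domU named foo, and `iptables -vxL FORWARD | physdev_hits` on the dom0 to see whether any bridged frame has hit a physdev rule.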