WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Re: Blocking DomU NetBios

from [Andy Smith] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Re: Blocking DomU NetBios
From: Andy Smith <andy@xxxxxxxxxxxxxx>
Date: Sat, 16 Feb 2008 04:27:01 +0000
Delivery-date: Fri, 15 Feb 2008 20:27:42 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20080214160056.GA30910@xxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc
References: <20080211235857.GA5298@xxxxxxxxxx> <47B0DDA4.8010609@xxxxxxxxxx> <20080212113818.GA19475@xxxxxxxxxx> <20080213120141.GA30857@xxxxxxxxxx> <20080213185945.GO3692@xxxxxxxxxxx> <20080214160056.GA30910@xxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.13 (2006-08-11) 
Hi Ligesh,

On Thu, Feb 14, 2008 at 09:30:56PM +0530, Ligesh wrote:
> On Wed, Feb 13, 2008 at 06:59:45PM +0000, Andy Smith wrote:
> > You need to use --physdev since this is a bridge.
> 
> Thanks a lot for the answer. The problem is that I am not seeing any packet 
> at all going through in the forward chain.

It works for me, so our configurations must be different.

>  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination
>     0     0 DROP       all  --  any    any     anywhere             anywhere  
>           PHYSDEV match --physdev-in vifxenv0
>   0     0 DROP       all  --  any    any     anywhere             anywhere    
>         PHYSDEV match --physdev-in vifxenv0

What is vifxenv0?

With a rule like:

        iptables -A FORWARD -m physdev --physdev-in peth0 --physdev-out v-foo 
-j domu_foo_in

I see traffic from the outside world coming in to the domU on
interface v-foo and make it jump to a chain called domu_foo_in.

With:

        iptables -A FORWARD -m physdev --physdev-in v-foo --physdev-out peth0 
-j domu_foo_out

I see traffic from the domU on interface v-foo destined for outside
world.

There are some additional complications in matching dom0->domU and
domU->domU traffic.

What is your /proc/sys/net/bridge/bridge-nf-call-iptables set to?
It should be 1.

Cheers,
Andy

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-users] kernel panic, john bryant
Next by Date:  Re: [Xen-users] xen vif rate limit, Andy Smith
Previous by Thread:  [Xen-users] Re: Blocking DomU NetBios, Ligesh
Next by Thread:  [Xen-users] GPL PV smp support, Maxime Pierron
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy