This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-users] iptables problem

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] iptables problem
From: Ivan Lisenkov <ivan@xxxxxxxxx>
Date: Tue, 13 Oct 2009 14:31:52 +0400
Delivery-date: Tue, 13 Oct 2009 03:33:00 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Dear xen users,

I am using xen 3.3.1 on opensuse 11.1. After creating a domU with 2 nics two iptables rules are created by default:

-A FORWARD -s XX.XX.XX.24/32 -m physdev  --physdev-in vif77.0 -j ACCEPT
-A FORWARD -p udp -m physdev  --physdev-in vif77.0 -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -s XX.XX.XX.25/32 -m physdev  --physdev-in vif77.1 -j ACCEPT
-A FORWARD -p udp -m physdev  --physdev-in vif77.1 -m udp --sport 68 --dport 67 -j ACCEPT

The rules seem logical, but one of them does not work! I can't ping XX.XX.XX.24 from outside. But if I change the rule manually to:

-A FORWARD -s -m physdev  --physdev-in vif77.1 -j ACCEPT

everything works. This seems illogical, because the first IP is bound to the second NIC, but it works. The problem is that I have to change the rules every time I reboot the domU.

Any ideas how to fix it?
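
As an added example (not from the post, and not Xen's own vif-bridge scripts), here is a small Python check that parses the per-vif FORWARD antispoofing rules in iptables-save format and compares them with the vif-to-IP binding the administrator intends, so a rule that accepts an address on the wrong vif is reported instead of being discovered by a failed ping. The sample rules, the TEST-NET addresses standing in for XX.XX.XX.24/.25, and the "intended" mapping are all constructed; the regex tolerates the doubled space shown in the quoted rules.

```python
import re

# Constructed sample in iptables-save format, modelled on the post's rules (TEST-NET addresses stand in for XX.XX.XX.24/.25).
RULES_AS_CREATED = """\
-A FORWARD -s 192.0.2.24/32 -m physdev --physdev-in vif77.0 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vif77.0 -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -s 192.0.2.25/32 -m physdev --physdev-in vif77.1 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vif77.1 -m udp --sport 68 --dport 67 -j ACCEPT
"""

# Constructed: the state after the first rule has been edited by hand to use vif77.1 instead of vif77.0.
RULES_AFTER_MANUAL_EDIT = """\
-A FORWARD -s 192.0.2.24/32 -m physdev --physdev-in vif77.1 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vif77.0 -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -s 192.0.2.25/32 -m physdev --physdev-in vif77.1 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vif77.1 -m udp --sport 68 --dport 67 -j ACCEPT
"""

# Matches the per-vif source-address ACCEPT rule; \s+ tolerates the doubled space seen in the post.
ANTISPOOF_RE = re.compile(
    r"^-A FORWARD -s (?P<src>\S+) -m physdev\s+--physdev-in (?P<vif>\S+) -j ACCEPT$")

def allowed_sources(rules_text):
    """Return {vif: set(of source IPs)} that the FORWARD antispoof rules accept from each vif."""
    allowed = {}
    for line in rules_text.splitlines():
        m = ANTISPOOF_RE.match(line.strip())
        if not m:
            continue  # the DHCP (68->67) rules and unrelated rules are not address bindings
        src = m.group("src")
        ip = src[:-3] if src.endswith("/32") else src  # keep a plain host address
        allowed.setdefault(m.group("vif"), set()).add(ip)
    return allowed

def check_binding(rules_text, expected):
    """Compare the live rules with the intended {vif: ip} binding (assumed to come from the
    domU config); return a sorted list of discrepancy strings, empty when everything matches."""
    allowed = allowed_sources(rules_text)
    problems = []
    for vif in sorted(set(expected) | set(allowed)):
        want = expected.get(vif)
        got = allowed.get(vif, set())
        if want is not None and want not in got:
            problems.append(f"{vif}: expected {want}, rules accept {sorted(got) or 'nothing'}")
        for ip in sorted(got - ({want} if want else set())):
            problems.append(f"{vif}: accepts {ip}, which is not bound to this vif")
    return problems

# Report for the hand-edited state against a constructed intended binding.
print(check_binding(RULES_AFTER_MANUAL_EDIT, {"vif77.0": "192.0.2.24", "vif77.1": "192.0.2.25"}))
```

On a real host, feed it the output of `iptables-save -t filter` and the vif-to-IP mapping taken from the domU config.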
