WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-users] frob_iptable not getting called for network-bridge?

from [Matthew Law] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] frob_iptable not getting called for network-bridge?
From: "Matthew Law" <matt@xxxxxxxxxxxxxxxxxx>
Date: Tue, 15 Dec 2009 11:31:34 -0000
Delivery-date: Tue, 15 Dec 2009 03:32:16 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
Importance: Normal
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Reply-to: matt@xxxxxxxxxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: SquirrelMail/1.4.19 
Hi list,

I have a CentOS Xen 3.4.2 dom0 setup with:

(network-script 'network-bridge netdev=eth0 antispoof=yes')

and:

(vif-script vif-bridge)

The problem is that newly created domUs are firewalled (the FORWARD chain
policy is DROP).

Looking at the scripts in /etc/xen/scripts, shouldn't the frob_iptable
function should take care of adding the correct rules to permit access to
the domU IP?  Or have I missed something?

Here is the output of 'brctl show' with  guests running:

[root@mydom0 xen]# brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.003048d9edf6       no              vifdomu1
                                                        vifdomu2
                                                        peth0

and here is the output of 'iptables -L':

[root@mydom0 xen]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match
--physdev-in peth0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I drop the FORWARD rules and set it to ACCEPT by default, domU
networking starts to work, but I would rather do it right.


Thanks in advance,

Matt


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-users] frob_iptable not getting called for network-bridge?, Matthew Law <=
Previous by Date:  Re: [Xen-users] Prohibit to run Xen inside guest VM?, Rob MacGregor
Next by Date:  Re: [Xen-users] pv_ops domU crashes on pv_ops dom0 (directly at boot), Markus Schuster
Previous by Thread:  [Xen-users] 2008 GPLPV + Sysprep /generalize, Nathan O'Sullivan
Next by Thread:  [Xen-users] Nvidia drivers in Dom0 results in blank screen, Brandon Turner
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy