Re: [Xen-users] Xen 3.4.2 networking help

Jonathan Tripathy wrote:

The biggest issue with iptables and bridging is that you cannot restrict traffic which is outbound from the machine with the bridge (ie your Dom0) - you can restrict/control all inbound and forwarded traffic.

I'm not sure what you mean by this? On my Xen nodes, I have 2 NICs. NIC1 is connected to a public bridge (which has no IP assigned) which all the DomUs are connected to. I use ebtables and iptables to make sure that no traffic from NIC1 can get onto the INPUT chain of the Dom0. NIC2 is connected to a private bridge to which my Dom0 has an IP assigned. I also have some private DomUs connected to this bridge.

When a bridge is involved, there is a problem with physdev match (if I recall correctly) which means that outbound traffic on the firewall machine cannot be filtered because of the sequence in which the net stack does operations. The practical result is that you cannot apply rules filtering traffic which originates on the firewall and leaves via a bridge interface. I vaguely recall it's to do with the matching/filtering happening before the outbound interface is determined - and that in turn is related to requirements for handling VPN traffic. You can still filter inbound traffic, and you can still forward transiting traffic - it's only outbound traffic that originates on the firewall that is a problem.

That is my understanding from following the Shorewall list for some time.

Unfortunately, to do this will mean running iptables/ebtables scripts each time you start a guest and its new VIFs are configured. I'm not aware of any pre-existing scripts to do this.
I have made scripts to do this on my setup. It's very easy. You have to create a new vif-bridge file for each DomU in /etc/xen/scripts (vif-bridge-x) and set the DomU config to use the respective file. Then in each vif-bridge-x file, comment out "handle_iptable" and call another script (iptables-up-x and iptables-down-x) which runs the correct iptables commands. You could also put the iptables calls directly in the vif-bridge-x file, however I keep them separate just to keep things neat. It also means I can call my iptables-up-x and iptables-down-x scripts without rebooting the DomU. I have also given each DomU an incoming chain and an outgoing chain, meaning I can add rules easily which only apply to each DomU. I make heavy use of physdev.

I don't have a need for this myself at the moment. It might well be useful to others if you could upload examples to the Wiki - IIRC this question has come up several times in various forms.
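As an added example (not the scripts from this thread, which were not posted), here is what an iptables-up-x/iptables-down-x pair in the style described could look like: per-guest "in" and "out" chains reached by physdev jumps from FORWARD and INPUT only, since Dom0-originated traffic cannot be matched on its bridge port. The functions take the vif name and a guest label as arguments; the hook dispatch at the bottom assumes Xen's vif-bridge convention (action in $1, vif name exported in $vif), and IPT=echo previews the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's own scripts: an iptables-up-x/iptables-down-x
# pair for one DomU, called from its vif-bridge-x hook in place of handle_iptable.
# IPT=echo prints the commands instead of applying them.
IPT="${IPT:-iptables}"
DOMU="${DOMU:-guest1}"   # constructed label; each DomU gets its own copy of this script

# Create <label>-in / <label>-out chains and jump to them with physdev match.
# Only INPUT and FORWARD are hooked: traffic originating on Dom0 itself cannot be
# matched on its bridge port, so no OUTPUT rules are attempted here.
domu_chains_up() {
    vif="$1"; name="$2"
    "$IPT" -N "${name}-in"
    "$IPT" -N "${name}-out"
    # Frames entering the bridge from the guest's vif: the guest's outgoing traffic.
    "$IPT" -I FORWARD -m physdev --physdev-in "$vif" -j "${name}-out"
    # Frames leaving the bridge via the guest's vif: the guest's incoming traffic.
    "$IPT" -I FORWARD -m physdev --physdev-out "$vif" -j "${name}-in"
    # Nothing arriving from the guest's vif may reach Dom0's own INPUT chain.
    "$IPT" -I INPUT -m physdev --physdev-in "$vif" -j DROP
    # Per-guest policy: replies in, everything out; guest-specific rules go above these.
    "$IPT" -A "${name}-in" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A "${name}-in" -j DROP
    "$IPT" -A "${name}-out" -j ACCEPT
}

# Undo in reverse order: remove the jumps first, then flush and delete the chains.
domu_chains_down() {
    vif="$1"; name="$2"
    "$IPT" -D FORWARD -m physdev --physdev-in "$vif" -j "${name}-out"
    "$IPT" -D FORWARD -m physdev --physdev-out "$vif" -j "${name}-in"
    "$IPT" -D INPUT -m physdev --physdev-in "$vif" -j DROP
    "$IPT" -F "${name}-in";  "$IPT" -X "${name}-in"
    "$IPT" -F "${name}-out"; "$IPT" -X "${name}-out"
}

# Hook dispatch: vif-bridge-x passes online/offline as $1 and exports $vif.
case "${1:-}" in
    online)  domu_chains_up   "${vif:-}" "$DOMU" ;;
    offline) domu_chains_down "${vif:-}" "$DOMU" ;;
esac
```

Running the up function again without the down function first will fail on the duplicate -N, which is a useful signal that the hook ran twice for the same guest.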

