
Re: [Xen-devel] iptables filtering when bridging

  • To: "Mark McLoughlin" <markmc@xxxxxxxxxx>
  • From: David <big.raiders.fan@xxxxxxxxx>
  • Date: Thu, 10 May 2007 09:35:44 -0400
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 10 May 2007 06:34:06 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

On 5/10/07, Mark McLoughlin <markmc@xxxxxxxxxx> wrote:

> On Wed, 2007-05-09 at 10:04 -0400, David wrote:
>
> >   Based on http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png,
> > the packet appears to be going the right way, but I can't make it go
> > any further.
> > Is it possible to have the packets go through the iptables Filter
> > tables in Dom0?
>
>         Yep, packets should be going through iptables as they traverse the
> bridge in Dom0 (as the diagram shows), unless it's explicitly disabled.
> What does:
>
>   $> sysctl net.bridge.bridge-nf-call-iptables
>
>         show? (It should be "1")

It is showing "1". Based on my iptables logging, I do see the packet going through iptables' Mangle and NAT PREROUTING chains. It then goes into ebtables' Filter INPUT chain, and then there is no more logging.
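An added example, not part of the thread, of how the symptom above can be localised from kernel log output: with a LOG rule (`--log-prefix`) in each chain a bridged frame traverses on its way to Dom0 itself, the script reports the furthest hook each flow reached and the next hook it never hit. The hook order is assumed here from the linked PacketFlow diagram with bridge-nf-call-iptables set to 1, and the prefix names and log lines are constructed for the example.

```python
import re

# Hooks a bridged frame delivered to Dom0 itself passes, in the order assumed
# here from the ebtables PacketFlow diagram with bridge-nf-call-iptables=1.
# Each name is the --log-prefix assumed on a LOG rule in that chain.
HOOK_ORDER = [
    "ebt-broute",      # ebtables broute BROUTING
    "ipt-mangle-PRE",  # iptables mangle PREROUTING (absent if the sysctl is 0)
    "ipt-nat-PRE",     # iptables nat PREROUTING (via bridge-nf)
    "ebt-nat-PRE",     # ebtables nat PREROUTING
    "ebt-filter-IN",   # ebtables filter INPUT, after the bridging decision
    "ipt-mangle-IN",   # iptables mangle INPUT
    "ipt-filter-IN",   # iptables filter INPUT
]
HOOK_INDEX = {name: i for i, name in enumerate(HOOK_ORDER)}

# The prefix is the token before " IN="; iptables logs "SRC=a DST=b", ebtables
# --log-ip logs "IP SRC=a IP DST=b,".
PREFIX_RE = re.compile(r"(\S+) IN=")
ADDR_RE = re.compile(r"SRC=([0-9.]+).*?DST=([0-9.]+)")

# Constructed kernel log: 10.0.0.5 stops after ebtables INPUT (the symptom
# described in the thread), 10.0.0.6 reaches iptables filter INPUT.
SAMPLE_LOG = """\
May 10 09:30:01 dom0 kernel: ipt-mangle-PRE IN=xenbr0 PHYSIN=vif1.0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=84 TTL=64 ID=4321 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May 10 09:30:01 dom0 kernel: ipt-nat-PRE IN=xenbr0 PHYSIN=vif1.0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=84 TTL=64 ID=4321 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May 10 09:30:01 dom0 kernel: ebt-filter-IN IN=vif1.0 OUT= MAC source = 00:16:3e:00:00:02 MAC dest = 00:16:3e:00:00:01 proto = 0x0800 IP SRC=10.0.0.5 IP DST=10.0.0.1, IP tos=0x00, IP proto=1
May 10 09:30:02 dom0 kernel: ipt-filter-IN IN=xenbr0 PHYSIN=vif2.0 OUT= SRC=10.0.0.6 DST=10.0.0.1 LEN=60 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=22 SYN
"""


def last_hook_seen(lines):
    """Map (src, dst) to the furthest hook in HOOK_ORDER that logged it."""
    seen = {}
    for line in lines:
        pm, am = PREFIX_RE.search(line), ADDR_RE.search(line)
        if not pm or not am or pm.group(1) not in HOOK_INDEX:
            continue  # not one of our LOG rules
        idx = HOOK_INDEX[pm.group(1)]
        if idx > seen.get(am.groups(), -1):
            seen[am.groups()] = idx
    return {flow: HOOK_ORDER[i] for flow, i in seen.items()}


def missing_hook(lines):
    """Per flow: the hook after the furthest one seen, or None if it passed all."""
    out = {}
    for flow, hook in last_hook_seen(lines).items():
        nxt = HOOK_INDEX[hook] + 1
        out[flow] = HOOK_ORDER[nxt] if nxt < len(HOOK_ORDER) else None
    return out
```

A flow whose first logged hook is ebt-broute but which never shows ipt-mangle-PRE points back at the sysctl check above; a flow that stops at ebt-filter-IN points at the ebtables INPUT rules or policy rather than at iptables.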

Xen-devel mailing list