[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] iptables filter on specific bridge port only

To: xen-users@xxxxxxxxxxxxxxxxxxx
From: Diego Alvarez <arcane.lord@xxxxxxxxx>
Date: Fri, 19 May 2006 09:10:34 -0400
Delivery-date: Fri, 19 May 2006 06:12:50 -0700
List-id: Xen user discussion <xen-users.lists.xensource.com>

On Fri, May 19, 2006 at 01:58:34PM +0100, Fischer, Anna wrote:
> I'd like to set up some filter rules in Dom0 to control network traffic
> of my other domains. I use iptables, my network setup is the standard
> Xen setup. Is it correct that if I want to filter traffic only on a
> specific domain interface (e.g. vif1.0), then I have to use the
> '--physdev' option instead of the '-i' or '-o' options? Or is there any
> other possibility to do this filtering?
 
Yes, -i and -o will match the bridge interface. In fact, if you have peth0
and vif1.0 connected to bridge xenbr0, then a communication from peth0
to vif1.0 will match "-i xenbr0" and "-o xenbr0". But it will match
"--physdev-in peth0" and "--physdev-out vif1.0" too.


> Anna
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

References:
- [Xen-users] iptables filter on specific bridge port only
  - From: Fischer, Anna

Prev by Date: [Xen-users] iptables filter on specific bridge port only
Next by Date: [Xen-users] Linux Kernel 2.4?
Previous by thread: [Xen-users] iptables filter on specific bridge port only
Next by thread: [Xen-users] Linux Kernel 2.4?
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.