
Re: [Xen-users] Re: Blocking DomU NetBios


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Andy Smith <andy@xxxxxxxxxxxxxx>
  • Date: Sat, 16 Feb 2008 04:27:01 +0000
  • Delivery-date: Fri, 15 Feb 2008 20:27:42 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc

Hi Ligesh,

On Thu, Feb 14, 2008 at 09:30:56PM +0530, Ligesh wrote:
> On Wed, Feb 13, 2008 at 06:59:45PM +0000, Andy Smith wrote:
> > You need to use --physdev since this is a bridge.
> 
> Thanks a lot for the answer. The problem is that I am not seeing any packet 
> at all going through in the forward chain.

It works for me, so our configurations must be different.

>  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-in vifxenv0
>     0     0 DROP       all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-in vifxenv0

What is vifxenv0?

With a rule like:

        iptables -A FORWARD -m physdev --physdev-in peth0 --physdev-out v-foo -j domu_foo_in

I see traffic from the outside world coming in to the domU on
interface v-foo and make it jump to a chain called domu_foo_in.

With:

        iptables -A FORWARD -m physdev --physdev-in v-foo --physdev-out peth0 -j domu_foo_out

I see traffic from the domU on interface v-foo destined for the outside
world.

There are some additional complications in matching dom0->domU and
domU->domU traffic.

What is your /proc/sys/net/bridge/bridge-nf-call-iptables set to?
It should be 1.

Cheers,
Andy
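A small helper, added here as an example and not part of Andy's mail, that generates the per-domU FORWARD chains he describes and checks the bridge-nf-call-iptables sysctl he asks about. The names peth0, v-foo and domu_foo_in/out come from the mail; the NetBIOS port list (UDP 137/138, TCP 139/445), the multiport match and the script layout are my assumptions.

```shell
#!/bin/sh
# Per-domU bridge filtering on a Xen dom0 using physdev matches.
# Assumptions (not from the mail): uplink is peth0, NetBIOS means
# UDP 137/138 and TCP 139/445. Output is a dry run; pipe to sh as root
# to apply. Note that domU<->domU traffic on the same bridge never
# crosses peth0, so these two FORWARD rules do not see it.

PHYS_IF="${PHYS_IF:-peth0}"

# Print the iptables commands for one domU: vif name and short label.
domu_rules() {
    vif="$1"; name="$2"
    cat <<EOF
iptables -N domu_${name}_in
iptables -N domu_${name}_out
iptables -A FORWARD -m physdev --physdev-in ${PHYS_IF} --physdev-out ${vif} -j domu_${name}_in
iptables -A FORWARD -m physdev --physdev-in ${vif} --physdev-out ${PHYS_IF} -j domu_${name}_out
iptables -A domu_${name}_out -p udp -m multiport --dports 137,138 -j DROP
iptables -A domu_${name}_out -p tcp -m multiport --dports 139,445 -j DROP
iptables -A domu_${name}_out -j RETURN
EOF
}

# Return 0 only when bridged frames are handed to iptables (sysctl is 1).
# The path argument exists so the check can be run against a test file.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Example use: rules for the domU on v-foo, labelled foo.
# domu_rules v-foo foo
# bridge_nf_enabled || echo "bridge-nf-call-iptables is not 1; FORWARD will see nothing"
```

Run `domu_rules v-foo foo | sh` as root to apply, after confirming `bridge_nf_enabled` succeeds.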

