
Re: [Xen-users] Implementing firewall functionality in dom0 host on behalf of domU guests


  • To: xen-users@xxxxxxxxxxxxx
  • From: Andrew Finkenstadt <andy@xxxxxxxxxxxxxxx>
  • Date: Tue, 15 May 2012 16:29:48 -0500
  • Delivery-date: Tue, 15 May 2012 21:31:25 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>

On Tue, May 15, 2012 at 11:31 AM, Andrew Finkenstadt <andy@xxxxxxxxxxxxxxx> wrote:
On Tue, May 15, 2012 at 10:43 AM, Andrew Finkenstadt <andy@xxxxxxxxxxxxxxx> wrote:
My actual question (of how to do the same under CentOS 5.8 + GITCO_Xen_4.1.2) will be a followup to this posting.

The output from "iptables -L -n -v" is subtly different, related to physdev matching.


Under CentOS xen 3.1, 

Chain FORWARD (policy ACCEPT 1957M packets, 291G bytes)
 pkts bytes target     prot opt in     out     source               destination
1952M  290G XYZZY      all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in peth0 --physdev-out XYZZY
2306M   13T ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in XYZZY


Under CentOS xen 4.1.2,

[root@xm00 ~]# iptables -L -n -v
Chain FORWARD (policy ACCEPT 16 packets, 3564 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged


What changes are necessary for the FORWARD chain to run the XYZZY firewall matching rules BEFORE passing on the packets in the ACCEPT rules?



The correct command is:

iptables -I FORWARD -m physdev --physdev-in $IF_IN -j $RULENAME

--Andy

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
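The following script is an added example, not code from the thread or from the Xen project. It packages Andy's answer (use -I rather than -A so the jump to the private chain sits above the per-vif ACCEPT rules that the Xen 4.1.2 vif script adds) and adds the check a dom0 administrator would want afterwards: a parser for the `iptables -L FORWARD -n -v` listing shown in the thread that confirms the jump really is evaluated first. The chain name XYZZY and the interface vif1.0 are taken from the thread; the function names, the IPTABLES override and the sample policy inside the chain are assumptions made here. Since the vif script itself inserts its ACCEPT rules at the head of FORWARD when the guest comes online, run this after the guest is up (or from a vif-script hook) and let the check confirm the order.

```sh
#!/bin/sh
# Added example (not from the thread): dispatch a domU's bridged traffic to a
# private firewall chain BEFORE the per-vif ACCEPT rules added by the Xen
# 4.1.2 vif script.  XYZZY and vif1.0 come from the thread; function names,
# the IPTABLES override and the policy in the chain are assumptions.
IPTABLES="${IPTABLES:-iptables}"   # point at a wrapper that prints its args for a dry run

# Create the guest's chain (flush it if it already exists) and fill it with a
# constructed sample policy: let replies through, allow SSH and HTTP to the
# guest, log and drop the rest.  RETURN hands a packet back to FORWARD, where
# the vif script's own ACCEPT rule then takes it.
setup_chain() {
    chain="$1"
    $IPTABLES -N "$chain" 2>/dev/null || $IPTABLES -F "$chain"
    $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j RETURN
    $IPTABLES -A "$chain" -p tcp --dport 22 -j RETURN
    $IPTABLES -A "$chain" -p tcp --dport 80 -j RETURN
    $IPTABLES -A "$chain" -j LOG --log-prefix "$chain drop: "
    $IPTABLES -A "$chain" -j DROP
}

# Insert the jumps at position 1 of FORWARD.  "-A" would land below the vif
# script's "--physdev-in vifN.0 --physdev-is-bridged -j ACCEPT" rule and the
# chain would never be consulted.  --physdev-out is only usable in FORWARD
# for bridged frames, so it is combined with --physdev-is-bridged.
dispatch_to_chain() {
    vif="$1"; chain="$2"
    $IPTABLES -I FORWARD 1 -m physdev --physdev-is-bridged --physdev-in "$vif" -j "$chain"
    $IPTABLES -I FORWARD 1 -m physdev --physdev-is-bridged --physdev-out "$vif" -j "$chain"
}

# Check: read "iptables -L FORWARD -n -v" output on stdin and succeed only if
# a jump to CHAIN for VIF is listed before any ACCEPT rule for VIF.  Field 3
# of a rule line is the target; the vif name is matched as a whole word so
# that vif1.0 is not confused with vif11.0.
jump_precedes_accept() {
    vif="$1"; chain="$2"
    awk -v vif="$vif" -v chain="$chain" '
        /^Chain / || $3 == "target" { next }
        index(" " $0 " ", " " vif " ") == 0 { next }
        $3 == chain && !jump { jump = NR }
        $3 == "ACCEPT" && !acc { acc = NR }
        END { exit (jump && (!acc || jump < acc)) ? 0 : 1 }'
}

install_domu_firewall() {
    vif="$1"; chain="$2"
    setup_chain "$chain"
    dispatch_to_chain "$vif" "$chain"
    $IPTABLES -L FORWARD -n -v | jump_precedes_accept "$vif" "$chain" ||
        echo "WARNING: $chain is not consulted before the ACCEPT rules for $vif" >&2
}

# Usage: sh domu-fw.sh install vif1.0 XYZZY   (run after the guest is online)
case "${1:-}" in
    install) install_domu_firewall "$2" "$3" ;;
esac
```

The iptables shipped with CentOS 5 has no `-C` (check) option, so running the install twice inserts a second pair of jumps; delete the old ones with `-D` first, or re-run the listing check rather than the install. The 3.1 listing in the thread shows the same idea with the chain matched on `--physdev-out`, which on 4.1.2 requires the extra `--physdev-is-bridged` flag.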
