Re: [Xen-users] Implementing firewall functionality in dom0 host on behalf of domU guests
- To: xen-users@xxxxxxxxxxxxx
- From: Andrew Finkenstadt <andy@xxxxxxxxxxxxxxx>
- Date: Thu, 24 May 2012 18:23:12 -0500
- Delivery-date: Thu, 24 May 2012 23:25:00 +0000
- List-id: Xen user discussion <xen-users.lists.xen.org>
On Tue, May 15, 2012 at 4:29 PM, Andrew Finkenstadt <andy@xxxxxxxxxxxxxxx> wrote:
On Tue, May 15, 2012 at 10:43 AM, Andrew Finkenstadt <andy@xxxxxxxxxxxxxxx> wrote:
My actual question (of how to do the same under CentOS 5.8 + GITCO_Xen_4.1.2) will be a followup to this posting.
The output from "iptables -L -n -v" is subtly different, related to physdev matching.
Under CentOS xen 3.1,
Chain FORWARD (policy ACCEPT 1957M packets, 291G bytes)
pkts bytes target prot opt in out source destination
1952M 290G XYZZY all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in peth0 --physdev-out XYZZY
Under CentOS xen 4.1.2,
[root@xm00 ~]# iptables -L -n -v
Chain FORWARD (policy ACCEPT 16 packets, 3564 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged
What changes are necessary for the FORWARD chain to run the XYZZY firewall matching rules BEFORE passing on the packets in the ACCEPT rules?
The correct command is:
iptables -I FORWARD -m physdev --physdev-in $IF_IN -j $RULENAME
And if you run more than one set of firewall rules on a per-VM basis,
iptables -I FORWARD -m physdev --physdev-in $IF_IN --dst $VM_IP -j $RULENAME
--Andy
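The insertion Andy describes above, worked through as an added shell example that is not part of the thread: it generates the commands for a per-VM chain hooked into FORWARD with `-I` (position 1) so the chain is consulted before the vif ACCEPT rules the Xen bridge scripts install, and it includes a check that reads `iptables -L FORWARD -n -v --line-numbers` output to confirm the ordering. The interface name peth0, the address 192.0.2.10, the chain name VM_WEB and the sample listing are constructed for the example; the commands are only printed, so apply them by piping to `sh` as root after reviewing them.

```shell
#!/bin/sh
# Added example, not from the xen-users thread. Names and addresses below are
# constructed; nothing here touches the live ruleset unless piped to sh as root.

# gen_vm_rules IF_IN VM_IP CHAIN "PORT PORT ..."
#   Prints the commands for one VM: a dedicated chain that accepts replies to
#   established flows and the listed TCP ports, logs (rate-limited) and drops
#   everything else, then inserts the chain at position 1 of FORWARD.
gen_vm_rules() {
    if_in=$1; vm_ip=$2; chain=$3; ports=$4
    echo "iptables -N $chain"
    echo "iptables -F $chain"
    echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "iptables -A $chain -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"$chain drop: \""
    echo "iptables -A $chain -j DROP"
    # -I rather than -A: FORWARD is evaluated top-down and the vif ACCEPT rules
    # are already there, so an appended rule would never be reached.
    echo "iptables -I FORWARD 1 -m physdev --physdev-in $if_in --dst $vm_ip -j $chain"
}

# forward_chain_ok CHAIN  < output of "iptables -L FORWARD -n -v --line-numbers"
#   Exit 0 when CHAIN is the first rule of FORWARD (column 4 = target when
#   --line-numbers is used), exit 1 otherwise or when FORWARD has no rules.
forward_chain_ok() {
    awk -v chain="$1" '
        /^Chain FORWARD/ { in_fwd = 1; next }
        /^Chain /        { in_fwd = 0 }
        in_fwd && /^num / { next }
        in_fwd && NF > 0 && !found { found = 1; ok = ($4 == chain) }
        END { exit (found && ok) ? 0 : 1 }
    '
}

# Constructed listing showing the desired state: VM_WEB ahead of the vif rules.
sample_forward_listing() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 16 packets, 3564 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 VM_WEB     all  --  *      *       0.0.0.0/0            192.0.2.10           PHYSDEV match --physdev-in peth0
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged
EOF
}

# Usage: sh vmfw.sh peth0 192.0.2.10 VM_WEB "22 80"            (print commands)
#        sh vmfw.sh peth0 192.0.2.10 VM_WEB "22 80" | sudo sh  (apply them)
#        sudo iptables -L FORWARD -n -v --line-numbers | . ./vmfw.sh; forward_chain_ok VM_WEB
if [ $# -eq 4 ]; then
    gen_vm_rules "$1" "$2" "$3" "$4"
fi
```

Run the generator once per VM with its own chain name and address; because every rule is inserted at position 1 and each is selected by `--dst`, the order among VM chains does not matter, only that all of them precede the vif ACCEPT rules, which `forward_chain_ok` verifies for the chain you name.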
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users