As for the physdev part:
It appears to me that at least starting 4.0.1-rc6, some part of Xen tries its
best to set up FORWARD chain firewall rules per VM to support scenarios where
the default FORWARD chain policy is not ACCEPT.
The rules allow DHCP in particular, as well as other traffic.
These rules do not suit my needs too well, but then again, not everyone who sets
up Xen wants to learn how to use IPTABLES -- and you'll see a LOT of
garbage traffic once your NIC is in promiscuous mode. You need additional Dom0
FORWARD rules if your VMs use a virtual IP address, and you also want to
restrict the traffic which the Xen-made bridge allows.
Both aspects are not a problem; you can allow more traffic in Dom0's
FORWARD chain (which is used for the bridge), and you can restrict traffic in
the DomU's IPTABLES firewall. Hence, I decided to silently live with
this default setup (e.g. why allow DHCP packets for a VM with a static IP
address?). I trust the maintainers will switch to different bridge rules soon. As
I said, I don't need them but they won't do much harm.
As for the ACCT warning:
As far as I see, it's only a warning, and I presume it originates from
one IPTABLES module using another. Will certainly be addressed in the future.
Happy Xenning!
-------- Original Message --------
> Date: Tue, 31 Aug 2010 08:54:51 -0700
> From: ShaunR <mailinglists@unix-scripts.com>
> To: xen-users@lists.xensource.com
> Subject: [Xen-users] errors when xend starts
> When starting xend I see the following errors on the console.  I'm
> running CentOS 5 as the operating system with kernel 2.6.32.18 from 
> 4.0.1's `make prep-kernels`
> 
> 
> Below is a log, the things I'm concerned with are the XENBUS errors
> and the deprecated iptables stuff.  Any ideas what's going on here?
> 
> ----------------------------------------------------
> Bridge firewalling registered
> ADDRCONF(NETDEV_UP): peth0: link is not ready
> igb: peth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
> ADDRCONF(NETDEV_CHANGE): peth0: link becomes ready
> device peth0 entered promiscuous mode
> eth0: port 1(peth0) entering forwarding state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> XENBUS: Unable to read cpu state
> peth0: no IPv6 routers present
> eth0: no IPv6 routers present
> device vif1.0 entered promiscuous mode
> eth0: port 2(vif1.0) entering forwarding state
> ip_tables: (C) 2000-2006 Netfilter Core Team
> nf_conntrack version 0.5.0 (8024 buckets, 32096 max)
> CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
> nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
> sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
> physdev match: using --physdev-out in the OUTPUT, FORWARD and 
> POSTROUTING chains for non-bridged traffic is not supported anymore.
> ----------------------------------------------------
> 
> 
> ~ShaunR
> 
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
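The reply above describes per-VM FORWARD rules on the Dom0 bridge and asks why a static-IP guest should be allowed to send DHCP at all. The script below is an added example, not Xen's own vif-bridge/vif-common.sh logic, of how a tighter per-vif rule set can be expressed: a guest with a known IPv4 address gets source-pinned ACCEPT rules and an explicit DROP for everything else (so its DHCP DISCOVER, sourced from 0.0.0.0, is dropped), while a DHCP guest keeps the permissive accept-in/accept-out pair. Every rule carries `--physdev-is-bridged`, which restricts the physdev match to frames the bridge is actually forwarding; the "using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore" line in the quoted log is what xt_physdev prints when `--physdev-out` is used in those chains without that option. The vif name `vif1.0` and the addresses in the 203.0.113.0/24 documentation range are assumptions for illustration; the `DRY_RUN` switch is this script's own convention.

```shell
#!/bin/sh
# Per-vif FORWARD rules for a Xen-style Linux bridge in Dom0.
# Added example; this is not Xen's vif-bridge / vif-common.sh code.
#
# Usage:  sh vif-fw.sh {add|del} VIF [IPv4 ...]
#         DRY_RUN=1 prints the iptables commands instead of running them.
#
# Bridged frames only reach the iptables FORWARD chain when br_netfilter
# is loaded ("Bridge firewalling registered" in the log) and
#   sysctl net.bridge.bridge-nf-call-iptables=1
# is set.

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# vif_rules OP VIF [ADDR ...]
#   OP    -A to install, -D to remove (the same argument order works for both)
#   VIF   the backend interface created for the guest, e.g. vif1.0 (assumed name)
#   ADDR  the guest's static IPv4 address(es); none means "DHCP guest"
#
# --physdev-is-bridged limits each rule to frames the bridge is forwarding;
# without it, --physdev-out in FORWARD triggers the xt_physdev warning
# quoted in the original message.
vif_rules() {
    op=$1; vif=$2; shift 2

    if [ $# -eq 0 ]; then
        # DHCP guest: there is no address to pin the source to, so accept
        # both directions (the permissive behaviour described in the reply).
        ipt "$op" FORWARD -m physdev --physdev-in "$vif" --physdev-is-bridged -j ACCEPT
        ipt "$op" FORWARD -m physdev --physdev-out "$vif" --physdev-is-bridged -j ACCEPT
        return 0
    fi

    for addr in "$@"; do
        # Anti-spoofing: only IPv4 frames sourced from the assigned address
        # may leave this vif, and only frames addressed to it may enter.
        ipt "$op" FORWARD -m physdev --physdev-in "$vif" --physdev-is-bridged -s "$addr" -j ACCEPT
        ipt "$op" FORWARD -m physdev --physdev-out "$vif" --physdev-is-bridged -d "$addr" -j ACCEPT
    done

    # Everything else from or to the vif is dropped explicitly.  A DHCP
    # DISCOVER from a static-IP guest is sourced from 0.0.0.0, so it never
    # matches the -s rule above and ends up here.
    ipt "$op" FORWARD -m physdev --physdev-in "$vif" --physdev-is-bridged -j DROP
    ipt "$op" FORWARD -m physdev --physdev-out "$vif" --physdev-is-bridged -j DROP
}

# Command-line entry point, e.g. "add vif1.0 203.0.113.10" at domain start
# and "del vif1.0 203.0.113.10" at shutdown; with no arguments it does nothing.
case "${1:-}" in
    add) shift; vif_rules -A "$@" ;;
    del) shift; vif_rules -D "$@" ;;
esac
```

Run it from the vif hotplug path so the vif name is known, and call it with `del` and the same addresses on teardown so the rules do not accumulate. The source pin is IPv4-only: ARP and IPv6 frames from the guest are not examined by these rules and need ebtables or ip6tables, and a guest that forges its MAC address is a bridge-level problem that iptables does not address.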