Displaying 20 results from an estimated 351 matches for "physdev".
2018 Mar 25
8
Bug#894013: xen-utils-common: issue with iptables antispoofing rules in xen4.8 generated by vif-bridge and vif-common.sh
...brINT is just an internal bridge without connectivity to an
outside network to just connect all domUs and the dom0. The IP
address for the vif-test01-INT interface is 192.168.240.68.
The automatically generated rules per domU are:
1 ACCEPT all -- anywhere anywhere
PHYSDEV match --physdev-out vif-test01-INT --physdev-is-bridged
2 ACCEPT udp -- anywhere anywhere
PHYSDEV match --physdev-in vif-test01-INT --physdev-is-bridged udp
spt:bootpc dpt:bootps
3 ACCEPT all -- anywhere anywhere
PHYSDEV match --phys...
2006 Dec 14
5
blocking traffic on the FORWARD chain using physdev
Currently using physdev on a bridge to try and isolate certain paths
across and to the bridge. It all works except when trying to stop the
flow in one direction on the FORWARD chain?? Can someone please help??
Below is the testing done so far.
eth1 <---> BRIDGE <---> eth0
# Block (eth0 ---> eth1) - bloc...
2007 Jun 09
20
Shorewall 4.0.0 Beta 4
I've uploaded Beta 4. It corrects a bad bug involving exclusion in the
hosts file. In addition, it contains the first release of a new
Bridge/firewall implementation that uses the reduced-function physdev
match found in kernel 3.6.20 and 3.6.21.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-----------------------------------...
2006 Aug 31
0
[Xense-devel] [RFC][PATCH][ACM] enforcing ACM policy on network traffic between virtual network interfaces
...le with 1 bridge and 5 domains:
==========================
[root@941e-4 ~]# ip
Chain FORWARD (policy DROP 13 packets, 4302 bytes)
pkts bytes target prot opt in out source
destination
5329 445K ACCEPT all -- any any anywhere
anywhere PHYSDEV match --physdev-in peth0
1593 272K ACCEPT all -- any any anywhere
anywhere PHYSDEV match --physdev-out peth0
2 1152 ACCEPT all -- any any anywhere
anywhere PHYSDEV match --physdev-in vif1.0 --physdev-out vif0.0
1...
2010 Sep 06
1
Bug#571634: bridge losing connection
...lug br1
auto br1
iface br1 inet manual
bridge_ports eth1
These are my logs:
Sep 6 09:47:14 elise kernel: [71970.564974] br1: port 2(vif1.1)
entering disabled state
Sep 6 09:47:14 elise kernel: [71970.578040] br1: port 2(vif1.1)
entering disabled state
Sep 6 09:47:14 elise kernel: [71970.718785] physdev match: using
--physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for
non-bridged traffic is not supported anymore.
Sep 6 09:47:14 elise kernel: [71970.718797] physdev match: using
--physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for
non-bridged traffic is not supported anymo...
2007 Jan 08
0
TC on multiple nics
...erver-prerouting
/sbin/iptables -t mangle -A PREROUTING -j server-prerouting
/sbin/iptables -t mangle -A server-prerouting -j CONNMARK --restore-mark
# bridge traffic - input (eth0 -> eth1)
/sbin/tc qdisc add dev eth1 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in
eth0 --physdev-out eth1 -j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth0
--physdev-out eth1 -j server-all-chains
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0
c...
2012 Jun 03
1
need to load uhci_hcd with acpi=off
...rsion 0.5.0 (16384 buckets, 65536 max)
[ 50.457685] CONFIG_NF_CT_ACCT is deprecated and will be removed soon.
Please use
[ 50.457687] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack
module option or
[ 50.457688] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
[ 50.488368] physdev match: using --physdev-out in the OUTPUT, FORWARD
and POSTROUTING chains for non-bridged traffic is not supported anymore.
[ 50.499377] physdev match: using --physdev-out in the OUTPUT, FORWARD
and POSTROUTING chains for non-bridged traffic is not supported anymore.
[ 50.501009] physdev match...
2006 Dec 28
4
filter policy drop and allow transparent proxy
...ver riding the global
reject policy.
iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
--ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT
--to-port 8080
iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1
--physdev-out eth0 -j ACCEPT
Any help would be most welcome.
Kind Regards
William
2007 Feb 16
1
Successful IPtables config on Dom0 anyone?
Hi,
we are trying to secure our Xen boxes with IPtables on Dom0 but we always seem to get cut off and
can only cure it by rebooting the box.
Has anyone got a successful config they can share that secures the server with one nic?
We are using Xen 3.0.4
thanks
Ian
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
2007 Apr 18
2
[Bridge] Clarification regarding device matches in bridge-netfilter
Hi folks,
in 2.4 kernels, device matching for bridged packets was done with
iptables -i/-o. Since 2.6, I was used to using -m physdev here.
In 2.6.18, this seems to be more complicated. At least the filter/INPUT
chain now doesn't match with -m physdev --physdev-in anymore, but
FORWARD and OUTPUT do. I also read the note that -m physdev is now
deprecated for non-bridged traffic.
Does this mean that
1. I have to use the phy...
2010 May 04
1
Fwd: Strange network problem
...em still not solved, or any idea what's wrong.
here are some msgs:
device vif1.0 entered promiscuous mode
alloc irq_desc for 1246 on node 0
alloc kstat_irqs on node 0
brI: port 2(vif1.0) entering learning state
device vif1.1 entered promiscuous mode
brE: port 2(vif1.1) entering learning state
physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported anymore.
physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported anymore.
physdev match: using --physdev-out in the O...
2007 Oct 30
0
2 NICS - local services not shaping correctly
...terisk, squid etc) as currently the voice
only seems to be getting shaped one way when making external calls. For
example I have the rules below (these are the matching rules only not
the actual policy rules):
#Create Chain for local traffic (outbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s
193.xxx.xxx.66 -d 193.xxx.xxx.69 -j MARK --set-mark 0x44444445
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s
193.xxx.xxx.66 -d 193.xxx.xxx.69 -j RETURN
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s
193.xxx.xxx.69 -d 193.xxx.xxx....
2005 Jan 21
5
Cannot restart shorewall
Hi Tom and other gurus,
I modified SHOREWALL (version 2.0.15) for bridging and I cannot restart it.
I got the following error
...
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy REJECT for fw to loc using chain all2all
Policy DROP for net to fw using chain net2all
Policy ACCEPT for loc to fw using chain loc2fw
Policy ACCEPT for loc to net
2005 Jun 15
1
2 ips on one eth-interface in xen
...w'' ]
dhcp="off"
ip="82.149.232.51"
netmask="255.255.254.0"
gateway="82.149.232.48"
hostname= "51.xen2.ckras.com"
root = "/dev/sda1"
extra = "3"
iptables -L -n
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in eth0
ACCEPT all -- 82.149.232.51 0.0.0.0/0 PHYSDEV
match --physdev-in vif16.0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vif16.0 udp spt:68 dpt:67
82.149.232.51 works (dhcp), but 82.149.232.57 does not:
in s51/...
2012 Mar 19
4
network problems
...http://nopaste.php-q.net/194084
Now I have a connection from the PV domain to dom0 and the Windows HVM, but no
connection between the physical network and the PV domain. But the HVM and
the Dom0 have a connection to the physical network.
I found a workaround, but it didn't work
iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!'eth0
-j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!'eth0
-j ACCEPT
How can I get a connection between the physical network and the PV domains?
2005 Nov 24
2
so close! just an iptables rule away.....?
...in the
wiki
# iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
8216 809K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in eth1 ! --physdev-out eth1
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match ! --physdev-in eth1 --physdev-out eth1
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
1844 216K...
2006 Jan 28
3
Shorewall/Xen setup (correct from-address this time)
....0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 fw2all all -- * xenbr0 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vif0.0
0 0 fw2all all -- * xenbr0 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vif+
0 0 fw2all all -- * xenbr0 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out peth0
0 0 fw2all all -...
2017 Apr 04
0
[Bug 1143] New: physdev extension not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1143
Bug ID: 1143
Summary: physdev extension not working
Product: iptables
Version: 1.4.x
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter...
2011 Apr 14
3
Debian Squeeze hangs with kernel 2.6.32-5-xen-686
...version 0.5.0 (16384 buckets, 65536 max)
[ 42.418810] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
[ 42.418814] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
[ 42.418818] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
[ 42.442587] physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
[ 42.461135] physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
[ 42.464470] physdev match:...