Xen's network-multinet script is gaining popularity and will reportedly
be the default in the next OpenSuSE release.
The script takes the remarkable steps of clearing the Netfilter ruleset
on 'xend start' and restores it on 'xend stop'.
Given that xend is started at stage 13 and Shorewall at stage 6, this
means that 'xend start' effectively isolates the system (the stupid
script doesn't change the policies associated with the built-in chains
which are set to DENY by Shorewall).
I'm not going to change Shorewall to deal with this madness. My
recommendation is:
a) If you want to use NAT with a domU, then let Shorewall do it; don't
use Xen's NAT.
b) Either:
   Edit /etc/xen/scripts/network-multinet and delete or comment out
   all calls to 'manage_iptables'.
or
   (RPM-based systems) Edit /etc/init.d/shorewall[-lite] and change:
   # Should-Start: VMware
   to
   # Should-Start: VMware xend
Note that this last choice will start all of your servers before
starting Shorewall -- you've been warned.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
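As an added illustration, not part of Tom's post or of Shorewall, the script below detects the state he describes (rules flushed, built-in chain policies still dropping) from 'iptables -S'-style output, and applies the 'Should-Start:' edit from option b) to an init script. It assumes iptables reports Shorewall's DENY policy as DROP, and works on constructed sample rulesets and a temporary file rather than touching the live firewall or /etc/init.d.

```shell
#!/bin/sh
# Added example (not Shorewall's or Xen's code). Constructed sample: what
# 'iptables -S' shows after xend has flushed the rules but left the DROP
# policies Shorewall set on the built-in chains.
FLUSHED_RULESET='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP'

# Constructed sample: an abbreviated, healthy Shorewall ruleset.
NORMAL_RULESET='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N net2fw
-A INPUT -i eth0 -j net2fw
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT'

# check_flushed RULESET
# Succeeds (exit 0) when all three built-in filter chains have a DROP
# policy and there is not a single -A rule: the host is isolated.
check_flushed() {
    printf '%s\n' "$1" | awk '
        /^-A / { rules++ }
        /^-P (INPUT|FORWARD|OUTPUT) DROP$/ { drops++ }
        END { exit !(rules == 0 && drops == 3) }'
}

# add_xend_dependency INIT_SCRIPT
# Option b): append "xend" to the LSB "# Should-Start:" header so the
# firewall starts after xend. Idempotent: leaves the line alone if xend
# is already listed. Writes via a temp file so it works without sed -i.
add_xend_dependency() {
    if grep -Eq '^# Should-Start:.*[[:space:]]xend([[:space:]]|$)' "$1"; then
        return 0
    fi
    tmp="$1.tmp.$$"
    sed 's/^\(# Should-Start:.*\)$/\1 xend/' "$1" > "$tmp" && mv "$tmp" "$1"
}
```

On a live system, feed 'iptables -S' output to check_flushed and point add_xend_dependency at the real init script.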