Fischer, Anna
2006-May-19 12:58 UTC
[Xen-users] iptables filter on specific bridge port only
I'd like to set up some filter rules in Dom0 to control network traffic of my other domains. I use iptables, my network setup is the standard Xen setup. Is it correct that if I want to filter traffic only on a specific domain interface (e.g. vif1.0), then I have to use the '--physdev' option instead of the '-i' or '-o' options? Or is there any other possibility to do this filtering?

Anna

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Diego Alvarez
2006-May-19 13:10 UTC
Re: [Xen-users] iptables filter on specific bridge port only
On Fri, May 19, 2006 at 01:58:34PM +0100, Fischer, Anna wrote:
> I'd like to set up some filter rules in Dom0 to control network traffic
> of my other domains. I use iptables, my network setup is the standard
> Xen setup. Is it correct that if I want to filter traffic only on a
> specific domain interface (e.g. vif1.0), then I have to use the
> '--physdev' option instead of the '-i' or '-o' options? Or is there any
> other possibility to do this filtering?

Yes, -i and -o will match the bridge interface. In fact, if you have peth0 and vif1.0 connected to bridge xenbr0, then a communication from peth0 to vif1.0 will match "-i xenbr0" and "-o xenbr0". But it will match "--physdev-in peth0" and "--physdev-out vif1.0" too.

> Anna
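A per-guest ruleset built on the physdev match Diego describes, as an added example (not code from the thread). It assumes the names used in the thread (bridge xenbr0, guest port vif1.0), a Dom0 with iptables and the physdev match available, and a hypothetical port policy (DNS plus HTTP/HTTPS out, replies only in); bridged frames only traverse the FORWARD chain when net.bridge.bridge-nf-call-iptables is 1, which on current kernels means the br_netfilter module must be loaded.

```shell
#!/bin/sh
# Added example; assumes the Xen bridge setup from the thread: xenbr0 with
# peth0 and the guest port vif1.0 attached. IPT may be overridden, e.g.
# IPT="echo iptables", to print the rules instead of loading them.
IPT="${IPT:-iptables}"

# Bridged frames reach iptables' FORWARD chain only when the bridge is told to
# hand them to netfilter; with this at 0 none of the physdev rules ever match.
enable_bridge_netfilter() {
    sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Rules scoped to one guest port. "-i xenbr0" would match every guest on the
# bridge; --physdev-in/--physdev-out name the port the frame entered or leaves on.
# The allowed ports below are an assumed policy, not something from the thread.
apply_vif_filter() {
    vif="$1"
    # From the guest: replies to existing flows, DNS and web; log and drop the rest.
    $IPT -A FORWARD -m physdev --physdev-in "$vif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$vif" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$vif" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$vif" -j LOG --log-prefix "xen-${vif}-drop: "
    $IPT -A FORWARD -m physdev --physdev-in "$vif" -j DROP
    # To the guest: only traffic belonging to connections the guest opened.
    $IPT -A FORWARD -m physdev --physdev-out "$vif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-out "$vif" -j DROP
}

# Usage: sh vif-filter.sh apply   (loads the rules for vif1.0 in Dom0)
case "${1:-}" in
    apply) enable_bridge_netfilter && apply_vif_filter vif1.0 ;;
esac
```

Setting IPT="echo iptables" before calling apply_vif_filter prints the rules for review without touching the running firewall.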