Hello,

Does the antispoof mechanism work in network-bridge with HVM domUs?

It seems not. The following iptables rules were added after starting an hvm domU with FreeBSD:

:INPUT ACCEPT [3126:359694]
:FORWARD DROP [974:187815]
:OUTPUT ACCEPT [973:266082]

-A FORWARD -m physdev --physdev-in peth1 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif60.0 -j ACCEPT

peth1 is the physical interface on dom0 which is connected to the eth1 bridge, vif60.0 is the domU interface. After starting the hvm domU it is inaccessible via network.

If I change the default FORWARD policy to accept, everything is fine. With PV domUs the current antispoof scheme works fine.

Where is the problem?

With regards, Andrey

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Solved the problem. In the hvm domU case an iptables rule for the corresponding tap interface should be added:

:INPUT ACCEPT [3126:359694]
:FORWARD DROP [974:187815]
:OUTPUT ACCEPT [973:266082]

-A FORWARD -m physdev --physdev-in peth1 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif60.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in tap60.0 -j ACCEPT

Andrey writes:
> Hello,
>
> Does the antispoof mechanism work in network-bridge with HVM domUs?
>
> It seems not. The following iptables rules were added after starting
> an hvm domU with FreeBSD:
>
> :INPUT ACCEPT [3126:359694]
> :FORWARD DROP [974:187815]
> :OUTPUT ACCEPT [973:266082]
>
> -A FORWARD -m physdev --physdev-in peth1 -j ACCEPT
> -A FORWARD -m physdev --physdev-in vif60.0 -j ACCEPT
>
> peth1 is the physical interface on dom0 which is connected to the eth1
> bridge, vif60.0 is the domU interface. After starting the hvm domU it is
> inaccessible via network.
>
> If I change the default FORWARD policy to accept, everything is
> fine. With PV domUs the current antispoof scheme works fine.
>
> Where is the problem?
>
> With regards, Andrey
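The failure mode in this thread (a vifN.M ACCEPT rule present, the matching tapN.M rule missing, so an HVM guest's traffic hits the FORWARD DROP policy) is easy to audit from `iptables-save` output. The script below is an added example, not part of the thread or of Xen's network-bridge script; it runs over a constructed rule dump modelled on the rules quoted above, reports each vif that has no tap counterpart, and prints the rule that would close the gap. Interface names and counters in the sample are constructed.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output, modelled on the thread's rules.
# vif60.0 has its ACCEPT rule but the tap60.0 rule an HVM domU needs is missing;
# vif61.0/tap61.0 is a correctly paired HVM guest for contrast.
SAMPLE_RULES='*filter
:INPUT ACCEPT [3126:359694]
:FORWARD DROP [974:187815]
:OUTPUT ACCEPT [973:266082]
-A FORWARD -m physdev --physdev-in peth1 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif60.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif61.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in tap61.0 -j ACCEPT
COMMIT'

# Read iptables-save text on stdin. Print every vifN.M that has a
# "-A FORWARD ... --physdev-in vifN.M ... -j ACCEPT" rule but no rule
# for the matching tapN.M interface (one name per line, sorted).
missing_tap_rules() {
    awk '
    /^-A FORWARD / && /--physdev-in (vif|tap)[0-9]+\.[0-9]+ / && / -j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--physdev-in") ifname = $(i + 1)
        id = substr(ifname, 4)            # strip the "vif" / "tap" prefix -> "60.0"
        if (ifname ~ /^vif/) vif[id] = 1; else tap[id] = 1
    }
    END { for (id in vif) if (!(id in tap)) print "vif" id }
    ' | sort
}

# Given a vif name such as vif60.0, emit the companion tap rule in the
# same form the thread uses, suitable for iptables-restore or for
# "iptables -A FORWARD -m physdev --physdev-in tap60.0 -j ACCEPT".
tap_rule_for() {
    printf '%s\n' "-A FORWARD -m physdev --physdev-in tap${1#vif} -j ACCEPT"
}

# Stand-alone usage: audit the sample and show the rules to add.
for vif in $(printf '%s\n' "$SAMPLE_RULES" | missing_tap_rules); do
    echo "missing tap rule for $vif:"
    tap_rule_for "$vif"
done
```

On a live dom0 replace the sample with `iptables-save | missing_tap_rules`; an HVM domU whose vif is listed will stay unreachable until its tap rule is added.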