Hi all,
I have Xen 3.2 newly installed on Lenny with network bridging configured.
When I built my first VM, I found it couldn't connect to the Internet. This
turned out to be because my dom0's iptables was configured to DROP all
packets on the FORWARD chain (when I removed that, it started working).
The "Xen Networking" page on the wiki describes this exact situation
(http://wiki.xensource.com/xenwiki/XenNetworking#head-602e26cd4a03b992f3938fe1bea03fa0fea0ed8b)
and suggests adding the following iptables rules:
iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT
This, however, did not work for me. I have 2 questions about this:
1. The description of what this is supposed to do is "allowing packet
forwarding (at the iptables level) between the external physical interface
and the vifs for the guests". But in the diagram, it looks like the external
physical interface is peth0, not eth0. Am I misunderstanding something, or
should eth0 in the rules above actually be peth0?
2. Just for fun, I tried changing eth0 in the rules above to peth0, based on
the reasoning above. That actually seemed to work. But now my syslog is
getting flooded with messages like this, which makes me wonder if I'm
barking up the wrong tree entirely:

physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
chains for non-bridged traffic is not supported anymore.
To my surprise, I haven't been able to find any resource aside from the wiki
page mentioned above that discusses the best practice for disabling
forwarding on the dom0 except what's required for Xen bridging. If anybody
has any thoughts on how to achieve this, it'd be much appreciated.
Best regards,
Martin Goldman
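An added audit script (not part of the original post or the Xen wiki) that checks an iptables-save dump for the rule shape behind the syslog message quoted above: in the FORWARD chain a physdev match on --physdev-out is only supported for bridged traffic, so the kernel expects --physdev-is-bridged alongside it. The sample dump and the interface names peth0 and vif1.0 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the Xen wiki. Audits an
# iptables-save dump for FORWARD rules that match on --physdev-out without
# --physdev-is-bridged: that combination is what triggers the kernel's
# "physdev match: using --physdev-out ... for non-bridged traffic is not
# supported anymore" message, because the outgoing bridge port is only
# known for frames the bridge itself is forwarding.

# Constructed iptables-save output (not a real capture). Interface names
# peth0 and vif1.0 are placeholders for the physical NIC and a guest vif.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in peth0 ! --physdev-out peth0 -j ACCEPT
-A FORWARD -m physdev --physdev-out peth0 ! --physdev-in peth0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-in vif1.0 -j ACCEPT
COMMIT'

# Print the default policy of the FORWARD chain from a rule dump ($1).
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == ":FORWARD" { print $2 }'
}

# Print FORWARD rules that use --physdev-out but lack --physdev-is-bridged.
unqualified_physdev_out_rules() {
    printf '%s\n' "$1" |
        awk '$1 == "-A" && $2 == "FORWARD" && /--physdev-out/ && !/--physdev-is-bridged/'
}

# Print how many such rules the dump contains (0 when the dump is clean).
count_unqualified() {
    unqualified_physdev_out_rules "$1" | awk 'END { print NR }'
}

# Emit the dump with --physdev-is-bridged added to each offending rule, so
# the rules only match bridged traffic and no longer trigger the warning.
qualify_physdev_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "FORWARD" && /--physdev-out/ && !/--physdev-is-bridged/ {
            sub(/-m physdev /, "-m physdev --physdev-is-bridged ")
        }
        { print }'
}

# Stand-alone run: report findings for the constructed sample.
echo "FORWARD policy: $(forward_policy "$SAMPLE_RULES")"
echo "Rules needing --physdev-is-bridged: $(count_unqualified "$SAMPLE_RULES")"
unqualified_physdev_out_rules "$SAMPLE_RULES"
```

On a live dom0, feed the real dump with `qualify_physdev_rules "$(iptables-save)"` and review the output before loading it with iptables-restore.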
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users