WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] Firewalls

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Firewalls
From: Tom Eastep <teastep@xxxxxxxxxxxxx>
Date: Fri, 7 Apr 2006 13:15:27 -0700
Cc: Jacob S <stormspotter@xxxxxxxxxxx>
Delivery-date: Fri, 7 Apr 2006 13:16:01 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20060407124455.173748ef@xxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <20060407090406.2a25baee@xxxxxxxxxxxxxxxxx> <20060407124455.173748ef@xxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.9.1
On Friday 07 April 2006 10:44, Jacob S wrote:
>
> So, now my question is, is it expected for network-bridge to be
> incompatible with iptables, or is this a bug?
>
Neither -- it is rather your lack of understanding of how bridges (like the 
one created by xend) and iptables/Netfilter interact.
When your kernel is compiled with CONFIG_BRIDGE_NETFILTER=y, traffic passing 
through bridges is processed by Netfilter. When xend starts, it creates a 
bridge (xenbr0) through which all traffic into and out of eth0 flows.
See the first part of http://www.shorewall.net/Xen.html for details.
So to make your existing script work in dom0, at the very least you need to 
add:
 $IPTABLES -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT
Configuring a secure firewall in dom0 that also controls traffic to/from the 
domUs is a rather complex task -- I find it easier to run my firewall in a 
domU (see http://www.shorewall.net/XenMyWay.html).
-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@xxxxxxxxxxxxx
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Attachment: pgp7t7vKDb4hN.pgp
Description: PGP signature

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users 
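The interaction Tom describes (bridged frames entering Netfilter with xenbr0 as both input and output interface) is easy to get wrong in a script written for a plain eth0 host. The script below is an added example for this thread, not Tom Eastep's, Jacob's or Shorewall's code. It prints the minimal dom0 ruleset that accounts for the bridge and only executes it when APPLY=1. The bridge name xenbr0, the physical NIC eth0, the $IPTABLES variable from Jacob's script and the domU interface vif1.0 are all assumed for illustration; the physdev rule goes one step past the message to show how per-domU policy is expressed once -i/-o no longer identify the guest.

```shell
#!/bin/sh
# Added example for the xen-users "Firewalls" thread; not the script under
# discussion and not Shorewall code. Prints the rules a dom0 firewall needs
# once xend has placed eth0 behind xenbr0; executes them only with APPLY=1.
# Assumed for illustration: bridge xenbr0, NIC eth0, the $IPTABLES
# convention from the thread, and vif1.0 as a hypothetical domU interface.

IPTABLES=${IPTABLES:-iptables}
BRIDGE=${BRIDGE:-xenbr0}
BRNF=/proc/sys/net/bridge/bridge-nf-call-iptables

# run_rule: always print the rule; execute it only when APPLY=1, so the
# ruleset can be reviewed before it touches a live machine.
run_rule() {
    echo "$IPTABLES $*"
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPTABLES" "$@"
    fi
}

# bridge_nf_active: true when bridged frames pass through iptables.
# Kernels that expose the sysctl can switch this off; if the file is
# absent, assume the CONFIG_BRIDGE_NETFILTER=y case the message describes.
bridge_nf_active() {
    if [ -r "$BRNF" ]; then
        [ "$(cat "$BRNF")" = 1 ]
    else
        return 0
    fi
}

# dom0_rules: with bridge-nf on, a frame crossing the bridge reaches FORWARD
# with both -i and -o equal to xenbr0, and a frame for dom0 itself reaches
# INPUT with -i xenbr0, never -i eth0. A script that says "-i eth0" therefore
# matches nothing, which is the symptom reported in the thread.
dom0_rules() {
    run_rule -A INPUT -i lo -j ACCEPT
    run_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # dom0's own services: match on the bridge, not on eth0
    run_rule -A INPUT -i "$BRIDGE" -p tcp --dport 22 -j ACCEPT
    # Per-domU policy needs the physdev match, since -i/-o are the bridge.
    # Hypothetical guest on vif1.0 is not allowed to send mail directly.
    run_rule -A FORWARD -m physdev --physdev-in vif1.0 -p tcp --dport 25 -j REJECT
    # The rule from the message: let everything else cross the bridge.
    run_rule -A FORWARD -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT
    # Default policies last, so an SSH session used to apply this is kept.
    run_rule -P INPUT DROP
    run_rule -P FORWARD DROP
}

if bridge_nf_active; then
    dom0_rules
else
    echo "bridge-nf is off: bridged traffic bypasses iptables entirely" >&2
fi
```

Run it without APPLY to see the rules; compare the printed list against an existing script and look for any INPUT or FORWARD rule that still names eth0. Note that the FORWARD rule lets every domU talk to every other domU and to the wire, which is why Tom calls a dom0 firewall that also polices guests a complex task: each restriction has to be written as a physdev rule ahead of the blanket ACCEPT.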