On Thu, Apr 05, 2007 at 08:28:57AM +0100, Mark McLoughlin wrote:
> Hi Dan,
>
> On Thu, 2007-04-05 at 02:44 +0100, Daniel P. Berrange wrote:
> > Warning, this is a long & complicated email with lots of horrible details :-)
> >
> > I've long been a little confused with the way iptables & bridging interacts,
> > so set out to do some experiments. I added a -j LOG rule to every single chain
> > in both the filter & nat tables, and then tried various traffic patterns, to
> > see which chains were traversed & in which order.
>
> Nice work ...
>
> > Scenario 2: Virtual network
> > ===========================
> >
> > net.bridge.bridge-nf-call-iptables = 1
> >
> > Host:  eth0   -> Internet
> >        virbr0 -> MASQUERADE to eth0
> >
> > Guest: vif1.0 -> virbr0
> >
> >
> > Traffic: Guest -> Google
> > ------------------------
> >
> > Out:
> >
> > NAT-PREROUTING  IN=virbr0 OUT=     PHYSIN=vif1.0 SRC=192.168.122.47 DST=64.233.167.99
> > FORWARD         IN=virbr0 OUT=eth0 PHYSIN=vif1.0 SRC=192.168.122.47 DST=64.233.167.99
> > NAT-POSTROUTING IN=       OUT=eth0 PHYSIN=vif1.0 SRC=192.168.122.47 DST=64.233.167.99
>
> This really surprises me - I would have expected another one like:
>
> FORWARD IN=virbr0 OUT=virbr0 PHYSIN=vif1.0 PHYSOUT=virb0 SRC=192.168.122.47 DST=64.233.167.99
>
> Is it because the packets are coming in on bridge interface we don't
> see any physdev matching? So, we would see it with Guest->Guest?

I'll check up on the DomU<->DomU case - that may well exhibit a FORWARD
traversal with both a PHYSIN & PHYSOUT match.

> > For virtual networks there are basically 3 types of networking config we need to represent
> > in terms of iptables rules, and these need to work for scenarios 1 & 2 - ie regardless of
> > the magic sysctl knob.
>
> Well, IMHO, we should never be switching off the sysctl knob ourselves
> - i.e. we shouldn't have it in xen/scripts/network-bridge - but I take
> the point that a user might switch it off.

Yeah, I don't much like it either, but the Fedora Xen bridge scripts turn the
setting off - principally so that traffic for bridged guests doesn't get hit
by the Dom0 iptables rules.

> > Problem:  The INPUT rules are missing altogether for the isolated virtual network
> >           so potentially DHCP/DNS will be blocked
> > Solution: Add them - simple bug.
>
> I fixed this in CVS, didn't I?

Yeah - I was comparing against the official 0.2.1 release which I happen to
have an RPM installed of.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|
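To reproduce the experiment Dan describes above (a -j LOG rule at the head of every chain in the filter and nat tables, then watching the kernel log to see which chains a packet traverses and in what order), here is an added example; it is not code from this thread, nor from the Xen or libvirt bridge scripts. The chain lists, the log-prefix strings (chosen to match the names used in the thread, "FORWARD", "NAT-PREROUTING", and so on) and the add/del interface are my own choices. It prints the iptables commands rather than running them, so the output can be reviewed and then piped into sh as root.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables commands that put a
# "-j LOG" rule at position 1 of every built-in chain in the filter and nat
# tables, so that the kernel log records the chain traversal order for each
# packet. Chain lists and prefix strings are this example's own choices.
set -e

# Built-in chains per table (mangle and raw are left out, as in the thread).
chains_for_table() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
        *)      echo "unknown table: $1" >&2; return 1 ;;
    esac
}

# Log prefix for a chain: filter chains are logged bare, nat chains with a
# "NAT-" prefix, matching the thread. A trailing space keeps the prefix
# separated from the IN=/OUT= fields. LOG's --log-prefix allows at most 29
# characters; all of these are shorter.
log_prefix() {
    table="$1"; chain="$2"
    if [ "$table" = filter ]; then
        echo "$chain "
    else
        echo "NAT-$chain "
    fi
}

# Print one iptables command per chain. $1 is "add" (insert the LOG rule at
# position 1, ahead of any ACCEPT/DROP) or "del" (remove it again).
gen_log_rules() {
    action="${1:-add}"
    for table in filter nat; do
        for chain in $(chains_for_table "$table"); do
            prefix="$(log_prefix "$table" "$chain")"
            case "$action" in
                add) printf 'iptables -t %s -I %s 1 -j LOG --log-prefix "%s"\n' \
                         "$table" "$chain" "$prefix" ;;
                del) printf 'iptables -t %s -D %s -j LOG --log-prefix "%s"\n' \
                         "$table" "$chain" "$prefix" ;;
                *)   echo "usage: gen_log_rules [add|del]" >&2; return 1 ;;
            esac
        done
    done
}

# Report the bridge-netfilter knob the thread revolves around. With it set
# to 0, frames that are only bridged between ports never reach these chains,
# so the LOG rules will show nothing for that traffic.
show_bridge_nf() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then
        echo "net.bridge.bridge-nf-call-iptables = $(cat "$f")"
    else
        echo "net.bridge.bridge-nf-call-iptables = (not available: bridge module not loaded?)"
    fi
}

# Stand-alone use:  sh thisfile.sh add | sh      (as root)
#                   sh thisfile.sh del | sh      (to clean up)
case "${1:-}" in
    add|del) show_bridge_nf >&2; gen_log_rules "$1" ;;
    *)       echo "usage: $0 add|del  (pipe the output into sh as root)" >&2 ;;
esac
```

After applying the "add" output, generate the traffic of interest and read the result with something like `dmesg | grep -E '(NAT-)?(PREROUTING|INPUT|FORWARD|OUTPUT|POSTROUTING) IN='`; the IN=/OUT= and PHYSIN=/PHYSOUT= fields on each line are what distinguish a routed traversal from a bridged one. Two caveats: on a busy host a LOG rule in every chain is very noisy, so narrow the rules with `-s`/`-d` matches for the guest address before running them; and with net.bridge.bridge-nf-call-iptables set to 0 the bridged guest-to-guest frames will simply not appear, which is exactly the behaviour the Fedora scripts rely on to keep Dom0 rules off bridged traffic.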