Hi guys. Any clue on this subject? Hope someone can help.

Leonardo Lopes

-------- Forwarded message --------
From: Leonardo Bruno <leonardo@xxxxxxxxxx>
To: netfilter@xxxxxxxxxxxxxxx
Subject: How to enable Xen VM traffic using nft
Date: Fri, 27 Oct 2017 18:55:41 -0200

> Hi guys.
>
> I am running Xen 4.8.1 and Debian 9 'stretch' as Dom0. I am also using
> 'nft' instead of 'iptables' as Debian is now encouraging the users to do.
>
> The 'xen-scripts' shipped with Debian Xen packages add rules to permit
> (accept) packages to/from virtual interfaces to flow in/out through
> the bridge interface.
>
> But these scripts are not 'nft-ready' and, although it is simple to
> modify them in order to run the correct 'nft' commands, I could not
> translate the original 'iptables' rules to 'nftables' rules.
>
> The 'iptables' commands executed when the VM is started (supposing a
> virtual interface 'vif0') are:
>
> iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-in vif0 -j ACCEPT
> iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-out vif0 -j ACCEPT
>
> Almost the same commands are executed when the VM is shut down:
>
> iptables -D FORWARD -m physdev --physdev-is-bridged --physdev-in vif0 -j ACCEPT
> iptables -D FORWARD -m physdev --physdev-is-bridged --physdev-out vif0 -j ACCEPT
>
> Can someone help? Thanks in advance.
>
> Best regards,
> Leonardo Lopes
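One way the two physdev rules above can be expressed in nftables, as an added example that is mine and not code from the original post or from Debian's xen-scripts. It assumes a bridge-family table I named "xen" and a hotplug-style caller that passes the vif name and "online"/"offline"; the main difference from iptables is that nft removes rules by handle, not by repeating the rule text.

```shell
#!/bin/sh
# Added example (not from the post or xen-scripts). Assumed: table "bridge xen".
NFT="${NFT:-nft}"   # set NFT=echo to dry-run without root
TABLE="bridge xen"

# Counterpart of "iptables -I FORWARD -m physdev --physdev-is-bridged
# --physdev-in/--physdev-out vif0 -j ACCEPT": the bridge family's forward
# hook only sees frames that cross a bridge, which is what --physdev-is-bridged
# selected in iptables, so no br_netfilter sysctl is involved here.
vif_online() {
    vif="$1"
    $NFT add table $TABLE
    $NFT add chain $TABLE forward \
        '{ type filter hook forward priority 0; policy accept; }'
    $NFT insert rule $TABLE forward iifname "\"$vif\"" accept
    $NFT insert rule $TABLE forward oifname "\"$vif\"" accept
}

# Print the handles of the accept rules for $vif, given the output of
# "nft -a list chain bridge xen forward" on stdin. With -a, nft appends
# "# handle N" to every rule; that number is what "delete rule" needs.
rule_handles() {
    vif="$1"
    awk -v want="\"$vif\"" '
        ($1 == "iifname" || $1 == "oifname") && $2 == want &&
        $(NF-1) == "handle" { print $NF }'
}

# Counterpart of the two "iptables -D FORWARD ..." commands at VM shutdown.
vif_offline() {
    vif="$1"
    $NFT -a list chain $TABLE forward | rule_handles "$vif" |
    while read -r handle; do
        $NFT delete rule $TABLE forward handle "$handle"
    done
}

# Hotplug-style entry point: "$0 vif0 online" or "$0 vif0 offline".
case "$2" in
    online)  vif_online  "$1" ;;
    offline) vif_offline "$1" ;;
esac
```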