[Gllug] Xen and iptables problem

Richard Jones rich at annexia.org
Fri Jan 5 15:48:14 UTC 2007


On Fri, Jan 05, 2007 at 01:38:47PM +0000, Bruce Richardson wrote:
> On Fri, Jan 05, 2007 at 12:10:19PM +0000, - wrote:
> > For those unfamiliar with Xen, it makes networking insanely (and
> > unnecessarily) complicated, which is why it's hitting both the FORWARD
> > and INPUT/OUTPUT chains. See
> > http://wiki.xensource.com/xenwiki/XenNetworking for more details.
> 
> It isn't insanely complicated if you treat dom0 purely as an
> administrative domain and do any firewalling from within user domains.
> That not only simplifies things, it makes it more secure.  Yes, Xen uses
> bridges to organise its networking but these are presented
> to domU as simple ethernet interfaces, so if you do your iptables work
> in there then you never need to worry about packets taking strange paths
> through the netfilter tables.  Unless, of course, you explicitly decide
> to make life complicated for yourself (e.g. putting in firewalling
> bridges).

Well it is insane.  I mean it may be complicated for a reason, but
it's still very very complicated.

To Tet: Try logging the TCP checksums on your packets.  Earlier
versions of Xen had some bugs which would cause TCP checksums to get
corrupted, resulting in the packets being silently dropped on the
input side of the interfaces.  That confused me for a very long time
when I set my first Xen server up.

Rich.

-- 
Richard Jones, CTO Merjis Ltd.
Merjis - web marketing and technology - http://merjis.com
Internet Marketing and AdWords courses - http://merjis.com/courses - NEW!
Merjis blog - http://blog.merjis.com - NEW!
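Rich's suggestion to check TCP checksums is easy to act on once you have a capture. The following is an added example, not code from the thread or from Xen: a small pure-Python checker that recomputes the TCP checksum of raw IPv4/TCP packets (no link-layer header) over the RFC 1071 pseudo-header and flags the ones that would be silently dropped on the receiving side. The packets it checks are constructed inline; the addresses, ports and payload are made-up sample values.

```python
import socket
import struct


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    # pseudo-header: src addr, dst addr, zero byte, protocol 6 (TCP), TCP length
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return _checksum(pseudo + zeroed)


def verify_tcp_checksum(packet: bytes) -> bool:
    """True if the TCP checksum in a raw IPv4/TCP packet matches a recomputation."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src, dst, segment) == stored


def find_bad_checksums(packets) -> list:
    """Indices of packets whose TCP checksum does not verify; these would be dropped silently."""
    return [i for i, p in enumerate(packets) if not verify_tcp_checksum(p)]


def build_packet(src: str, dst: str, sport: int, dport: int,
                 payload: bytes = b"", good: bool = True) -> bytes:
    """Construct a sample IPv4/TCP SYN packet; good=False deliberately corrupts the TCP checksum."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    # TCP header: ports, seq, ack, data offset (5 words), flags (SYN), window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    csum = tcp_checksum(src_b, dst_b, tcp)
    if not good:
        csum ^= 0x0001  # simulate the kind of corruption described in the thread
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]  # fill in IP header checksum
    return ip + tcp


if __name__ == "__main__":
    # constructed sample traffic: two intact packets and one with a corrupted checksum
    sample = [
        build_packet("10.0.0.1", "10.0.0.2", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_packet("10.0.0.1", "10.0.0.2", 40001, 22, b"hello", good=False),
        build_packet("10.0.0.2", "10.0.0.1", 80, 40000),
    ]
    print("packets with bad TCP checksums:", find_bad_checksums(sample))
```

Feed it the IP-layer bytes of packets taken from a capture on the interface where they arrive. One caveat when looking at checksums on a bridged host: with transmit checksum offload enabled, packets captured on the sending side are normally recorded before the NIC or backend fills in the checksum, so they look corrupt even when nothing is wrong; the meaningful check is on the receiving interface.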
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug