https://bugzilla.novell.com/show_bug.cgi?id=472107

Summary: XEN network-nat puts rules in DROP if SuSEFirewall is active
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: All
OS/Version: openSUSE 11.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Xen
AssignedTo: cgriffin@novell.com
ReportedBy: Emmanuel.Appiahkubi@atea.com
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008123009 Gentoo Firefox/3.0.5

On a fresh install with xen and changing /etc/xen/xend-config.sxp to use nat:

  (network-script network-nat)
  (vif-script vif-nat)

the rules will end up in FORWARD DROP instead of FORWARD ACCEPT.

Example without SuSEFirewall active:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.2             anywhere             PHYSDEV match --physdev-in vif7.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.1             anywhere             PHYSDEV match --physdev-in vif8.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

Example with SuSEfirewall:

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
ACCEPT     all  --  10.0.0.2             anywhere             PHYSDEV match --physdev-in vif7.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.1             anywhere             PHYSDEV match --physdev-in vif8.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

Reproducible: Always

Steps to Reproduce:
1. Make the change in /etc/xen/xend-config.sxp:
   (network-script network-nat)
   (vif-script vif-nat)
2. Enter an IP in a DomU config: vif=['x.x.x.x']
3. Start the DomU with xm create
4. In the DomU, configure it to use the static IP x.x.x.x
5. Run iptables -L and look in the FORWARD chain

Actual Results: My DomU's connection could not get outside the Dom0.

Expected Results: The DomUs should have been able to reach the external network (internet).
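A small checker for the chain state the report shows, added here as an example; it is not part of the bug report, of the Xen network-nat/vif-nat scripts, or of SuSEfirewall. It parses `iptables -L` text (the two FORWARD listings above, reproduced as constructed samples), reports a DROP policy, and lists every vif that has an ACCEPT rule for --physdev-in but none for --physdev-out in the listing; with policy DROP, any forwarded packet that matches no rule falls through to that policy. Plain `iptables -L` omits the -i/-o interface columns, so confirm the second finding with `iptables -L -v` on a live dom0 before acting on it. The names parse_chains, audit_forward, Chain and Rule are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample laid out like the FORWARD chain the report shows with
# SuSEfirewall active: policy DROP, the SFW2 LOG rule, then the vif-nat rules.
SAMPLE_WITH_SFW = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
ACCEPT     all  --  10.0.0.2             anywhere             PHYSDEV match --physdev-in vif7.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.1             anywhere             PHYSDEV match --physdev-in vif8.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps
"""

# Constructed sample for the working case from the report: same vif rules, policy ACCEPT.
SAMPLE_WITHOUT_SFW = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.2             anywhere             PHYSDEV match --physdev-in vif7.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.1             anywhere             PHYSDEV match --physdev-in vif8.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
# target, prot, opt, source, destination, then the free-form match text
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
PHYSDEV_IN_RE = re.compile(r"--physdev-in (\S+)")
PHYSDEV_OUT_RE = re.compile(r"--physdev-out (\S+)")


@dataclass
class Rule:
    target: str
    proto: str
    source: str
    destination: str
    match: str  # everything after the destination column


@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)


def parse_chains(text):
    """Parse `iptables -L` output into Chain objects, one per 'Chain ...' header."""
    chains = []
    current = None
    for line in text.splitlines():
        header = CHAIN_RE.match(line)
        if header:
            current = Chain(header.group(1), header.group(2))
            chains.append(current)
            continue
        # Skip text before the first chain, blank lines and the column header row.
        if current is None or not line.strip() or line.startswith("target"):
            continue
        rule = RULE_RE.match(line)
        if rule:
            current.rules.append(Rule(rule.group(1), rule.group(2),
                                      rule.group(4), rule.group(5), rule.group(6)))
    return chains


def audit_forward(text):
    """Return findings for the FORWARD chain as strings; an empty list means nothing to flag."""
    forward = next((c for c in parse_chains(text) if c.name == "FORWARD"), None)
    if forward is None:
        return ["no FORWARD chain found in input"]
    findings = []
    if forward.policy == "DROP":
        findings.append("FORWARD policy is DROP: forwarded packets that match no ACCEPT rule "
                        "fall through to it")
        # Interfaces accepted in the guest-to-dom0 direction (--physdev-in) ...
        ingress = {m.group(1) for r in forward.rules if r.target == "ACCEPT"
                   for m in PHYSDEV_IN_RE.finditer(r.match)}
        # ... and in the dom0-to-guest direction (--physdev-out).
        egress = {m.group(1) for r in forward.rules if r.target == "ACCEPT"
                  for m in PHYSDEV_OUT_RE.finditer(r.match)}
        for vif in sorted(ingress - egress):
            # Plain `iptables -L` hides -i/-o matches, so this is a prompt to check with -v.
            findings.append(f"{vif}: ACCEPT for --physdev-in only; no --physdev-out ACCEPT for "
                            f"{vif} in this listing (verify interface matches with iptables -L -v)")
    return findings


if __name__ == "__main__":
    for label, sample in (("with SuSEfirewall", SAMPLE_WITH_SFW),
                          ("without SuSEfirewall", SAMPLE_WITHOUT_SFW)):
        print(label + ":")
        for finding in audit_forward(sample) or ["nothing to flag"]:
            print("  " + finding)
```

Run it against the output of `iptables -L` captured from a dom0 (for example `audit_forward(open("forward.txt").read())`) to get the same report for a real chain; the constructed samples only reproduce the two listings from the bug.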