[ovs-discuss] priority of iptables and flows
jesse at nicira.com
Mon May 3 21:07:34 UTC 2010
On Mon, May 3, 2010 at 12:13 AM, <mandar284 at aim.com> wrote:
> I have a rule in iptables (with a source IP address) to allow HTTPS traffic
> for the Xen server, and on the bridge there is also a flow to deny all IP
> protocol traffic coming in on the Xen bridge.
> Now, when I try to open XenCenter from the IP matching the iptables rule,
> it does not succeed in connecting to the Xen server, but if I update the
> flows with an HTTPS allow rule for my IP, XenCenter is successfully
> Why is the traffic to access the Xen server blocked even when iptables
> has the allow rule?
> Does iptables hold the same control over traffic meant for the Xen server
> host (excluding internal VMs) in the presence of Open vSwitch flows?
> Can anyone explain the behavior of flows with iptables?
Traffic to dom0 flows first through OVS and then the IP stack (and by
extension iptables). If either has a rule to deny traffic the packet will
be dropped. There is no shared configuration between the two so adding a
rule to iptables does not update the OVS flow table.
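To make the ordering described above concrete, here is an added model (not OVS or Xen code, and not part of the original thread) of the two independent filter stages a packet to dom0 traverses: the OVS flow table on the bridge first, then the host IP stack's iptables INPUT chain. The addresses, flows and rules are constructed for the example; the comments show the ovs-ofctl and iptables commands each entry stands in for. The model shows that the iptables ACCEPT never gets a chance to fire while the higher-priority "ip,actions=drop" flow is in the OVS table, and that adding the OVS allow flow for the admin host's HTTPS traffic is what lets the packet through both stages.

```python
"""Model of the serial filter path to dom0: OVS flow table, then iptables.

Added illustration, not OVS or Xen code. Addresses, flows and rules are
constructed for the example; comments show the real commands they mirror.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                        # source IPv4 address
    proto: str                      # "tcp", "udp" or "icmp" (all IPv4 here)
    dport: Optional[int] = None     # transport destination port


@dataclass(frozen=True)
class Flow:
    """One OVS flow, e.g. ovs-ofctl add-flow br0 "priority=100,ip,actions=drop"."""
    priority: int
    action: str                     # "normal" (L2 forwarding) or "drop"
    ip: bool = False                # "ip" match: any IPv4 packet
    proto: Optional[str] = None     # "tcp"/"udp"/"icmp" match
    nw_src: Optional[str] = None    # nw_src=... match
    tp_dst: Optional[int] = None    # tp_dst=... match

    def matches(self, pkt: Packet) -> bool:
        if self.ip and pkt.proto not in ("tcp", "udp", "icmp"):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.nw_src is not None and self.nw_src != pkt.src:
            return False
        if self.tp_dst is not None and self.tp_dst != pkt.dport:
            return False
        return True


def ovs_verdict(flows: List[Flow], pkt: Packet) -> str:
    """OVS semantics: among all matching flows, the highest priority wins."""
    matching = [f for f in flows if f.matches(pkt)]
    if not matching:
        return "drop"               # table miss with no default flow present
    return max(matching, key=lambda f: f.priority).action


@dataclass(frozen=True)
class IptRule:
    """One INPUT rule, e.g. iptables -A INPUT -p tcp -s 192.0.2.10 --dport 443 -j ACCEPT."""
    target: str                     # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    src: Optional[str] = None
    dport: Optional[int] = None


def iptables_verdict(rules: List[IptRule], policy: str, pkt: Packet) -> str:
    """iptables semantics: first matching rule in the chain wins, else policy."""
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.src is not None and r.src != pkt.src:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.target
    return policy                   # chain policy, e.g. iptables -P INPUT DROP


def deliver_to_dom0(flows: List[Flow], rules: List[IptRule], policy: str,
                    pkt: Packet) -> Tuple[str, Optional[str], bool]:
    """Serial evaluation: iptables only sees a packet that OVS forwarded.

    Returns (ovs verdict, iptables verdict or None if never reached, delivered).
    """
    ovs = ovs_verdict(flows, pkt)
    if ovs != "normal":
        return (ovs, None, False)
    ipt = iptables_verdict(rules, policy, pkt)
    return (ovs, ipt, ipt == "ACCEPT")


# Constructed scenario matching the thread: admin workstation 192.0.2.10.
ADMIN = "192.0.2.10"
DEFAULT_FLOW = Flow(priority=0, action="normal")           # installed on a new OVS bridge
DENY_ALL_IP = Flow(priority=100, action="drop", ip=True)    # "priority=100,ip,actions=drop"
ALLOW_ADMIN_HTTPS = Flow(priority=200, action="normal", proto="tcp",
                         nw_src=ADMIN, tp_dst=443)          # the flow the poster added later

FLOWS_BEFORE = [DEFAULT_FLOW, DENY_ALL_IP]
FLOWS_AFTER = FLOWS_BEFORE + [ALLOW_ADMIN_HTTPS]
IPT_RULES = [IptRule("ACCEPT", proto="tcp", src=ADMIN, dport=443)]
IPT_POLICY = "DROP"

HTTPS_FROM_ADMIN = Packet(src=ADMIN, proto="tcp", dport=443)
HTTPS_FROM_OTHER = Packet(src="192.0.2.99", proto="tcp", dport=443)
SSH_FROM_ADMIN = Packet(src=ADMIN, proto="tcp", dport=22)

if __name__ == "__main__":
    for label, flows in (("before OVS allow", FLOWS_BEFORE), ("after OVS allow", FLOWS_AFTER)):
        for pkt in (HTTPS_FROM_ADMIN, HTTPS_FROM_OTHER, SSH_FROM_ADMIN):
            print(label, pkt, deliver_to_dom0(flows, IPT_RULES, IPT_POLICY, pkt))
```

The practical check on a real host is the counters: while the connection fails, `ovs-ofctl dump-flows br0` shows n_packets climbing on the "ip,actions=drop" entry and `iptables -vL INPUT` shows the ACCEPT rule's counters staying at zero, which confirms the packet is dropped in OVS before iptables ever evaluates it. The same model also shows the converse: with only the default NORMAL flow in OVS, a packet the INPUT policy rejects is still dropped, so each stage has to be opened independently.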