cloudstack-dev mailing list archives

From Jijun <jiju...@gmail.com>
Subject Re: [Questions]: Basic Zone Security Group problem?
Date Fri, 30 Aug 2013 06:42:03 GMT
Thank you very much.

The rule looks good, but it is so strange: I can ping the two guest VMs [i-2-7-VM, i-3-8-VM] on my work host.


[ranger@ranger cloudstack]$ ping 192.168.253.66
PING 192.168.253.66 (192.168.253.66) 56(84) bytes of data.
64 bytes from 192.168.253.66: icmp_seq=1 ttl=59 time=4.40 ms
^C
--- 192.168.253.66 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.406/4.406/4.406/0.000 ms
[ranger@ranger cloudstack]$ ping 192.168.253.68
PING 192.168.253.68 (192.168.253.68) 56(84) bytes of data.
64 bytes from 192.168.253.68: icmp_seq=1 ttl=59 time=1.20 ms
^C
--- 192.168.253.68 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.201/1.201/1.201/0.000 ms



[root@xenserver-dlghbuxq ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 3354K packets, 2026M bytes)
  pkts bytes target     prot opt in     out source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out source               destination
     0     0 BRIDGE-FIREWALL  all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth0 --physdev-is-bridged
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2741K packets, 5547M bytes)
  pkts bytes target     prot opt in     out source               destination

Chain BRIDGE-DEFAULT-FIREWALL (1 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     udp  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
     0     0 ACCEPT     udp  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68

Chain BRIDGE-FIREWALL (1 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 BRIDGE-DEFAULT-FIREWALL  all  --  *      * 0.0.0.0/0            0.0.0.0/0
     0     0 i-2-7-def  all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged
     0     0 i-3-8-def  all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
     0     0 r-4-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
     0     0 r-4-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.1 --physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.0 --physdev-is-bridged
     0     0 v-2-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.2 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.3 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.1 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.0 --physdev-is-bridged
     0     0 s-6-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.2 --physdev-is-bridged
     0     0 r-4-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif19.1 --physdev-is-bridged
     0     0 r-4-VM     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif19.0 --physdev-is-bridged
     0     0 i-3-8-def  all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
     0     0 i-2-7-def  all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged

Chain L (0 references)
  pkts bytes target     prot opt in     out source               destination

Chain RH-Firewall-1-INPUT (0 references)
  pkts bytes target     prot opt in     out source               destination

Chain i-2-7-VM (1 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-2-7-VM-eg (1 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-2-7-def (2 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 RETURN     udp  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src udp dpt:53
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged !set i-2-7-VM src
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged !set i-2-7-VM dst
     0     0 i-2-7-VM-eg  all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src
     0     0 i-2-7-VM   all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged

Chain i-3-8-VM (1 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-3-8-VM-eg (1 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-3-8-def (2 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 RETURN     udp  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src udp dpt:53
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged !set i-3-8-VM src
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-8-VM dst
     0     0 i-3-8-VM-eg  all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src
     0     0 i-3-8-VM   all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged

Chain r-4-VM (4 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain s-6-VM (8 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain v-2-VM (6 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
     0     0 RETURN     all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
     0     0 ACCEPT     all  --  *      * 0.0.0.0/0            0.0.0.0/0



On 08/30/2013 02:02 PM, Jayapal Reddy Uradi wrote:
> Hi,
>
> The rules are looking as expected.
> The ingress traffic to vm should block.
>
> Can you run 'iptables -L -nv' and see which rules are accepting the ingress traffic.
>
> Thanks,
> Jayapal
> On 30-Aug-2013, at 7:41 AM, Jijun <jijunlx@gmail.com> wrote:
>
>> I clone branch 4.2 code, package and do a fresh installation.
>>
>> hypervisor: xenserver 6.2, change openvswitch to bridge.
>>
>> add basic zone, security group enabled.
>>
>> create a new vm, default security group
>>
>> the previous version document said the ingress will be blocked by default, but in my test, the network in and out are all allowed.
>> so strange.
>>
>> is it a bug?
>>
>> iptable rule in hypervisor :
>>
>> [root@xenserver-dlghbuxq ~]# iptables -nL
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> BRIDGE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth0 --physdev-is-bridged
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain BRIDGE-DEFAULT-FIREWALL (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
>>
>> Chain BRIDGE-FIREWALL (1 references)
>> target     prot opt source               destination
>> BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0
>> i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged
>> i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged
>> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
>> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.1 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.0 --physdev-is-bridged
>> v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif17.2 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.3 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.1 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.0 --physdev-is-bridged
>> s-6-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif18.2 --physdev-is-bridged
>> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif19.1 --physdev-is-bridged
>> r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif19.0 --physdev-is-bridged
>> i-3-8-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
>> i-2-7-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
>>
>> Chain L (0 references)
>> target     prot opt source               destination
>>
>> Chain RH-Firewall-1-INPUT (0 references)
>> target     prot opt source               destination
>>
>> Chain i-2-7-VM (1 references)
>> target     prot opt source               destination
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain i-2-7-VM-eg (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain i-2-7-def (2 references)
>> target     prot opt source               destination
>> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src udp dpt:53
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged !set i-2-7-VM src
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged !set i-2-7-VM dst
>> i-2-7-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src
>> i-2-7-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif21.0 --physdev-is-bridged
>>
>> Chain i-3-8-VM (1 references)
>> target     prot opt source               destination
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain i-3-8-VM-eg (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain i-3-8-def (2 references)
>> target     prot opt source               destination
>> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src udp dpt:53
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged !set i-3-8-VM src
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged !set i-3-8-VM dst
>> i-3-8-VM-eg  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src
>> i-3-8-VM   all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif20.0 --physdev-is-bridged
>>
>> Chain r-4-VM (4 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.0 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif19.1 --physdev-is-bridged
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain s-6-VM (8 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.2 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.0 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.1 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif18.3 --physdev-is-bridged
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain v-2-VM (6 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.2 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.0 --physdev-is-bridged
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif17.1 --physdev-is-bridged
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>>
>> *[root@xenserver-dlghbuxq ~]# ebtables -L*
>> Bridge table: filter
>>
>> Bridge chain: INPUT, entries: 0, policy: ACCEPT
>>
>> Bridge chain: FORWARD, entries: 5, policy: ACCEPT
>> -j DEFAULT_EBTABLES
>> -i vif21.0 -j i-2-7-VM
>> -i vif20.0 -j i-3-8-VM
>> -o vif20.0 -j i-3-8-VM
>> -o vif21.0 -j i-2-7-VM
>>
>> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>>
>> Bridge chain: DEFAULT_EBTABLES, entries: 12, policy: ACCEPT
>> -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
>> -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 68 -j ACCEPT
>> -p ARP --arp-op Request -j ACCEPT
>> -p ARP --arp-op Reply -j ACCEPT
>> -p IPv4 -d Broadcast -j DROP
>> -p IPv4 -d Multicast -j DROP
>> -p IPv4 --ip-dst 255.255.255.255 -j DROP
>> -p IPv4 --ip-dst 224.0.0.0/4 -j DROP
>> -p IPv4 -j RETURN
>> -p IPv6 -j DROP
>> -p 802_1Q -j DROP
>> -j DROP
>>
>> Bridge chain: i-3-8-VM, entries: 2, policy: ACCEPT
>> -p IPv4 -i vif20.0 --ip-proto udp --ip-dport 68 -j DROP
>> -p IPv4 -o vif20.0 --ip-proto udp --ip-dport 67 -j DROP
>>
>> Bridge chain: i-2-7-VM, entries: 2, policy: ACCEPT
>> -p IPv4 -i vif21.0 --ip-proto udp --ip-dport 68 -j DROP
>> -p IPv4 -o vif21.0 --ip-proto udp --ip-dport 67 -j DROP
>>
>>
>> *[root@xenserver-dlghbuxq ~]# ipset -L*
>> Name: i-3-8-VM
>> Type: iphash
>> References: 4
>> Header: hashsize: 1024 probes: 8 resize: 50
>> Members:
>> 192.168.253.66
>>
>> Name: i-2-7-VM
>> Type: iphash
>> References: 4
>> Header: hashsize: 1024 probes: 8 resize: 50
>> Members:
>> 192.168.253.68
>>
>>
>>
>>
>>
>>
>>
>> -- 
>> Thanks,
>> Jijun
>>


-- 
Thanks,
Jijun
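
Added example (not part of the original thread, and not CloudStack code): one way to answer the request to "see which rules are accepting the ingress traffic" is to tally the packet counters in `iptables -L -nv` output per chain. The function names are hypothetical, and the sample is an excerpt of the listing in this message with wrapped lines rejoined; on it, no FORWARD or security-group rule has counted a packet, so the pings did not match any of them.

```python
import re

# Excerpt of the `iptables -L -nv` listing from this message, wrapped lines rejoined.
SAMPLE = """\
Chain INPUT (policy ACCEPT 3354K packets, 2026M bytes)
  pkts bytes target     prot opt in     out source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out source               destination
     0     0 BRIDGE-FIREWALL  all  --  *      * 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0

Chain i-2-7-VM (1 references)
  pkts bytes target     prot opt in     out source               destination
     0     0 DROP       all  --  *      * 0.0.0.0/0            0.0.0.0/0
"""

# Without -x, iptables abbreviates large counters with decimal K/M/G suffixes.
UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets|(\d+) references)")


def to_int(token):
    """Convert a counter such as '3354K' or '0' to an (approximate) integer."""
    return int(token[:-1]) * UNITS[token[-1]] if token[-1] in UNITS else int(token)


def parse(listing):
    """Return {chain: {'policy', 'policy_pkts', 'rules': [(pkts, target, rest)]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            pkts = to_int(m.group(3)) if m.group(3) else None  # user chains have no policy
            current = {"policy": m.group(2), "policy_pkts": pkts, "rules": []}
            chains[m.group(1)] = current
            continue
        fields = line.split()
        # Rule rows start with a numeric packet counter; header rows start with 'pkts'.
        if current is not None and len(fields) >= 3 and re.fullmatch(r"\d+[KMG]?", fields[0]):
            current["rules"].append((to_int(fields[0]), fields[2], " ".join(fields[3:])))
    return chains


def hit_rules(chains):
    """Rules that have matched at least one packet, as (chain, pkts, target, rest)."""
    return [(name, p, t, rest)
            for name, c in chains.items() for p, t, rest in c["rules"] if p > 0]


def forward_saw_traffic(chains):
    """True if any FORWARD rule or the FORWARD policy has counted a packet."""
    fwd = chains["FORWARD"]
    return (fwd["policy_pkts"] or 0) > 0 or any(p > 0 for p, _, _ in fwd["rules"])


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print("rules with hits:", hit_rules(parsed))
    print("FORWARD saw traffic:", forward_saw_traffic(parsed))
```

Run it against a listing captured while the ping is in progress so the counters reflect that traffic.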

