WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Xen with 'Routing' scripts

To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Xen with 'Routing' scripts
From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
Date: Mon, 18 Apr 2005 16:02:41 +0200
Delivery-date: Mon, 18 Apr 2005 14:01:57 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1113831269.4876.51.camel@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <A95E2296287EAD4EB592B5DEEFCE0E9D1E3BE6@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <42629528.9070101@xxxxxxxxxxxx> <1113831269.4876.51.camel@xxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 0.8 (Windows/20040913)


Nils Toedtmann wrote:

> On Sunday, 17.04.2005, 18:56 +0200, Roland Paterson-Jones wrote:
>> I think I might be able to achieve what I want with ebtables by brouting all outgoing traffic.
>
> What is "brouting"? There's an ebtables chain with that name, but I
> never heard this term (yet) as a name for a network topology ...?
I would call it a hack rather than a network topology. The only advantage is that dom-0 doesn't have to know the dom-U IP addresses, but can still exert firm control over traffic from dom-U's.

>> So dom-0 is a router for outgoing traffic but a bridge for incoming traffic.
>
> Ah! Is that standard terminology?
I doubt it ;)

> What advantage do you gain over proper bridging?
I'm assuming iptables doesn't see bridged ethernet traffic (!?). So using ebtables' brouting forces the outbound IP traffic through IP routing, letting iptables take a look.

> At domU creation time, dom0 knows its dedicated MAC, and (according to
> your own rules) the according IP of that domU. As Ian wrote: extend the
> vif-bridge (which now knows the IP/MAC/VIF combination) using
The MAC -> IP mapping is a pain with DHCP, cos dhcpd scripting doesn't extend to mangling the hardware address into the resulting (fixed) IP address. In the prototype, I had a hard-coded rule for each MAC -> IP. This is not very scalable!

However, another way to do it is to use iptables to QUEUE DHCP responses to a custom ipq app which pulls out the IP address and does the same. In other words, to sniff the DHCP allocations in dom-0.

And, yes, I think you DO need to know the IP address to do effective firewalling in dom-0. Previously, I was hoping to avoid dom-0 knowing the IP address at all by using bridging.

> * iptables to enforce the correct IP (--> no IP spoofing)
Does iptables get to see ethernet-bridged traffic? I thought ethernet traffic snuck through under the iptables radar since it doesn't (shouldn't?) touch the IP stack.

Thanks again for the frank discussion
Roland
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
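The two mechanisms the reply sketches, learning the domU's address from the DHCP ACK that dom0 can see, and then pinning the vif to that MAC/IP so a guest cannot spoof either, fit together as below. This is an added example, not code from this thread or from Xen's own vif-bridge script. It assumes: the DHCP field layout of RFC 2131 (that part is standard); a hypothetical per-vif ebtables chain named `as_<vif>` of my own choosing; that outbound IPv4 frames are brouted (a DROP verdict in the broute table means "route this frame") while ARP stays bridged; and rule syntax as documented for ebtables 2.0 and iptables. The hook that actually receives the DHCP reply in dom0 (an ipq QUEUE handler or a raw socket) is not shown; `build_dhcp_ack` only constructs a test fixture, and the MAC and address in it are made up.

```python
"""Learn a domU's DHCP lease in dom0 and emit per-vif anti-spoofing rules.

Added example (not from the thread or from Xen's vif scripts). The DHCP
layout follows RFC 2131; the sample packet below is constructed, not captured.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie at offset 236
BOOTREPLY = 2                      # op field value for server -> client
DHCPACK = 5                        # option 53 message type for a committed lease


def parse_dhcp(payload: bytes) -> dict:
    """Parse a raw BOOTP/DHCP payload (the UDP data) into its useful fields."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen = struct.unpack("!BBB", payload[:3])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))        # "your" address
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])  # chaddr
    options = {}
    i = 240
    while i < len(payload):                                    # TLV walk
        code = payload[i]
        if code == 0:            # pad byte, no length
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "mac": mac, "yiaddr": yiaddr, "options": options}


def learn_lease(payload: bytes):
    """Return (mac, ip) for a DHCPACK from the server, else None.

    OFFER/NAK and client->server messages are ignored so no rule is ever
    installed for an address the guest did not actually receive.
    """
    try:
        msg = parse_dhcp(payload)
    except ValueError:
        return None
    if msg["op"] != BOOTREPLY or msg["options"].get(53) != bytes([DHCPACK]):
        return None
    if msg["yiaddr"] == "0.0.0.0":
        return None
    return msg["mac"], msg["yiaddr"]


def antispoof_rules(vif: str, mac: str, ip: str) -> list:
    """Commands pinning VIF to one MAC/IP; a hypothetical layout, not Xen's.

    A per-vif ebtables chain is reached from FORWARD (bridged frames) and
    INPUT (frames for dom0 itself, e.g. a dhcpd running there). DHCP from
    0.0.0.0 and ARP probes with a 0.0.0.0 sender are allowed before the drops
    so the guest can (re)acquire its lease. The broute rule routes the
    guest's IPv4 frames instead of bridging them (DROP in the broute table
    means "route"), so iptables FORWARD sees them arriving on -i VIF.
    """
    chain = "as_" + vif.replace(".", "_")   # hypothetical chain name
    return [
        f"ebtables -N {chain}",
        f"ebtables -A FORWARD -i {vif} -j {chain}",
        f"ebtables -A INPUT -i {vif} -j {chain}",
        f"ebtables -A {chain} -s ! {mac} -j DROP",
        f"ebtables -A {chain} -p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-dport 67 -j ACCEPT",
        f"ebtables -A {chain} -p IPv4 --ip-src ! {ip} -j DROP",
        f"ebtables -A {chain} -p ARP --arp-ip-src 0.0.0.0 -j ACCEPT",
        f"ebtables -A {chain} -p ARP --arp-ip-src ! {ip} -j DROP",
        f"ebtables -t broute -A BROUTING -i {vif} -p IPv4 -j DROP",
        f"iptables -A FORWARD -i {vif} -s 0.0.0.0/32 -p udp --dport 67 -j ACCEPT",
        f"iptables -A FORWARD -i {vif} ! -s {ip} -j DROP",
    ]


def build_dhcp_ack(mac: bytes, yiaddr: str, msg_type: int = DHCPACK) -> bytes:
    """Construct a minimal server reply (test fixture, not a real capture)."""
    pkt = struct.pack("!BBBB", BOOTREPLY, 1, 6, 0)    # op, htype=ether, hlen, hops
    pkt += b"\x12\x34\x56\x78" + b"\x00" * 4           # xid, secs, flags
    pkt += b"\x00" * 4 + ipaddress.IPv4Address(yiaddr).packed  # ciaddr, yiaddr
    pkt += b"\x00" * 8                                 # siaddr, giaddr
    pkt += mac + b"\x00" * 10                          # chaddr padded to 16
    pkt += b"\x00" * 192                               # sname, file
    pkt += DHCP_MAGIC + bytes([53, 1, msg_type, 255])  # option 53 + end
    return pkt


if __name__ == "__main__":
    # Constructed lease: a made-up Xen-style MAC and a private address.
    ack = build_dhcp_ack(bytes.fromhex("00163e000001"), "10.0.0.5")
    lease = learn_lease(ack)
    if lease:
        for cmd in antispoof_rules("vif1.0", *lease):
            print(cmd)
```

On the question of whether iptables sees bridged frames at all: without brouting, bridged IP traffic only reaches the iptables FORWARD chain when the bridge-netfilter code is enabled, and it is then matched with `-m physdev --physdev-in vif1.0` rather than `-i vif1.0`; the rules above assume the brouted path the thread describes, where `-i vif1.0` is correct. Either way the ebtables rules guard the layer-2 side (MAC and ARP sender), which iptables never checks.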
