WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Xen with 'Routing' scripts

On Monday, 18.04.2005, 16:02 +0200, Roland Paterson-Jones wrote:
> 
> Nils Toedtmann wrote:
> 
> >On Sunday, 17.04.2005, 18:56 +0200, Roland Paterson-Jones wrote:
> I'm assuming iptables doesn't see bridged ethernet traffic(!?)
[...]
> >* iptables to enforce the correct IP (--> no IP spoofing)
> Does iptables get to see ethernet-bridged traffic? I thought ethernet 
> traffic snuck through under the iptables radar since it doesn't 
> (shouldn't?) touch the IP stack.

That depends. In the old days of linux-2.4 you needed the br-nf patch
from the ebtables site to make bridged IP packets visible to iptables.
But as I already said, there is now "CONFIG_BRIDGE_NETFILTER" in
linux-2.6: if you compile a kernel with "CONFIG_BRIDGE_NETFILTER=y" (as
all distributors I know do, and as Xen does in its default dom0 config),
then iptables sees every forwarded frame which has ethertype 0x0800
(IPv4). If you want it more detailed, see this netfilter/ebtables flow
chart:

  <http://l7-filter.sourceforge.net/PacketFlow.png> 

So: everything you want to filter you can filter with bridging.

/nils.


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
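The anti-spoofing setup discussed in this thread, as an added example that is not part of the original mail: a dom0 script that generates per-guest rules, relying on CONFIG_BRIDGE_NETFILTER so that bridged IPv4 frames hit the iptables FORWARD chain (matched against the bridge port with `-m physdev`). Because, as Nils notes, iptables only sees ethertype 0x0800, ARP from the guest never reaches it; the matching ARP/MAC check therefore goes into ebtables. The vif names, guest IPs and MAC addresses are constructed placeholders, and the check of `/proc/sys/net/bridge/bridge-nf-call-iptables` assumes a 2.6 kernel with bridge-netfilter built in.

```shell
#!/bin/sh
# Added example, not from the thread: generate anti-spoofing rules for
# Xen guests on a dom0 bridge. Guest data below is constructed.

# iptables rules for one guest port: IPv4 frames entering the bridge
# from that vif must carry the guest's assigned source address.
# Requires CONFIG_BRIDGE_NETFILTER so bridged frames traverse FORWARD.
ipv4_antispoof_rules() {
    vif=$1; ip=$2
    cat <<EOF
iptables -A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $vif -j DROP
EOF
}

# iptables only sees ethertype 0x0800 (IPv4); ARP (0x0806) bypasses it,
# so the source-MAC and ARP sender checks must be ebtables rules.
arp_antispoof_rules() {
    vif=$1; ip=$2; mac=$3
    cat <<EOF
ebtables -A FORWARD -i $vif -s ! $mac -j DROP
ebtables -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP
ebtables -A FORWARD -i $vif -p ARP --arp-mac-src ! $mac -j DROP
EOF
}

# Returns 0 only if the kernel actually hands bridged frames to iptables;
# otherwise the iptables rules above would never see guest traffic.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Constructed inventory: vif, assigned IP, assigned MAC (Xen OUI 00:16:3e).
guests="vif1.0 10.0.0.11 00:16:3e:00:00:11
vif2.0 10.0.0.12 00:16:3e:00:00:12"

# Emit the complete rule set for every guest in the inventory.
generate_all() {
    echo "$guests" | while read vif ip mac; do
        ipv4_antispoof_rules "$vif" "$ip"
        arp_antispoof_rules "$vif" "$ip" "$mac"
    done
}

# Default: print the rules for review. "apply": execute them in dom0,
# refusing to run when bridge-netfilter is not active.
case "${1:-}" in
    apply) bridge_nf_enabled || { echo "bridge-nf-call-iptables is not enabled" >&2; exit 1; }
           generate_all | sh -e ;;
    *)     generate_all ;;
esac
```

Run without arguments to review the generated rules; `apply` runs them through `sh -e` so a single failing command aborts instead of leaving a guest half-filtered. The DROP rules are appended after the guest's ACCEPT, so order within each vif pair matters if the rules are later edited by hand.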
