This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


RE: [Xen-users] Automatically provisioning IP addresses on a new VM

To: "George Shuklin" <george.shuklin@xxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Automatically provisioning IP addresses on a new VM
From: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>
Date: Sun, 21 Nov 2010 10:22:34 +1100
Delivery-date: Sat, 20 Nov 2010 15:23:58 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1290294376.27972.35.camel@xxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <AANLkTinibYH-UF0txZgkXTmALRQaSvTV60PRkHM0BnFV@xxxxxxxxxxxxxx><AEC6C66638C05B468B556EA548C1A77D01B209AD@trantor><AANLkTimvNemuq3oULs3vuEBKYnZp6fRst_c5DgA0D1mt@xxxxxxxxxxxxxx><AANLkTin1SOEH5EMkHLVh26JTtGncW+28t6M6XFSzk1cc@xxxxxxxxxxxxxx> <1290294376.27972.35.camel@xxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcuJB8UOKlct///eTuaMBzn9BU2jYAAAdfOg
Thread-topic: [Xen-users] Automatically provisioning IP addresses on a new VM
> В Сбт, 20/11/2010 в 10:41 -0500, Javier Guerra Giraldez пишет:
> > On Sat, Nov 20, 2010 at 9:26 AM, Andrew White <admin@xxxxxxxxxxxxxxx> wrote:
> > > Would you be able to elaborate on dom0 anti-spoofing?
> >
> > simply add a netfilter rule to allow only packets with the intended IP
> > source coming from the vif
> And, migration? And reboot?
> I think, creating correct VM tracking system is not so easy as sound...

You'd script it in the vif scripts, which I think is already done for MAC 
address spoofing.

Even if you decided on some other method than DHCP, your DomU's are still 
untrusted so you still need to restrict at the vif level.

Xen-users mailing list