WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-devel] vif-bridge question

On November 22, 9:30 am Ian Pratt <Ian.Pratt@xxxxxxxxxxxx> wrote:
>
> >  in /etc/xen/scripts/vif-bridge there is this snippet of code:
> >
> >  if [ ${ip} ] ; then
> >
> >      # If we've been given a list of IP networks, allow pkts with these
> >  src addrs.
> >      for addr in ${ip} ; do
> >          iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s
> >  ${addr} -j ACCEPT
Here vif will be something like vif34.0; how is it viewed by the bridging
code? (As a standard ethXX interface?)

Because I'm wondering whether this rule will be matched by netfilter.

> >      done
> >
> >
> >  The ip list is a command line argument.  My question where is the
> >  domain config file can I specify the IP's that will be sent to
> >  vif-bridge?  I tried:
> >
> >  ip="1.1.1.1/32 1.1.1.2/32" and other variations but I just get illegal
> >  kernel boot option.
>
> As I recall, it's looking for a comma separated list of IP addrs
> ip="1.2.3.4,2.3.4.5"
>
> I don't think the 'antispoof' stuff in vif-bridge is widely used
> as most people that want to do firewalling roll their own.
>
I use antispoof, but I've been obliged to modify the rule this way:
iptables ${iptcmd} FORWARD -m physdev --physdev-out ${interface} -j ACCEPT
in order to allow a xenU domain to talk with another computer on my
network.

In order to allow two xenU domains on the same machine to talk, I'm also
obliged to add these two more rules:

iptables ${iptcmd} FORWARD -i ${vif} -j ACCEPT
iptables ${iptcmd} FORWARD -o ${vif} -j ACCEPT
I'm obliged to add these because I don't specify an IP address in the xenU
configuration file, so it skips the piece of code you quoted above.

You may ask why I don't specify the IP in the xenU domain file.
In my point of view there are two cases:
* XenU has a DHCP address, and so if the interface gets its address from DHCP,
specifying it is useless ...

* XenU has a fixed address; well, for the moment I prefer to specify the
address also in the interfaces file (in Debian), so specifying it in this file +
xenU is redundant and may introduce errors when I change the address.



> I'd be interested to hear how it works for you. In particular,
> you might need to make the rules more lenient to allow some DHCP
> servers to work.
>
> Ian


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel
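The thread above is about the antispoof block in vif-bridge: it only emits rules when the domain config supplies an ip list, and Ian notes the list is comma-separated while the `for addr in ${ip}` loop splits on whitespace. The following script is an added example, not the vif-bridge script shipped with Xen: it reproduces that loop for one vif, normalises a comma-separated or space-separated list, validates each entry so a typo in the config cannot become a stray iptables argument, and prints the rules instead of running them so they can be inspected before being piped to sh. The DHCP exception and the final DROP are my additions and assumptions, not something the original snippet shows; the iptables jump flag is lowercase `-j`. One caveat the thread asks about: `-m physdev --physdev-in vifN.0` only matches in the FORWARD chain if the kernel hands bridged frames to iptables (bridge-nf-call-iptables enabled); on a bridge that does not, none of these rules will ever see the traffic.

```shell
#!/bin/sh
# Added example (not the Xen vif-bridge script): generate the antispoof
# FORWARD rules for one vif and print them. Pipe the output to sh to apply.
# Assumptions: the DHCP exception and the trailing DROP are additions here.

# Accept only dotted-quad IPv4, optionally with a /prefix; anything else is
# refused so a malformed config value never reaches the iptables command line.
is_ipv4_net() {
    case "$1" in
        *[!0-9./]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# antispoof_rules <vif> <iptcmd> <ip-list>
#   vif     : dom0 end of the domU interface, e.g. vif34.0
#   iptcmd  : -A when the vif comes online, -D when it goes offline (as in vif-bridge)
#   ip-list : "1.2.3.4,2.3.4.5", "1.2.3.4 2.3.4.5", or "" (no antispoof at all)
antispoof_rules() {
    vif="$1"; iptcmd="$2"; ip="$3"
    # Turn the comma-separated form from the domain config into words so the
    # for loop below sees one address per iteration.
    addrs=$(printf '%s' "$ip" | tr ',' ' ')
    [ -n "$addrs" ] || return 0    # no list given: nothing is emitted, as in the original

    for addr in $addrs; do
        if ! is_ipv4_net "$addr"; then
            echo "# skipped invalid address '$addr' for $vif" >&2
            continue
        fi
        # Packets entering the bridge from this vif with an allowed source address.
        echo "iptables $iptcmd FORWARD -m physdev --physdev-in $vif -s $addr -j ACCEPT"
    done
    # A DHCP client has no address yet and sends from 0.0.0.0 to UDP/67; without
    # this exception (an assumption here) the DROP below would block it.
    echo "iptables $iptcmd FORWARD -m physdev --physdev-in $vif -p udp --sport 68 --dport 67 -j ACCEPT"
    # Anything else leaving this vif carries a source address the domain does
    # not own: drop it (assumed policy, not shown in the original snippet).
    echo "iptables $iptcmd FORWARD -m physdev --physdev-in $vif -j DROP"
}

# Demo with constructed values: a vif coming online with two allowed addresses.
antispoof_rules vif34.0 -A "1.2.3.4,2.3.4.5"
```

Running the demo prints four rules: one ACCEPT per address, the DHCP exception, and the DROP. Called with an empty list it prints nothing, which is exactly the situation the poster describes where the antispoof block is skipped and separate `-i ${vif}` / `-o ${vif}` ACCEPT rules have to be added by hand.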
