WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Xen-devel] [patch 5/5] xen: net features

from [Ian Pratt] [Permanent Link][Original]
To: "Jody Belka" <lists-xen@xxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-devel] [patch 5/5] xen: net features
From: "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Date: Tue, 1 Feb 2005 00:45:28 -0000
Delivery-date: Tue, 01 Feb 2005 00:49:35 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
Thread-index: AcUH9NpW3lEm7u6eTB6ELCWyvp7bngAAROMg
Thread-topic: [Xen-devel] [patch 5/5] xen: net features 
> I was thinking of something along the lines of adding a tiny 
> bit of code
> to remove the CAP_SYS_MODULE and CAP_SYS_RAWIO capabilities 
> from the global
> set of allowed cap's when using the readonly option. With 
> that in place you're
> down to requiring a kernel-hole to get around it.

I'd prefer to just enforce it in the backend, rather than have something
that could potentially be subverted. 

> > > > > (2) the addition of some xen-specific sysfs attributes
> > > > > on front/back vifs, 
> > > > 
> > > > What attributes?
> > > 
> > > Backend:
> > > - xen/fe.domain: frontend domain name
> > > - xen/fe.initial_address: initial frontend interface mac address
> > > - xen/fe.mac_mode: mac mode of the frontend interface (r/w)
> > > - xen/be.mac_mode: mac mode of the backend interface (r/w)
> > I can see some point having the be enforce the MAC, and possibly in
> > having the enforcement address being configurable via 
> sysfs. I'm not a
> > big fan of this section of the patch, though.
> 
> The entire idea of it or just the current attributes?

I can see the point of having some controls on the backend:

xen/fe.domain_name: frontend domain name (read only, for reference)
xen/fe.mac:         all transmitted packets must have this MAC
(read/write)

Having said that, since most people want to enforce a given src IP
address and hence have to use iptables anyway, its not buying us a huge
amount. Ebtables can be used to have the same effect very easily.

Having the fe domain name stored in the kernel is somewhat distasteful
as its purely for user space's benefit and we're likely to get into
"should it be the name or uniqueid?" issues.

Ian
 


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] [patch 4/5] xen: netback mac selection, Jody Belka
Next by Date:  Re: [Xen-devel] [patch 5/5] xen: net features, Jody Belka
Previous by Thread:  [Xen-devel] Re: [patch 5/5] xen: net features, Nuutti Kotivuori
Next by Thread:  Re: [Xen-devel] [patch 5/5] xen: net features, Jody Belka
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy