Re: [Xense-devel] Re: [Xen-devel] RFC: virtual network access control

[Reiner Sailer <sailer@xxxxxxxxxx>]

xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 07/28/2006
11:13:07 AM:

> > We see other problems as well: IPtables seems to not see any
of the
> > ethernet-bridged packets. If you wanted to use IPtables then
you
> > would need to replace the ethernet bridge with routing each packet.
> 
> You want CONFIG_BRIDGE_NETFILTER=y, this makes iptabes see bridged
packets.
> 
> Additionally you need CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y, that allows
> matching on the physical device name for bridged packets.  That
way you
> can filter by domain (because each domain has its own virtual bridge
> port) instead of ip/mac address.
> 
> cheers,
> 
>   Gerd

Using IPtables this way sounds like a feasible compromise
for the short term.

There are drawbacks to this short-term solution:
* dependencies on user space tools (also coordination
requirements wrt other users of IPtables)
* performance: rules add up in IPTables when the number
of interfaces increases
* scalability: for every interface coming up we make
a number of hypercalls to setup the filters to the existing interfaces
[O(n) for sHype/ACM; other non-symmetric policies might involve more overhead]

For these reasons, I suggest that we include networking
in our discussions about the long-term security architecture and related
interfaces in Xen.

If there are no other suggestions then we will proceed
following the suggestion to use IPtables and filtering based on devices.

Reiner
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel