WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

[Xen-devel] Network filtering setup

To: xen-devel <Xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] Network filtering setup
From: Jacob Gorm Hansen <jacobg@xxxxxxx>
Date: Fri, 22 Dec 2006 15:25:59 +0100
Delivery-date: Fri, 22 Dec 2006 06:26:10 -0800
hi,

back in the Xen 1.x days I had this wonderful setup where I did not have to
bother with vifs and bridges or fake MAC addresses, and the following
piece of C in dom0:

#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Xen 1.x dom0: push two ACCEPT rules into the virtual firewall/router
 * via /proc/xen/vfr so that one domain's vif can reach the outside.
 * Rule 1: anything addressed to guest_ip is delivered to (dom, index 0).
 * Rule 2: anything from guest_ip leaving (dom, index 0) may go to PHYS. */
void setup_vfr_rules_for_vif(int dom, int vif, char *guest_ip)
{
    int f = open("/proc/xen/vfr", O_WRONLY);
    char s[256];
    if (f < 0)
        return;
    /* interface index 0 is passed literally, as in the original post */
    snprintf(s, sizeof s, "ADD ACCEPT dstaddr=%s dstaddrmask=255.255.255.255 src=ANY "
             "dstdom=%d dstidx=%d proto=any\n", guest_ip, dom, 0);
    write(f, s, strlen(s));
    snprintf(s, sizeof s, "ADD ACCEPT srcaddr=%s srcaddrmask=255.255.255.255 srcdom=%d "
             "srcidx=%d dst=PHYS proto=any\n", guest_ip, dom, 0);
    write(f, s, strlen(s));
    close(f);
}

would allow a domU to send and receive IP traffic through eth0,
including somehow magically getting ARP requests answered or routed to
the right place.

I have been trying various things to get the same effect in Xen 3.x, but
to be honest my iptables knowledge is a bit rusty, so all I have been
able to come up with is a routed setup, but that only seems to work when
all the peers have the host hardcoded into their routing tables.

Does anyone have the perfect setup (list of iptables commands I suppose)
for this, preferably without bridging at the Ethernet layer?
NAT/Masquerading is not an option, as I prefer not to have any state
kept in dom0.

Thanks,
Jacob


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
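One way to get the routed, bridge-less, stateless setup asked for above, as an added example that is not part of the original post and is not Xen's own network-route/vif-route scripts. It generates the dom0 commands for one domU rather than running them: host route to the guest over its vif, proxy ARP on the external interface so that peers on the LAN no longer need a hardcoded route to the host, and per-vif FORWARD rules that mirror the two vfr ACCEPT rules (only the guest's own address may leave its vif, only traffic to that address may enter it). Interface name eth0, the vif naming vif<dom>.<idx>, the dom0 address 198.51.100.1 and the guest address 192.0.2.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post and not Xen's own vif-route script.
# Emits the dom0 commands for a routed (no bridge, no NAT, no conntrack) setup
# for one domU, with per-vif anti-spoofing in the FORWARD chain.
# Assumed/hypothetical: external interface eth0, vif named vif<dom>.<idx>,
# dom0 address 198.51.100.1 used as the guest's gateway.

EXT_IF="${EXT_IF:-eth0}"
DOM0_IP="${DOM0_IP:-198.51.100.1}"

# Syntactic IPv4 check so that a bad guest address cannot smuggle shell
# metacharacters into the generated command lines (octet range not checked).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_routed_vif DOM IDX GUEST_IP: print the commands, one per line, without
# running them. Returns 1 on a malformed address.
gen_routed_vif() {
    dom="$1"; idx="$2"; guest_ip="$3"
    is_ipv4 "$guest_ip" || return 1
    vif="vif${dom}.${idx}"
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
sysctl -q -w net.ipv4.conf.${EXT_IF}.proxy_arp=1
ip addr add ${DOM0_IP} dev ${vif}
ip link set ${vif} up
ip route add ${guest_ip}/32 dev ${vif} src ${DOM0_IP}
iptables -A FORWARD -i ${vif} -s ${guest_ip} -o ${EXT_IF} -j ACCEPT
iptables -A FORWARD -i ${EXT_IF} -d ${guest_ip} -o ${vif} -j ACCEPT
iptables -A FORWARD -i ${vif} -j DROP
iptables -A FORWARD -o ${vif} -j DROP
EOF
}

# Usage: gen_routed_vif 3 0 192.0.2.10        (review the commands)
#        gen_routed_vif 3 0 192.0.2.10 | sh   (apply them, as root on dom0)
if [ $# -eq 3 ]; then
    gen_routed_vif "$@"
fi
```

Inside the guest, the matching configuration is a /32 route to the dom0 address over eth0 and a default route via it. None of the FORWARD rules use -m state or NAT, so no connection tracking entries are created in dom0; the price is that the guest gets no stateful protection, only address-based filtering. Because the first ACCEPT rule also requires -o eth0, guest-to-guest forwarding through dom0 is dropped by the per-vif DROP rule; remove that -o match if guests should be able to talk to each other.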
