This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Xen 3.4.2 networking help

To: Simon Hobson <linux@xxxxxxxxxxxxxxxx>, Xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Xen 3.4.2 networking help
From: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
Date: Wed, 27 Oct 2010 08:17:46 +0100
Delivery-date: Wed, 27 Oct 2010 00:18:30 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <p06240806c8ed7b7b3394@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <865472.89218.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1288112346.2867.147.camel@E4310> <830769.85058.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <p06240806c8ed7b7b3394@xxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100713 Thunderbird/3.0.6

> I'm not sure what, if anything, is done by setting an IP in the DomU config! I vaguely recall that there is a mechanism for a PV guest to get this and use it when configuring the network.
Correct. For the most part, it does nothing of much importance.

> What you will need to do is configure iptables and/or ebtables (which I haven't personally used) to limit what traffic is permitted from each DomU. Ideally you want to restrict traffic both by source IP address and by source MAC address - have you seen what happens when a device uses a MAC address that's already in use? The biggest issue with iptables and bridging is that you cannot restrict traffic which is outbound from the machine with the bridge (i.e. your Dom0) - you can restrict/control all inbound and forwarded traffic.
I'm not sure what you mean by this? On my Xen nodes, I have 2 NICs. NIC1 is connected to a public bridge (which has no IP assigned) which all the DomUs are connected to. I use ebtables and iptables to make sure that no traffic from NIC1 can get onto the INPUT chain of the Dom0. NIC2 is connected to a private bridge to which my Dom0 has an IP assigned. I also have some private DomUs connected to this bridge.

> Unfortunately, to do this will mean running iptables/ebtables scripts each time you start a guest and its new VIFs are configured. I'm not aware of any pre-existing scripts to do this.
I have made scripts to do this on my setup. It's very easy. You have to create a new vif-bridge file for each DomU in /etc/xen/scripts (vif-bridge-x) and set the DomU config to use the respective file. Then in each vif-bridge-x file, comment out "handle_iptable" and call another script (iptables-up-x and iptables-down-x) which runs the correct iptables commands. You could also put the iptables calls directly in the vif-bridge-x file; however, I keep them separate just to keep things neat. It also means I can call my iptables-up-x and iptables-down-x scripts without rebooting the DomU. I have also given each DomU an incoming chain and an outgoing chain, meaning I can easily add rules which only apply to each DomU. I make heavy use of physdev.

> There is a third way, and that is to have a monitoring script that detects a machine using an address it's not assigned - and to shut it down. Having your host shut down from under you is likely to get your attention and teach you not to do it again!

> I'm not sure why you need to restrict IP traffic between guests. While it's unlikely, one guest may have need of contact with another, just as it will almost certainly have need of contact with other hosts on the internet. Unless you are running an external firewall to protect them all (in which case the guest-guest traffic would be unprotected), there's really no difference from them being separate hosts on the big bad internet and each should be configured with its own firewall.
If you use my iptables scripts idea above, you can put rules in there to restrict inter-DomU communication.
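The per-DomU iptables-up-x / iptables-down-x idea described above, written out as an added example. This is not code from the original post, from Simon's reply, or from Xen's own vif-bridge / handle_iptable scripts; the script name, the domu_* chain naming, the function names and the sample DomU values (vif3.0, 192.0.2.10, 00:16:3e:00:00:01) are assumptions for illustration. It covers the three things the thread asks for: per-DomU in/out chains hooked into FORWARD with physdev, anti-spoofing by both source IP and source MAC (ebtables for the ARP/MAC layer that iptables does not see), and a rule that drops DomU-to-DomU traffic on the bridge. It assumes br_netfilter with net.bridge.bridge-nf-call-iptables=1, since bridged frames only reach Dom0's FORWARD chain when that is on.

```sh
#!/bin/sh
# Added example (not from the original post or from Xen): a per-DomU
# "iptables-up-x"/"iptables-down-x" style script. Chain names, function
# names and sample values are assumptions for illustration. Intended to be
# called from a per-DomU vif-bridge-x hook in place of handle_iptable
# (Xen passes the Dom0-side interface as $vif and the config's ip= as $ip;
# the MAC is assumed to be passed explicitly here).
# Requires br_netfilter with net.bridge.bridge-nf-call-iptables=1.
#
#   ./iptables-domu.sh up   vif3.0 192.0.2.10 00:16:3e:00:00:01
#   ./iptables-domu.sh down vif3.0 192.0.2.10 00:16:3e:00:00:01
# Set IPT=echo EBT=echo to print the commands instead of applying them.

IPT="${IPT:-iptables}"
EBT="${EBT:-ebtables}"

# Chain-name base from a vif name, e.g. vif3.0 -> domu_3_0
chain_for() {
    printf 'domu_%s\n' "$(printf '%s' "$1" | sed 's/^vif//; s/\./_/g')"
}

# Emit the rules (one command per line) that fence in one DomU:
#   - dedicated in/out chains hooked into FORWARD via physdev
#   - Dom0's INPUT never accepts anything arriving from the DomU's vif
#   - anti-spoofing: only the assigned MAC and IP may originate traffic
#   - inter-DomU traffic on the bridge is dropped (vif+ matches every vif)
#   - ebtables catches spoofed MACs and ARP replies that iptables cannot see
domu_rules() {
    vif="$1"; ip="$2"; mac="$3"
    in="$(chain_for "$vif")_in"
    out="$(chain_for "$vif")_out"
    cat <<EOF
$IPT -N $in
$IPT -N $out
$IPT -I FORWARD -m physdev --physdev-in $vif -j $in
$IPT -I FORWARD -m physdev --physdev-is-bridged --physdev-out $vif -j $out
$IPT -I INPUT -m physdev --physdev-in $vif -j DROP
$IPT -A $in -m mac ! --mac-source $mac -j DROP
$IPT -A $in ! -s $ip -j DROP
$IPT -A $in -m physdev --physdev-is-bridged --physdev-out vif+ -j DROP
$IPT -A $in -j RETURN
$IPT -A $out -m physdev --physdev-is-bridged --physdev-in vif+ -j DROP
$IPT -A $out -j RETURN
$EBT -A FORWARD -i $vif -s ! $mac -j DROP
$EBT -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP
EOF
}

# Emit the commands that undo domu_rules for a vif: unhook in reverse
# order, then flush and delete the per-DomU chains.
domu_down_rules() {
    vif="$1"; ip="$2"; mac="$3"
    in="$(chain_for "$vif")_in"
    out="$(chain_for "$vif")_out"
    cat <<EOF
$EBT -D FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP
$EBT -D FORWARD -i $vif -s ! $mac -j DROP
$IPT -D INPUT -m physdev --physdev-in $vif -j DROP
$IPT -D FORWARD -m physdev --physdev-is-bridged --physdev-out $vif -j $out
$IPT -D FORWARD -m physdev --physdev-in $vif -j $in
$IPT -F $in
$IPT -F $out
$IPT -X $in
$IPT -X $out
EOF
}

# Apply the emitted commands; "sh -e" stops at the first failing rule.
case "${1:-}" in
    up)   shift; domu_rules "$@" | sh -e ;;
    down) shift; domu_down_rules "$@" | sh -e ;;
esac
```

Because the rules are generated by a function rather than typed inline, the same script can be run by hand against a live DomU (the "without rebooting the DomU" point above) or with IPT=echo EBT=echo to review what would be applied. Two caveats a practitioner should keep in mind: the iptables MAC and IP checks only see IP traffic, so the two ebtables lines are what actually stop a guest from answering ARP for an address it does not own; and, as Simon notes, none of this constrains traffic that originates from Dom0 itself.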
