Re: [Xen-devel] Communication between Domain0 and Domain1

> On Jul 18, 2004, at 3:09 PM, Ian Pratt wrote:
> > I haven't had any problems with bridging, but I agree that the L3
> > routing solution may be better under some circumstances.
> I haven't had great luck with bridging in linux period, not just with 
> Xen.  Fortunately I've rarely needed it.
> In any case, the reason I'm personally using VMs is to strictly control 
> what is allowed in and out of each particular VM and to be able to 
> control through firewalling anyway, and doing some VM-based solution is 
> a heck of a lot cheaper than buying a dozen physical pieces of hardware 

With the bridge-nf patch that we build into dom0 by default it's
possible to do all the normal iptables firewalling with a bridge setup.

> > It would be good to have a 'vif-router' script to use as an
> > alternative to 'vif-bridge' for users wanting to operate a routed
> > configuration. If you've got something suitable we could check in
> > to the repo that would be great. I guess a modified 'network'
> > script would be required too.
> If I can get the VMs stabilized, I'll work on that next since right now 
> I've just got everything in script I wrote that "brute-force" ups a 
> bunch of aliases and adds a bunch of NAT rules that I'm running 
> manually.
> I haven't looked real close at the bridge config/script so I don't know 
> if it handles downing a VM gracefully; iptables isn't very good at 
> dynamically removing rules.  You have to know what order they went in 
> to be able to remove it in the order it was created.  i.e. you can 
> create a rule by saying "from source IP such and destination IP such, 
> do thusly" but you can't remove it with the same terminology, you have 
> to say "remove rule number twelve."  So bringing up a VIP and assigning 
> an eth0 alias and creating a NAT rule is pretty easy, but there's no 
> graceful way to handle removing the NAT rule if you want to down the 

Yep, iptables isn't so smart. I wonder if it's possible to do
something by having rules for a particular domain on a single
chain, and then just delete the whole chain when a VM dies?
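The per-domain-chain idea from the reply above, as an added example (not a script from the Xen tree or from either poster): a vif-router-style helper that puts every filter and NAT rule for one guest into a chain named after it, so tearing the guest down is "delete the jumps, flush the chain, delete the chain" with no rule numbers to track. The chain name "vif-<domain>", the argument order, the DRY_RUN switch and the sample addresses are assumptions made for this example; a real vif script would get the vif name and IP from xend.

```shell
#!/bin/sh
# Per-domain iptables chains (added example, not the Xen vif-bridge script).
# All rules for one guest live in chain "vif-<domain>"; the only rules outside
# it are the jumps into it, which are removed by their own match spec.
#
# Assumed interface: vif_up <domain> <vif> <guest-ip> <external-ip>
#                    vif_down <domain> <vif> <guest-ip>
# DRY_RUN=1 prints the iptables commands instead of running them (no root).

IPTABLES="${IPTABLES:-iptables}"

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

vif_up() {
    dom=$1; vif=$2; ip=$3; ext=$4
    chain="vif-$dom"
    # Filter rules for forwarded traffic to and from this guest, in its own chain.
    ipt -N "$chain"
    ipt -A "$chain" -i "$vif" -s "$ip" -j ACCEPT
    ipt -A "$chain" -o "$vif" -d "$ip" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A "$chain" -j DROP
    # Jumps from FORWARD keyed on the vif only, so they are easy to delete later.
    ipt -A FORWARD -i "$vif" -j "$chain"
    ipt -A FORWARD -o "$vif" -j "$chain"
    # A matching nat chain so the SNAT rule disappears with the guest too.
    ipt -t nat -N "$chain"
    ipt -t nat -A "$chain" -s "$ip" -j SNAT --to-source "$ext"
    ipt -t nat -A POSTROUTING -s "$ip" -j "$chain"
}

vif_down() {
    dom=$1; vif=$2; ip=$3
    chain="vif-$dom"
    # Remove the jumps first: iptables refuses to delete a chain that is
    # still referenced. Then flush (-F) and delete (-X) the chain itself.
    ipt -D FORWARD -i "$vif" -j "$chain"
    ipt -D FORWARD -o "$vif" -j "$chain"
    ipt -F "$chain"
    ipt -X "$chain"
    ipt -t nat -D POSTROUTING -s "$ip" -j "$chain"
    ipt -t nat -F "$chain"
    ipt -t nat -X "$chain"
}

# Usage: DRY_RUN=1 sh vif-router.sh up dom1 vif1.0 10.0.0.2 192.0.2.1
case "${1:-}" in
    up)   shift; vif_up "$@" ;;
    down) shift; vif_down "$@" ;;
esac
```

Two practical notes: `iptables -D` does accept the same match specification that was used with `-A`, so even the jump rules above are deleted by spec rather than by number, but keeping the guest's rules in a dedicated chain means the teardown never has to reconstruct each rule. With a bridged setup and the bridge-nf patch mentioned above, the same per-chain layout works; the jumps would then match on the bridge port with `-m physdev` instead of `-i`/`-o` on a routed vif.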


