
Re: [Xen-devel] Communication between Domain0 and Domain1




On Jul 18, 2004, at 3:09 PM, Ian Pratt wrote:

> I haven't had any problems with bridging, but I agree that the L3
> routing solution may be better under some circumstances.

I haven't had great luck with bridging in Linux, period, not just with Xen. Fortunately I've rarely needed it.

In any case, the reason I'm personally using VMs is to strictly control what is allowed in and out of each particular VM and to be able to control through firewalling anyway, and doing some VM-based solution is a heck of a lot cheaper than buying a dozen physical pieces of hardware and putting them all on a DMZ behind a dedicated firewall, especially if all one of those VMs may be doing is DNS. It's a little more load on the box overall to have your dom0 doing the packet filtering, but if your boxes were overloaded anyway, you probably wouldn't be doing VMs. :)

> It would be good to have a 'vif-router' script to use as an
> alternative to 'vif-bridge' for users wanting to operate a routed
> configuration. If you've got something suitable we could check in
> to the repo that would be great. I guess a modified 'network'
> script would be required too.

If I can get the VMs stabilized, I'll work on that next, since right now I've just got everything in a script I wrote that "brute-force" ups a bunch of aliases and adds a bunch of NAT rules, which I'm running manually.

I haven't looked real close at the bridge config/script so I don't know if it handles downing a VM gracefully; iptables isn't very good at dynamically removing rules. You have to know what order they went in to be able to remove it in the order it was created. i.e. you can create a rule by saying "from source IP such and destination IP such, do thusly" but you can't remove it with the same terminology, you have to say "remove rule number twelve." So bringing up a VIP and assigning an eth0 alias and creating a NAT rule is pretty easy, but there's no graceful way to handle removing the NAT rule if you want to down the VM/VIP.

The way we've been dealing with this issue where I work, using UML, is to have the VM "up" and "down" scripts modify a set of iptables rules to either include or exclude the config for a particular VM, and then require that the rules be reloaded after upping or downing a VM, which will re/create any necessary aliases and reload all the iptables rules. It's not as elegant, but it does work.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"We all enter this world in the    | Support Electronic Freedom
same way: naked; screaming; soaked |        http://www.eff.org/
in blood. But if you live your     |  http://www.anti-dmca.org/
life right, that kind of thing     |---------------------------
doesn't have to stop there." -- Dana Gould
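The "modify a fragment, then reload the whole rule set" approach described above, as an added example that is not from this thread or from Xen's own vif scripts: one rule fragment per VM under an assumed directory, and the nat table rebuilt wholesale with iptables-restore, so downing a VM never requires knowing a rule number. The directory, VM names and addresses are assumptions.

```shell
#!/bin/sh
# Hypothetical helper: per-VM NAT fragments regenerated into one ruleset.
# RULES_DIR is an assumed location, not a Xen or UML convention.
RULES_DIR="${RULES_DIR:-/etc/xen/nat.d}"

# vm_up <name> <vm_ip> <public_ip>: write (or overwrite) the VM's fragment.
# Running it twice for the same VM is harmless: the file is just replaced.
vm_up() {
    name=$1; vm_ip=$2; pub_ip=$3
    mkdir -p "$RULES_DIR"
    cat > "$RULES_DIR/$name.rules" <<EOF
# vm=$name public=$pub_ip
-A PREROUTING -d $pub_ip -j DNAT --to-destination $vm_ip
-A POSTROUTING -s $vm_ip -j SNAT --to-source $pub_ip
EOF
}

# vm_down <name>: drop the fragment; the rules vanish on the next reload.
vm_down() {
    rm -f "$RULES_DIR/$1.rules"
}

# Emit a complete nat table in iptables-restore format from all fragments.
# Comment lines in fragments are stripped; a missing directory yields an
# empty (but still valid) table, which is what you want after the last VM.
build_ruleset() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for f in "$RULES_DIR"/*.rules; do
        [ -e "$f" ] && grep -v '^#' "$f"
    done
    echo 'COMMIT'
}

# Replace the live nat table. iptables-restore flushes the table before
# loading (unless -n is given), so rules for downed VMs are gone without
# ever issuing a delete-by-number. Needs root; not run in the test below.
reload_rules() {
    build_ruleset | iptables-restore
}
```

Only the nat table is managed here; the eth0 aliases the message mentions would be recreated by the same reload step from the `public=` comment in each fragment.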



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel