Re: [Xen-devel] vif-bridge question
> On November 22, 9:30 am Ian Pratt <Ian.Pratt@xxxxxxxxxxxx> wrote:
> > in /etc/xen/scripts/vif-bridge there is this snippet of code:
> >
> >     if [ ${ip} ] ; then
> >
> >         # If we've been given a list of IP networks, allow pkts with these src addrs.
> >         for addr in ${ip} ; do
> >             iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s ${addr} -j ACCEPT
>
> Here vif will be something like vif34.0. How is it viewed by the bridging
> code? (As a standard ethxx interface?)

Yep, 'vif4.0' appears as a normal ethernet interface as far as the linux bridge code is concerned. You can think of the vif as being connected by a crossover cable to the eth0 in the guest.

> I use antispoof but I've been obliged to modify the rule this way:
>
>     iptables ${iptcmd} FORWARD -m physdev --physdev-out ${interface} -j ACCEPT
>
> in order to allow a xenU domain to talk with another computer on my
> network.

Does that make any sense? You're not actually forcing packets from the vif to have a particular src IP addr, which was the intention of the antispoof rule. You might as well run with antispoof off.

> In order to allow two xenU domains on the same machine to talk I'm also
> obliged to add those two more rules:
>
>     iptables ${iptcmd} FORWARD -i ${vif} -j ACCEPT
>     iptables ${iptcmd} FORWARD -o ${vif} -j ACCEPT
>
> I'm obliged to add this because I don't specify an IP address in the xenU
> configuration file, so it skips the piece of code you put above.
>
> You may ask why I don't specify the IP in the xenU domain file.
> There are, in my point of view, two cases:
> * XenU has a DHCP address, and so if the interface gets its address from DHCP,
>   specifying it is useless ...

Antispoof only makes sense if you know what IP addr the guest should be using. If you're using a DHCP server handing out static addresses that's not a problem. If they're truly dynamic then you're going to have to either parse the logs of the DHCP server or snoop and process the DHCP reply. Grim.

> * XenU has a fixed address; well, for the moment I prefer to specify the
>   address also in the interfaces file (in debian), so specifying it in this
>   file + xenU is redundant and may introduce errors when I'll change the address.

Sure, but that's kind of the whole point of antispoof ;-)

Ian

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel
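As an added illustration (not part of this thread or of the vif-bridge script), the following Python model of the FORWARD chain shows why the `--physdev-in ${vif} -s ${addr}` rule enforces a source address per guest while the `--physdev-out ${interface} -j ACCEPT` replacement does not. `Packet`, `Rule`, `evaluate`, `antispoof_rules` and `relaxed_rules` are names of this model, the sample vif names and addresses are constructed, and a chain policy of DROP is assumed for the sake of the comparison.

```python
# Toy model of the FORWARD rules that vif-bridge's antispoof block emits,
# used to compare them with the poster's relaxed replacement rule.
# Added illustration; not code from the Xen scripts or from this thread.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    """A bridged IP frame as the physdev match sees it (constructed sample)."""
    physdev_in: str    # bridge port it arrived on, e.g. "vif4.0"
    physdev_out: str   # bridge port it will leave on, e.g. "eth0" or "vif5.0"
    src: str           # source IP address claimed by the guest


@dataclass(frozen=True)
class Rule:
    """One iptables FORWARD rule; None means the option was not given."""
    target: str
    physdev_in: Optional[str] = None   # --physdev-in
    physdev_out: Optional[str] = None  # --physdev-out
    src: Optional[str] = None          # -s addr or addr/mask

    def matches(self, pkt: Packet) -> bool:
        if self.physdev_in is not None and self.physdev_in != pkt.physdev_in:
            return False
        if self.physdev_out is not None and self.physdev_out != pkt.physdev_out:
            return False
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the (assumed) chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def antispoof_rules(vif: str, ip: str) -> List[Rule]:
    """Rules emitted by the quoted 'if [ ${ip} ]' block: one ACCEPT per allowed
    source, keyed on the vif the frame came in on. An empty ${ip} yields no
    rules at all, which is the poster's 'it skips the code' case."""
    return [Rule("ACCEPT", physdev_in=vif, src=addr) for addr in ip.split()]


def relaxed_rules(interface: str) -> List[Rule]:
    """The poster's replacement: accept anything leaving via the uplink,
    regardless of which vif it came from or what source it claims."""
    return [Rule("ACCEPT", physdev_out=interface)]


if __name__ == "__main__":
    strict = antispoof_rules("vif4.0", "10.0.0.4")
    relaxed = relaxed_rules("eth0")
    honest = Packet("vif4.0", "eth0", "10.0.0.4")
    spoofed = Packet("vif4.0", "eth0", "10.0.0.99")
    for name, chain in (("antispoof", strict), ("relaxed", relaxed)):
        print(name, "honest:", evaluate(chain, honest), "spoofed:", evaluate(chain, spoofed))
```

Under the strict chain the spoofed packet from vif4.0 is dropped and the honest one is accepted, whether it leaves via eth0 or via another guest's vif, so the per-vif rule alone covers the two-guests-on-one-host case as long as `${ip}` is set; under the relaxed chain both packets are accepted, which is what Ian means by "you might as well run with antispoof off".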