
[Xen-devel] Patch for Improved vif-route



Here's my version of vif-route, which filters packets to/from domU.  

This is my first time submitting a patch.  Am I supposed to add '[PATCH]' to the 
subject line?  Or is there a web-based patch submission that I don't know about?
diff -r 8d655336fd69 -r 2ce5a2fb29d8 tools/examples/vif-route
--- a/tools/examples/vif-route  Tue Aug 23 21:15:18 2005
+++ b/tools/examples/vif-route  Tue Aug 23 21:25:45 2005
@@ -19,12 +19,36 @@
 # vif     vif interface name (required).
 # mac     vif MAC address (required).
 # ip      list of IP networks for the vif, space-separated (optional).
+#
+# Additional Notes: 
+#
+#   This script requires the following Dom0 kernel options:
+#
+#     CONFIG_IP_ADVANCED_ROUTER=y
+#     CONFIG_IP_MULTIPLE_TABLES=y
+#     CONFIG_BRIDGE_NETFILTER=y
+#     CONFIG_IP_NF_IPTABLES=y
+#     CONFIG_IP_NF_MATCH_IPRANGE=y
+#     CONFIG_IP_NF_MATCH_PHYSDEV=y
+#     CONFIG_IP_NF_FILTER=y
+#
+#   DomU configuration file must declare domain's IP addresses via vif.
+#
+#   Examples: 
+#     vif = [ 'ip=192.168.0.16, vif=vif1.0' ]
+#     vif = [ 'ip=192.168.0.16 192.168.0.17' ] # multiple IP's
+#     vif = [ 'ip=192.168.0.16/31' ] # multiple IP's using netmask
+#
 #============================================================================
 
 # Exit if anything goes wrong
 set -e 
 
 echo "vif-route $*"
+
+# Network device connected to the Internet
+wan_dev='eth0'
+echo 1 >/proc/sys/net/ipv4/conf/${wan_dev}/proxy_arp
 
 # Operation name.
 OP=$1
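Review bot: The write `echo 1 >/proc/sys/net/ipv4/conf/${wan_dev}/proxy_arp` runs on every invocation, including `down`, and is never reverted, so tearing a vif down still changes the state of the uplink interface; placing it under the `up)` arm, or guarding it with `[ "$OP" = up ]`, would keep the script's effect symmetric. `wan_dev='eth0'` is also a hard-coded guess, and because `set -e` is in force a host whose uplink is not eth0 aborts at the redirect with no diagnostic; a check such as `[ -d /proc/sys/net/ipv4/conf/${wan_dev} ] || { echo "vif-route: no such device ${wan_dev}" >&2; exit 1; }` before the write would fail more clearly. The header comment lists the required kernel options but not that the script turns on proxy_arp on the uplink device; a line such as `# Enables proxy_arp on the uplink device (${wan_dev})` belongs in the "Additional Notes" section.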
@@ -41,12 +65,12 @@
 # Optional parameters. Set defaults.
 ip=${ip:-''}   # default to null (do nothing)
 
-main_ip=`ifconfig eth0 | grep "inet addr:" | sed -e 's/.*inet 
addr:\(\w\w*\.\w\w*\.\w\w*\.\w\w*\).*/\1/'`
+main_ip=`ifconfig ${wan_dev} | grep "inet addr:" | sed -e 's/.*inet 
addr:\(\w\w*\.\w\w*\.\w\w*\.\w\w*\).*/\1/'`
 
 # Are we going up or down?
 case $OP in
     up)
-        ifconfig ${vif} 169.254.1.0 netmask 255.255.255.255 up
+        ifconfig ${vif} 10.255.255.1 netmask 255.255.255.255 up
         echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
         iptcmd='-A'
         ipcmd='a'
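Review bot: `main_ip` can end up empty when `${wan_dev}` carries no IPv4 address, because a `grep` with no match does not trip `set -e` through the pipeline and `sed` exits 0 on empty input; the value is later used as `src ${main_ip}` in the route command, which then becomes malformed. A check right after the assignment, `[ -n "${main_ip}" ] || { echo "vif-route: no IPv4 address on ${wan_dev}" >&2; exit 1; }`, would fail early with a clear message. The switch from 169.254.1.0 to 10.255.255.1 for the vif address replaces a link-local address with one inside the 10.0.0.0/8 private range, which may collide with addresses a guest or site already uses; if that is deliberate, a comment stating why would help the next reader. The `case` statement continues outside this hunk.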
@@ -63,14 +87,16 @@
         ;;
 esac
 
-if [ ${ip} ] ; then
+# Packet filtering
+vif_in="-m physdev --physdev-in ${vif}"
+if [ "${ip}" ] ; then
 
-    # If we've been given a list of IP networks, allow pkts with these src 
addrs.
-    for addr in ${ip} ; do
-      ip r ${ipcmd} ${addr} dev ${vif} src ${main_ip}
-#      iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s ${addr} -j 
ACCEPT
-    done 
+    # Forward only packets with source IP's matching domain's IP's
+    for addr in `echo ${ip}` ; do
+        ( ip r ${ipcmd} ${addr} dev ${vif} src ${main_ip} &>/dev/null )
+        iptables ${iptcmd} FORWARD ${vif_in} -s ${addr} -j ACCEPT
+    done
 
-    # Always allow us to talk to a DHCP server anyhow.
-#    iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -p udp --sport 
68 --dport 67 -j ACCEPT
+    # Drop other packets
+    iptables ${iptcmd} FORWARD ${vif_in} -j DROP
 fi
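Review bot: The subshell and `&>/dev/null` around `ip r ${ipcmd} ...` only discard output; they do not stop `set -e` from aborting the script when the route command fails, since the subshell is itself a command whose non-zero status propagates to the parent. If the intent is best-effort (the route already present on `up`, or already gone on `down`), write it as `ip r ${ipcmd} ${addr} dev ${vif} src ${main_ip} >/dev/null 2>&1 || true`, which also avoids the bash-only `&>` redirect (the shebang is outside the hunk). The command substitution around `echo ${ip}` in the for loop adds nothing over `for addr in ${ip}`. The commented-out DHCP rule from the old side is gone, so with the new trailing `-j DROP` rule a guest that obtains its address by DHCP can no longer reach a DHCP server through this vif; if that is intended it deserves a comment, otherwise an ACCEPT for `-p udp --sport 68 --dport 67` should be added before the DROP.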


 

