[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] RFC: virtual network access control

Looking at options for a solution for the current version of Xen, we propose netback as the place to enforce the policy. XM tools are not in the network path and do not resolve this problem. Therefore, this problem is different from the general resource access control problem (eg. blockback).

We also thought of extending packet filtering on MAC or IP level but it these options add new software package dependencies, e.g., ebtables or iptables. In addition, re-using existing iptables filters would require switching off the bridge and managing point-to-point rules for a potentially large number of user domains.

We appreciate feedback on the netback approach and we are open to other suggestions that solve this problem.

Sounds like you want to implement a primitive firewall in netback simply to avoid a dependency on the existing mechanisms that Linux has. That doesn't sound a good tradeoff to me, and I think it's unlikely to fly with the kernel maintainers.

The only problem I can see with relying on iptables (other than requiring it to be installed) is that it becomes harder to configure if netback is in a driver domain. Possibly we need to come up with some xenstore<->iptables interface (e.g., run an interfacing daemon in the same domain as netback).

 -- Keir

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.