|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] RFC: virtual network access control
Keir Fraser <Keir.Fraser@xxxxxxxxxxxx> wrote on 07/28/2006 05:18:30 AM: > Sounds like you want to implement a primitive firewall in netback > simply to avoid a dependency on the existing mechanisms that Linux has. > That doesn't sound a good tradeoff to me, and I think it's unlikely to > fly with the kernel maintainers. We are interested in controlling access based on the security labels of sender and receiver domains, not based on IP or other traditional firewall packet attributes. > The only problem I can see with relying on iptables (other than > requiring it to be installed) is that it becomes harder to configure if > netback is in a driver domain. Possibly we need to come up with some > xenstore<->iptables interface (e.g., run an interfacing daemon in the > same domain as netback). We see other problems as well: IPtables seems to not see any of the ethernet-bridged packets. If you wanted to use IPtables then you would need to replace the ethernet bridge with routing each packet. Reiner _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |