
RE: [Xen-users] Xen with 'Routing' scripts



> Can we ensure that dom-U is not sending ethernet packets with 
> fake destination mac addresses if we're using bridging?

Sure. Just add the appropriate netfilter or ebtables rules to
'vif-bridge'.
 
> How do we prevent a dom-U filling up our LAN with bogus 
> ethernet addresses?

There's an example of a netfilter rule to prevent spoofing of bogus src
IP addrs.

> I guess we want to restrict the dom-U to IP packets with 
> IP/MAC pairs that match previous ARP results. Can ebtables in 
> dom-0 filter this accurately?

Sure. If you don't know all the rules at domain creation time you'll
probably need to cook up your own little daemon to add rules.

> Also, there will be more ARP'ing with bridging, since all the 
> dom-U's will ARP independently (can we short-circuit ARP 
> responses in dom-0?).

Why would you want to? It's hardly high bandwidth.

Ian

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
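
An added example, not part of the original message or of Xen's own scripts: a sketch of the kind of ebtables rules the reply suggests adding from 'vif-bridge', pinning one guest interface to a single MAC/IPv4 pair. The function names, the vif name, the MAC and the IP are assumptions made for illustration, as is the choice to filter on both the INPUT and FORWARD chains; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: print (not apply) ebtables rules that pin one guest vif to a
# single MAC/IPv4 pair. Assumes static IPv4; the final DROP also discards
# DHCP requests and IPv6 from the guest.

valid_mac() {
    case $1 in *[!0-9A-Fa-f:]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    case $1 in *[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                       # split into octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

emit_vif_rules() {
    vif=$1 mac=$2 ip=$3
    case $vif in
        ''|*[!A-Za-z0-9._-]*) echo "bad vif name" >&2; return 1 ;;
    esac
    valid_mac "$mac" || { echo "bad MAC" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IPv4" >&2; return 1; }
    # INPUT covers frames addressed to dom0, FORWARD frames bridged onward.
    for chain in INPUT FORWARD; do
        # ARP must carry the guest's own MAC and IP as sender.
        echo "ebtables -A $chain -i $vif -p ARP -s $mac --arp-mac-src $mac --arp-ip-src $ip -j ACCEPT"
        # IPv4 must come from the assigned MAC and source address.
        echo "ebtables -A $chain -i $vif -p IPv4 -s $mac --ip-src $ip -j ACCEPT"
        # Everything else entering the bridge from this vif is dropped.
        echo "ebtables -A $chain -i $vif -j DROP"
    done
}

# Constructed sample values (documentation IP range, made-up MAC)
emit_vif_rules vif1.0 00:16:3e:00:00:01 192.0.2.10
```

The inputs are validated before being placed in a rule because a hook script usually receives them from the domain configuration.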


 

