
Re: [Xen-users] Xen with 'Routing' scripts


  • From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
  • Date: Sun, 17 Apr 2005 18:56:08 +0200
  • Cc: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Sun, 17 Apr 2005 16:55:25 +0000
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Ian Pratt wrote:

>> I guess we want to restrict the dom-U to IP packets with IP/MAC pairs that match previous ARP results. Can ebtables in dom-0 filter this accurately?
>
> Sure. If you don't know all the rules at domain creation time you'll
> probably need to cook up your own little daemon to add rules/

I think I might be able to achieve what I want with ebtables by brouting all outgoing traffic. So dom-0 is a router for outgoing traffic but a bridge for incoming traffic. I think I just have to enable ip_forwarding, but otherwise use the xen 'bridging' scripts.

>> Also, there will be more ARP'ing with bridging, since all the dom-U's will ARP independently (can we short-circuit ARP responses in dom-0?).
>
> Why would you want to? It's hardly high bandwidth.

Well, ARP is broadcast and across all bridged networks. What if the dom-U did an ARP-bomb attack, for example. I don't know really. I guess you could rate limit ARPs with ebtables.

Anyway, if we're brouting outbound traffic, then we can use --arpreply <bogus-address> to short-circuit outbound ARP requests. They're no use anyway, if we're brouting all outbound traffic.

Does this all sound plausible or maybe even sensible?

Thanks for your help
Roland


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
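As an added example (not code from this thread, and not Xen's own vif scripts), the following POSIX shell dry-run prints the ebtables rule set the message sketches for the "little daemon" Ian mentions: pin a guest's vif to the MAC/IP pair recorded for it, rate-limit its ARP, route rather than bridge its outbound IPv4 in the broute table, and answer its ARP requests in dom-0 with arpreply. The vif names, MAC addresses and IPs are placeholders; the rules are emitted rather than executed so they can be reviewed before being piped into a shell on a dom-0 that has ip_forward enabled.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xen's own network scripts.
# Prints (dry-run) the ebtables rules a small dom-0 helper could apply when a
# guest is created. Interface names, MACs and IPs are placeholders.

EBT="${EBT:-ebtables}"

# Filter-table rules: drop any frame from the vif whose Ethernet source, IP
# source or ARP sender fields do not match the pair recorded for the guest,
# and cap the rate at which matching ARP frames may leave the vif.
# $1 = vif name in dom-0, $2 = guest MAC, $3 = guest IPv4 address
gen_domu_rules() {
    vif=$1; mac=$2; ip=$3
    cat <<EOF
$EBT -N lock-$vif
$EBT -A FORWARD -i $vif -j lock-$vif
$EBT -A lock-$vif -s ! $mac -j DROP
$EBT -A lock-$vif -p IPv4 --ip-src ! $ip -j DROP
$EBT -A lock-$vif -p ARP --arp-mac-src ! $mac -j DROP
$EBT -A lock-$vif -p ARP --arp-ip-src ! $ip -j DROP
$EBT -A lock-$vif -p ARP --limit 10/s --limit-burst 20 -j ACCEPT
$EBT -A lock-$vif -p ARP -j DROP
EOF
}

# Brouting rules: in the broute table DROP means "route this frame" and
# ACCEPT means "bridge it", so outbound IPv4 from the vif is handed to the
# dom-0 IP stack while inbound traffic still arrives over the bridge.
# Outbound ARP requests are answered locally with the given MAC, so the
# guest's requests never reach the bridge.
# $1 = vif name, $2 = MAC to hand back in ARP replies (placeholder)
gen_brouting_rules() {
    vif=$1; reply_mac=$2
    cat <<EOF
$EBT -t broute -A BROUTING -i $vif -p IPv4 -j redirect --redirect-target DROP
$EBT -t nat -A PREROUTING -i $vif -p ARP --arp-opcode Request -j arpreply --arpreply-mac $reply_mac
EOF
}

# Count the rules a generator emits; a cheap sanity check before applying.
count_rules() { "$@" | grep -c ''; }

# Usage: "sh thisfile demo" prints the rules for a hypothetical guest;
# pipe that output into sh on dom-0 to apply them.
if [ "${1:-}" = "demo" ]; then
    gen_domu_rules vif1.0 00:16:3e:00:00:01 10.0.0.2
    gen_brouting_rules vif1.0 00:16:3e:00:00:fe
fi
```

The lock chain is deliberately ordered so that the MAC check comes first: a guest that forges its source MAC is dropped before the IP and ARP matches are consulted, and the ARP rate limit only applies to frames that already carry the expected sender pair.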

