[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Xen with 'Routing' scripts

To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
Date: Mon, 18 Apr 2005 16:02:41 +0200
Delivery-date: Mon, 18 Apr 2005 14:01:57 +0000
List-id: Xen user discussion <xen-users.lists.xensource.com>



Nils Toedtmann wrote:

Am Sonntag, den 17.04.2005, 18:56 +0200 schrieb Roland Paterson-Jones:
I think I might be able to achieve what I want with ebtables by broutingall outgoing traffic.
What is "brouting"? There's an ebtables chain with that name, but i
never heard this term (yet) as a name for a network topology ...?

I would call it a hack rather than a network topology. The onlyadvantage is that dom-0 doesn't have to know the dom-U IP addresses, butcan still exert firm control over traffic from dom-U's.

So dom-0 is a router for outgoing traffic but abridge for incoming traffic.
Ah! Is that standard terminology?

I doubt it ;)

What advantage you gain over proper bridging?

I'm assuming iptables doesn't see bridged ethernet traffic(!?) So usingebtables' brouting forces the outbound IP traffic through IP routingletting iptables take a look.

At domU creation time, dom0 knows it's dedicated MAC, and (according to
your own rules) the according IP of that domU. As Ian wrote: extend the
vif-bridge (which now knows the IP/MAC/VIF combination) using

The MAC -> IP mapping is a pain with DHCP, cos dhcpd scripting doesn'textend to mangling the hardware address into the resulting (fixed) IPaddress. In the prototype, I had a hard-coded rule for each MAC -> IP.This is not very scalable!

However, another way to do it is to use iptables to QUEUE DHCP responsesto a custom ipq app which pulls out the IP address and does the same. Inother words, to sniff the DHCP allocations in dom-0.

And, yes, I think you DO need to know the IP address to do effectivefirewalling in dom-0. Previously, I was hoping to avoid dom-0 knowingthe IP address at all by using bridging.

* iptables to enforce the correct IP (--> no IP spoofing)

Does iptables get to see ethernet-bridged traffic? I thought ethernettraffic snuck through under the iptables radar since it doesn't(shouldn't?) touch the IP stack.


Thanks again for the frank discussion
Roland




_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Follow-Ups:
- Re: [Xen-users] Xen with 'Routing' scripts
  - From: Nils Toedtmann

References:
- RE: [Xen-users] Xen with 'Routing' scripts
  - From: Ian Pratt
- Re: [Xen-users] Xen with 'Routing' scripts
  - From: Roland Paterson-Jones
- Re: [Xen-users] Xen with 'Routing' scripts
  - From: Nils Toedtmann

Prev by Date: Re: [Xen-users] troubles when building 64bit XEN
Next by Date: Re: [Xen-users] troubles when building 64bit XEN
Previous by thread: Re: [Xen-users] Xen with 'Routing' scripts
Next by thread: Re: [Xen-users] Xen with 'Routing' scripts
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.