
Re: [Xen-users] Xen with 'Routing' scripts

  • To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
  • Date: Mon, 18 Apr 2005 16:02:41 +0200
  • Delivery-date: Mon, 18 Apr 2005 14:01:57 +0000
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Nils Toedtmann wrote:

> On Sunday, 17.04.2005, 18:56 +0200, Roland Paterson-Jones wrote:
>> I think I might be able to achieve what I want with ebtables by brouting all outgoing traffic.
>
> What is "brouting"? There's an ebtables chain with that name, but I
> never heard this term (yet) as a name for a network topology ...?

I would call it a hack rather than a network topology. The only advantage is that dom-0 doesn't have to know the dom-U IP addresses, but can still exert firm control over traffic from dom-U's.

>> So dom-0 is a router for outgoing traffic but a bridge for incoming traffic.
>
> Ah! Is that standard terminology?

I doubt it ;)

> What advantage do you gain over proper bridging?

I'm assuming iptables doesn't see bridged ethernet traffic(!?) So using ebtables' brouting forces the outbound IP traffic through IP routing, letting iptables take a look.

> At domU creation time, dom0 knows its dedicated MAC, and (according to
> your own rules) the according IP of that domU. As Ian wrote: extend the
> vif-bridge (which now knows the IP/MAC/VIF combination) using

The MAC -> IP mapping is a pain with DHCP, cos dhcpd scripting doesn't extend to mangling the hardware address into the resulting (fixed) IP address. In the prototype, I had a hard-coded rule for each MAC -> IP. This is not very scalable!

However, another way to do it is to use iptables to QUEUE DHCP responses to a custom ipq app which pulls out the IP address and does the same. In other words, to sniff the DHCP allocations in dom-0.

And, yes, I think you DO need to know the IP address to do effective firewalling in dom-0. Previously, I was hoping to avoid dom-0 knowing the IP address at all by using bridging.

> * iptables to enforce the correct IP (--> no IP spoofing)

Does iptables get to see ethernet-bridged traffic? I thought ethernet traffic snuck through under the iptables radar since it doesn't (shouldn't?) touch the IP stack.

Thanks again for the frank discussion
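The two mechanisms discussed in this message, sniffing the DHCP server's reply in dom-0 to learn which IP was leased to which MAC, and then pinning that vif to the MAC/IP pair with a brouting rule plus iptables, are shown below as an added example. It is not code from the thread or from Xen's own vif scripts. A real deployment would receive the packet from the QUEUE target (via libipq in 2005, nfqueue today); here the DHCPACK is constructed inline, and the vif name, MAC and addresses are made-up sample values. The rule lines are only generated as strings, not executed.

```python
"""Sniff DHCP server replies for the MAC -> IP allocation and emit the
dom-0 rules that pin a domU's vif to that address.  Added example; not
code from the thread.  Interface and address values are constructed."""
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2131 options cookie
BOOTREPLY = 2
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
DHCPOFFER, DHCPACK = 2, 5


def parse_dhcp(payload):
    """Parse the fixed BOOTP header and the DHCP option list (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen = struct.unpack("!BBB", payload[:3])
    yiaddr = IPv4Address(payload[16:20])          # 'your' address: the lease
    chaddr = payload[28:28 + hlen]                # client hardware address
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "htype": htype, "yiaddr": yiaddr,
            "mac": ":".join(f"{b:02x}" for b in chaddr), "options": options}


def binding_from_ack(payload):
    """Return (mac, ip) for a DHCPACK, else None (an OFFER is not a lease yet)."""
    msg = parse_dhcp(payload)
    if msg["op"] != BOOTREPLY or msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return None
    return msg["mac"], str(msg["yiaddr"])


def pin_rules(vif, mac, ip):
    """Command lines (not executed here) that brout the vif's IPv4 frames into
    the IP stack and let FORWARD accept only the leased MAC/IP pair.
    In the ebtables broute table, target DROP means 'route', not 'discard'."""
    return [
        f"ebtables -t broute -A BROUTING -i {vif} -p IPv4 -j redirect --redirect-target DROP",
        f"iptables -A FORWARD -i {vif} -m mac --mac-source {mac} -s {ip} -j ACCEPT",
        f"iptables -A FORWARD -i {vif} -j DROP",
    ]


def build_reply(mac, ip, msg_type):
    """Construct a minimal BOOTREPLY/DHCP message for testing (sample data)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = (struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x3903F326, 0, 0)
              + bytes(4)                          # ciaddr
              + IPv4Address(ip).packed            # yiaddr: the leased address
              + IPv4Address("10.0.0.1").packed    # siaddr (sample server)
              + bytes(4)                          # giaddr
              + chaddr + bytes(64) + bytes(128))  # chaddr, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, msg_type, 54, 4])
               + IPv4Address("10.0.0.1").packed + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    ack = build_reply("00:16:3e:00:00:01", "10.0.0.42", DHCPACK)
    mac, ip = binding_from_ack(ack)
    for rule in pin_rules("vif1.0", mac, ip):
        print(rule)
```

Only a DHCPACK is treated as a binding; an OFFER may never be accepted by the client, so acting on it would pin the vif to an address it does not hold. The default DROP rule at the end of FORWARD is what makes the ACCEPT rule an anti-spoofing control rather than just a permit.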
