[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Xen with 'Routing' scripts

  • From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
  • Date: Mon, 18 Apr 2005 16:30:40 +0200
  • Cc: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 18 Apr 2005 14:29:58 +0000
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Nils Toedtmann wrote:

Am Montag, den 18.04.2005, 16:02 +0200 schrieb Roland Paterson-Jones:
Does iptables get to see ethernet-bridged traffic? I thought ethernet traffic snuck through under the iptables radar since it doesn't (shouldn't?) touch the IP stack.

That depends. In the old days of linux-2.4 you needed the br-nf-patch
from the ebtables site to make bridged ip packets visible to iptable.
But as i already said there is now "CONFIG_BRIDGE_NETFILTER" in
linux-2.6: if you compile a kernel with "CONFIG_BRIDGE_NETFILTER=y" (as
all distributers i know do and as xen does in it's default dom0 config)
then iptables sees every forwarded frame which has ethertype 0x0800
(IPv4). If you want it more detailed, see this netfilter/ebtables flow

So: everything you want to filter you can filter with bridging.
Cool. That makes it much easier. I must admit I missed the significance of your CONFIG_BRIDGE_NETFILTER comment last time.

Now really, the only ugly part is discovering/forcing the dom-U IP addresses.

Thanks again

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.