
Re: [Xen-users] Xen with 'Routing' scripts


  • From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
  • Date: Mon, 18 Apr 2005 16:30:40 +0200
  • Cc: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 18 Apr 2005 14:29:58 +0000
  • List-id: Xen user discussion <xen-users.lists.xensource.com>



Nils Toedtmann wrote:

> On Monday, 18.04.2005, 16:02 +0200, Roland Paterson-Jones wrote:
>> Does iptables get to see ethernet-bridged traffic? I thought ethernet traffic snuck through under the iptables radar since it doesn't (shouldn't?) touch the IP stack.
>
> That depends. In the old days of linux-2.4 you needed the br-nf-patch
> from the ebtables site to make bridged IP packets visible to iptables.
> But as I already said there is now "CONFIG_BRIDGE_NETFILTER" in
> linux-2.6: if you compile a kernel with "CONFIG_BRIDGE_NETFILTER=y" (as
> all distributors I know do and as xen does in its default dom0 config)
> then iptables sees every forwarded frame which has ethertype 0x0800
> (IPv4). If you want it more detailed, see this netfilter/ebtables flow
> chart:
>
> <http://l7-filter.sourceforge.net/PacketFlow.png>
>
> So: everything you want to filter you can filter with bridging.

Cool. That makes it much easier. I must admit I missed the significance of your CONFIG_BRIDGE_NETFILTER comment last time.

Now really, the only ugly part is discovering/forcing the dom-U IP addresses.

Thanks again
Roland


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
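As an added example (not part of the thread), the following script shows one way to use what Nils describes: since CONFIG_BRIDGE_NETFILTER lets iptables see bridged IPv4 frames in the FORWARD chain, the physdev match can pin each dom-U's backend vif to the address assigned to it, which is the "forcing the dom-U IP addresses" part. The vif names and addresses are constructed, and the script only generates iptables-restore input rather than applying it.

```shell
#!/bin/sh
# Added example, not from the thread. Builds per-domU anti-spoofing rules for
# the iptables FORWARD chain. With CONFIG_BRIDGE_NETFILTER=y, bridged IPv4
# frames traverse FORWARD, so the physdev match can tie each vif to one IP.
# The vif names and addresses below are constructed assumptions.

# Constructed mapping, one "vif ip" pair per line (not from the page).
DOMU_TABLE='vif1.0 192.0.2.11
vif2.0 192.0.2.12'

# Rules for one domU in iptables-restore syntax: frames entering the bridge
# through the vif are accepted only with the assigned IPv4 source; every
# other IPv4 frame from that vif is dropped. IPv4 only: ARP is not ethertype
# 0x0800, never reaches iptables, and would need ebtables instead.
domu_rules() {
    vif=$1
    ip=$2
    printf '%s\n' "-A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT"
    printf '%s\n' "-A FORWARD -m physdev --physdev-in $vif -j DROP"
}

# Whole ruleset for the filter table; load with:  render_ruleset | iptables-restore -n
render_ruleset() {
    echo '*filter'
    echo "$DOMU_TABLE" | while read -r vif ip; do
        [ -n "$vif" ] && domu_rules "$vif" "$ip"
    done
    echo 'COMMIT'
}

# Number of -A lines generated; a quick sanity check before loading.
count_rules() {
    render_ruleset | grep -c '^-A '
}

render_ruleset
```

Because the DROP rule matches any IPv4 frame from the vif, a dom-U that obtains its address via DHCP (source 0.0.0.0) would be blocked, so static addressing or an explicit DHCP exception is assumed.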

