
Re: [Xen-users] firewalls and Xen



On Tuesday 14 February 2006 16:38, Luke wrote:
...
> I'd really rather not introduce that complication, since all I need
> to figure out is which virtual interfaces these types of packets go
> from/to.  Plus, I'd really like to understand the packet flow through
> Xen's dom0 and domUs

The flow is something like:

Packet arrives at hardware, is handled by dom0 eth driver and appears on 
peth0.
peth0 is bound to the bridge, so it's passed to the bridge from there.
This step is run on Ethernet level, no IP addresses are set on peth0 or 
bridge.

Now the bridge distributes the packet, just like a switch would. Filtering at 
this stage would be possible with ebtables.

Now there's a number of vifX.Y connected to the bridge, it decides where to 
put the packet based on the receiver's MAC.

The vif iface puts the packet into Xen, which then puts the packet back to the 
domain the vif leads to (it's also done that way for dom0, hence the 
vif0.0->(v)eth0 pair).

The target device in the dom0/domU finally has an IP address, you can apply 
iptables filtering here. 

/Ernst

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
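
The receive path described in the message above, as a small model added here (not part of the original post and not Xen code): it traces a frame from peth0 through the bridge to a vif and the domain's interface, and shows which stage can drop it. All MAC addresses, IP addresses, vif-to-domain mappings and both rule sets are constructed sample values; flooding of unknown MACs is reduced to a single verdict.

```python
# Simplified model of the dom0 receive path (added example, constructed data).
from dataclasses import dataclass

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    dport: int          # TCP destination port carried inside the frame

# Bridge forwarding table: receiver's MAC -> vif port attached to the bridge.
BRIDGE_PORTS = {
    "00:16:3e:00:00:00": "vif0.0",   # leads to dom0's own (v)eth0
    "00:16:3e:00:00:01": "vif1.0",
    "00:16:3e:00:00:02": "vif2.0",
}
# Device behind each vif: (domain, interface, IP address configured on it).
VIF_TARGET = {
    "vif0.0": ("dom0", "eth0", "192.0.2.1"),
    "vif1.0": ("domU1", "eth0", "192.0.2.11"),
    "vif2.0": ("domU2", "eth0", "192.0.2.12"),
}
L2_BLOCKED_SRC = {"de:ad:be:ef:00:01"}   # bridge-level rule (ebtables stage)
L3_BLOCKED_PORTS = {"domU1": {23}}       # per-domain rule (iptables stage)

def trace(frame):
    """Return (hops, verdict) for a frame arriving on the physical NIC."""
    hops = ["peth0", "bridge"]           # Ethernet level only, no IP addresses
    if frame.src_mac in L2_BLOCKED_SRC:
        return hops, "dropped at bridge (L2 filter)"
    vif = BRIDGE_PORTS.get(frame.dst_mac)    # switch-like choice by receiver's MAC
    if vif is None:
        return hops, "flooded: unknown destination MAC"
    domain, dev, ip = VIF_TARGET[vif]
    hops += [vif, f"{domain}:{dev}"]     # vif -> Xen -> interface inside the domain
    if frame.dport in L3_BLOCKED_PORTS.get(domain, set()):
        return hops, f"dropped in {domain} (L3 filter)"
    return hops, f"delivered to {ip}:{frame.dport}"

if __name__ == "__main__":
    samples = [
        Frame("00:16:3e:aa:aa:aa", "00:16:3e:00:00:02", 80),
        Frame("de:ad:be:ef:00:01", "00:16:3e:00:00:02", 80),
        Frame("00:16:3e:aa:aa:aa", "00:16:3e:00:00:01", 23),
        Frame("00:16:3e:aa:aa:aa", "00:16:3e:00:00:00", 23),
    ]
    for f in samples:
        hops, verdict = trace(f)
        print(" -> ".join(hops), "|", verdict)
```
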