Re: [Xen-devel] Communication between Domain0 and Domain1
On Jul 18, 2004, at 3:09 PM, Ian Pratt wrote:
> I haven't had any problems with bridging, but I agree that the L3
> routing solution may be better under some circumstances.
I haven't had great luck with bridging in linux period, not just with
Xen. Fortunately I've rarely needed it.
In any case, the reason I'm personally using VMs is to strictly control
what is allowed in and out of each particular VM and to be able to
control through firewalling anyway, and doing some VM-based solution is
a heck of a lot cheaper than buying a dozen physical pieces of hardware
and putting them all on a DMZ behind a dedicated firewall, especially
if all one of those VMs may be doing is DNS. It's a little more load
on the box overall to have your dom0 doing the packet filtering, but if
your boxes were overloaded anyway, you probably wouldn't be doing VMs.
> It would be good to have a 'vif-router' script to use as an
> alternative to 'vif-bridge' for users wanting to operate a routed
> configuration. If you've got something suitable we could check in
> to the repo that would be great. I guess a modified 'network'
> script would be required too.
If I can get the VMs stabilized, I'll work on that next, since right now
I've just got everything in a script I wrote that "brute-force" ups a
bunch of aliases and adds a bunch of NAT rules that I'm running
I haven't looked real closely at the bridge config/script, so I don't know
if it handles downing a VM gracefully; iptables isn't very good at
dynamically removing rules. You have to know what order they went in
to be able to remove one in the order it was created, i.e., you can
create a rule by saying "from source IP such and destination IP such,
do thusly" but you can't remove it with the same terminology; you have
to say "remove rule number twelve." So bringing up a VIP and assigning
an eth0 alias and creating a NAT rule is pretty easy, but there's no
graceful way to handle removing the NAT rule if you want to down the
The way we've been dealing with this issue where I work, using UML, is
to have the VM "up" and "down" scripts modify a set of iptables rules
to either include or exclude the config for a particular VM, and then
require that the rules be reloaded after bringing a VM up or down, which will
re/create any necessary aliases and reload all the iptables rules.
It's not as elegant, but it does work.
"We all enter this world in the same way: naked; screaming; soaked in blood.
But if you live your life right, that kind of thing doesn't have to stop
there." -- Dana Gould
Support Electronic Freedom: http://www.eff.org/ | http://www.anti-dmca.org/
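The reload-everything approach described in the message above, written out as an added example (not code from the thread or from Xen): the whole dom0 NAT ruleset is regenerated from a per-VM table and loaded in one step with iptables-restore, so a "down" script only deletes the VM's table line and reloads, never needing a rule number. The table path, its "name vip guest proto/port,..." line format, and the external interface name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the whole dom0 NAT ruleset from a
# per-VM table and load it atomically with iptables-restore, so "down" needs no
# rule numbers: the VM's line is removed from the table and the set is reloaded.
# Hypothetical layout: the vif "up" script appends "name vip guest proto/port,..."
# to $VM_TABLE, the "down" script deletes that line, and both then call reload_rules.
VM_TABLE="${VM_TABLE:-/etc/xen/vm-nat.table}"
EXT_IF="${EXT_IF:-eth0}"

# Emit a complete iptables-restore ruleset for the "name vip guest ports" lines on stdin.
# Pure text generation: needs neither root nor iptables, so it can be tested offline.
gen_rules() {
    table=$(cat)
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "$table" | while read -r name vip guest ports; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        # Outbound traffic from the guest leaves with its public VIP as source.
        echo "-A POSTROUTING -s $guest -o $EXT_IF -j SNAT --to-source $vip"
        for pp in $(echo "$ports" | tr ',' ' '); do
            # Inbound: only the published proto/port pairs are translated to the guest.
            echo "-A PREROUTING -i $EXT_IF -d $vip -p ${pp%/*} --dport ${pp#*/} -j DNAT --to-destination $guest:${pp#*/}"
        done
    done
    echo 'COMMIT'
    echo '*filter'
    echo ':FORWARD DROP [0:0]'                     # default deny between VMs and the outside
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$table" | while read -r name vip guest ports; do
        case "$name" in ''|'#'*) continue ;; esac
        echo "-A FORWARD -s $guest -j ACCEPT"        # guest may initiate outbound
        for pp in $(echo "$ports" | tr ',' ' '); do  # only published ports come in
            echo "-A FORWARD -i $EXT_IF -d $guest -p ${pp%/*} --dport ${pp#*/} -j ACCEPT"
        done
    done
    echo 'COMMIT'
}

# Replace the live nat and filter tables in one step (root required).
reload_rules() {
    gen_rules < "$VM_TABLE" | iptables-restore
}

if [ "${1:-}" = apply ]; then reload_rules; fi
```

The eth0 aliases for each VIP still have to exist (as the message notes, the up/down scripts create them); this only replaces the per-rule add/delete dance with a regenerate-and-reload.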