This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] vif-bridge question

To: "Matthieu" <matxen@xxxxxxxxx>
Subject: Re: [Xen-devel] vif-bridge question
From: Ian Pratt <Ian.Pratt@xxxxxxxxxxxx>
Date: Tue, 23 Nov 2004 23:27:38 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxxx, Ian.Pratt@xxxxxxxxxxxx
Delivery-date: Tue, 23 Nov 2004 23:54:08 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
In-reply-to: Your message of "Tue, 23 Nov 2004 23:39:34 +0100." <506467112735ec7c0121f9b9605e579d@xxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
> On November 22, 9:30 am Ian Pratt <Ian.Pratt@xxxxxxxxxxxx> wrote:
> >
> > >  in /etc/xen/scripts/vif-bridge there is this snippet of code:
> > >
> > >  if [ ${ip} ] ; then
> > >
> > >      # If we've been given a list of IP networks, allow pkts with these src addrs.
> > >      for addr in ${ip} ; do
> > >          iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s ${addr} -j ACCEPT
> Here vif will be something like vif34.0. How is it viewed by the bridging
> code? (As a standard ethxx interface?)

Yep, 'vif4.0' appears as a normal ethernet interface as far as
the linux bridge code is concerned. You can think of the vif as
being connected by a crossover cable to the eth0 in the guest.
> I use antispoof but I've been obliged to modify the rule this way:
> iptables ${iptcmd} FORWARD -m physdev --physdev-out ${interface} -j ACCEPT
> in order to allow a xenU domain to talk with another computer on my
> network.

Does that make any sense? You're not actually forcing packets
from the vif to have a particular src IP addr, which was the
intention of the antispoof rule.
You might as well run with antispoof off.

> In order to allow two xenU domains on the same machine to talk, I'm also
> obliged to add these two more rules:
> iptables ${iptcmd} FORWARD -i ${vif} -j ACCEPT
> iptables ${iptcmd} FORWARD -o ${vif} -j ACCEPT
> I'm obliged to add this because I don't specify an IP address in the xenU
> configuration file, so it skips the piece of code you put above.
> You may ask why I don't specify the IP in the xenU domain file.
> There are, in my point of view, two cases:
> * XenU has a DHCP address, and so if the interface gets its address from DHCP,
> specifying it is useless ...

Antispoof only makes sense if you know what IP addr the guest
should be using. If you're using a DHCP server handing out static
addresses that's not a problem. If they're truly dynamic then
you're going to have to either parse the logs of the DHCP server
or snoop and process the DHCP reply. Grim.

> * XenU has a fixed address; well, for the moment I prefer to specify the
> address also in the interface file (in Debian), so specifying it in this file +
> xenU is redundant and may introduce errors when I change the address.

Sure, but that's kind of the whole point of antispoof ;-)
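The lease-snooping approach Ian describes for DHCP guests, and the per-vif source rule he contrasts with the --physdev-out workaround, as an added example (this is not code from vif-bridge or the Xen project). The script parses a DHCP reply to learn the address the guest was handed, then emits the FORWARD rules for that vif. The function names, the constructed DHCPACK packet, the DHCP-client ACCEPT rule and the trailing per-vif DROP are this example's own assumptions; the page only shows the per-address ACCEPT rule.

```python
"""Added example for Ian's reply (not code from vif-bridge or the Xen project).

Learn a DHCP guest's address by snooping the DHCPACK, then emit the per-vif
FORWARD rules that actually pin the source address to the vif. The names below,
the DHCP-client ACCEPT rule and the trailing DROP are this example's assumptions.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 option cookie
DHCP_ACK = 5                        # option 53 value for DHCPACK


def parse_dhcp_reply(pkt):
    """Return (yiaddr, client_mac, msg_type) from a raw BOOTP/DHCP payload.

    Fixed 236-byte BOOTP header, 4-byte magic cookie, then TLV options.
    Returns None for anything that is not a well-formed BOOTREPLY (op=2).
    """
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen = struct.unpack_from("!BBB", pkt, 0)
    if op != 2:                     # requests from the guest carry no lease
        return None
    yiaddr = ipaddress.IPv4Address(pkt[16:20])
    chaddr = pkt[28:28 + min(hlen, 16)]
    mac = ":".join(f"{b:02x}" for b in chaddr)
    msg_type = None
    i = 240
    while i < len(pkt):
        tag = pkt[i]
        if tag == 0:                # pad option, no length byte
            i += 1
            continue
        if tag == 255:              # end option
            break
        if i + 1 >= len(pkt):
            return None             # truncated TLV header
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            return None             # truncated TLV value
        if tag == 53 and length == 1:
            msg_type = value[0]
        i += 2 + length
    return yiaddr, mac, msg_type


def build_dhcp_ack(yiaddr, mac, xid=0x3903F326):
    """Construct a minimal DHCPACK payload (sample input built for this example)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, xid, 0, 0,      # BOOTREPLY, Ethernet, hlen 6
                      b"\0" * 4,                   # ciaddr
                      ipaddress.IPv4Address(yiaddr).packed,
                      b"\0" * 4, b"\0" * 4,        # siaddr, giaddr
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, DHCP_ACK])                                        # message type
            + bytes([1, 4]) + ipaddress.IPv4Address("255.255.255.0").packed  # subnet mask
            + bytes([255]))                                                 # end
    return hdr + DHCP_MAGIC + opts


def antispoof_rules(vif, addrs, iptcmd="-A"):
    """FORWARD rules pinning this vif to the given source addresses.

    Matches the ingress vif and the source together, which is what the
    --physdev-out workaround in the thread does not do. The DHCP-client and
    DROP rules are assumptions of this example, not shown on the page.
    """
    base = f"iptables {iptcmd} FORWARD -m physdev --physdev-in {vif}"
    rules = [f"{base} -s {ipaddress.ip_network(a, strict=False)} -j ACCEPT"
             for a in addrs]
    rules.append(f"{base} -p udp --sport 68 --dport 67 -j ACCEPT")  # let the guest lease
    rules.append(f"{base} -j DROP")                                  # everything else
    return rules


def lease_rules(vif, dhcp_payload, iptcmd="-A"):
    """Rules to install once a DHCPACK for the guest behind this vif is seen."""
    parsed = parse_dhcp_reply(dhcp_payload)
    if parsed is None or parsed[2] != DHCP_ACK:
        return []                   # offers, NAKs and requests change nothing
    yiaddr, _mac, _ = parsed
    return antispoof_rules(vif, [str(yiaddr)], iptcmd)


if __name__ == "__main__":
    # Constructed sample: a lease of 192.168.1.42 for a guest with a Xen OUI MAC.
    ack = build_dhcp_ack("192.168.1.42", bytes.fromhex("00163e0a0b0c"))
    print(parse_dhcp_reply(ack))
    for rule in lease_rules("vif4.0", ack):
        print(rule)
```

Running it prints the rules for vif4.0 once a lease for 192.168.1.42 has been seen. The contrast with the rule Matthieu substituted is the point Ian makes: --physdev-out ${interface} -j ACCEPT matches only the egress port, so a packet with any source address entering from any vif is forwarded, whereas the rules above match the ingress vif and the source address together, which is the check antispoof exists to make. Whether a real snooper sits on the bridge with a raw socket or reads the DHCP server's lease file, the parsing and the rule shape are the same.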

