On Sun, 2007-01-07 at 10:23 +0100, Timo Benk wrote:
> Ligesh wrote:
> > Btw, I would prefer a simplified version, just to limit the incoming and
> > outgoing traffic. Nothing else.
> :-) Well, shaping in- and outgoing traffic is not simple with Xen and tc :-)
>
> I will share the idea; explaining the whole setup is far beyond a
> single posting.
Would be a small book, actually :)
> tc only allows you to shape outgoing traffic. That is the main problem.
> You have two (well, maybe three) opportunities to also shape the
> incoming traffic.
>
> 1. The simple solution: Add a router between the LAN and your Xen host.
> Here you can shape the traffic at the in- and outgoing interface without
> problems.
>
> 2. The complex solution: Instead of a dedicated router, create a
> gateway-domain with two interfaces. One interface is connected to the
> bridge xenbr0, the other interface is connected to a second bridge, xenbr1.
>
>
>   ------
>   |    |----- xenbr0
>   | gw |                  ---------
>   |    |----- xenbr1 -----|       |
>   ------                  | domUs |
>                           |       |
>                           ---------
>
> To make the shaping process transparent in the gateway-domain, create
> another bridge inside the gateway-domain and connect the two interfaces
> to this bridge.
>
>   ------
>   |    |----- xenbr0
>   | gw |||                ---------
>   |    |----- xenbr1 -----|       |
>   ------                  | domUs |
>                           |       |
>                           ---------
>
> All the other DomUs are only connected to the bridge xenbr1.
>
Have you played at all with the OFR (www.vyatta.com) as a guest domain?
I was considering this with a couple of dual NICs.
> That way all the traffic from all DomUs is going through xenbr1 to the
> bridge inside the gateway-domain to the bridge xenbr0 and finally to the
> LAN. In short: all traffic passes the gateway-domain.
>
> That makes it possible to shape the traffic at the in- and outgoing
> interface of the gateway domain.
And a handy place to stick SNORT and others. I've tried this kind of
setup but it's been 'choppy' at best. I'm also rather new to ebtables;
I'm assuming you would use ebtables to craft this. Do you have some
scripts that you'd like to share?
>
> 3. Use IMQ. In my opinion the simplest and best solution; however, IMQ
> is not part of the standard kernel and the patch does not work anymore
> with the Xen kernel.
>
Nothing other than tc/ebtables that I've found works well, and using
tc/ebtables on dom-0 really is only providing an 'emergency brake' in
the event of a DoS/DDoS attack against any particular guest.
What I'd really like to have, and would love to help work on is a small
(perhaps DSL based?) para-virtualized appliance with a basic web control
panel to help control networking and shaping for guests, as well as
offer bandwidth accounting.
So if you're thinking of taking this beyond an ascii diagram, count me
in :)
>
> HTH,
> Greetings,
> -timo
Best,
--Tim
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
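The gateway-domain setup Timo describes above (option 2), written out as a shell script. This is an added example, not a script from Timo, Tim or the Xen project: it assumes the gateway domU sees its xenbr0-side interface as eth0 and its xenbr1-side interface as eth1, joins them with an internal bridge named br0 using brctl, and uses HTB with tc. Because tc only shapes egress, the cap applied on eth0 limits what the guests send towards the LAN, and the cap applied on eth1 limits what the guests receive; a per-guest class is selected by the guest's IP (destination on the xenbr1 side, source on the xenbr0 side). Interface names, rates and the 192.0.2.10 guest address are constructed placeholders. With DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be reviewed before being executed as root inside the gateway domain with DRY_RUN=0.

```shell
#!/bin/sh
# Added example for a Xen gateway domU acting as a transparent shaping bridge.
# Assumed layout: LAN_IF on xenbr0, DOMU_IF on xenbr1, both joined by BRIDGE.

LAN_IF="${LAN_IF:-eth0}"     # attached to xenbr0; egress here = guest upload
DOMU_IF="${DOMU_IF:-eth1}"   # attached to xenbr1; egress here = guest download
BRIDGE="${BRIDGE:-br0}"      # bridge created inside the gateway domain
DRY_RUN="${DRY_RUN:-1}"      # 1 = print commands only, 0 = execute them

# run CMD...: print the command under DRY_RUN, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_cmds: build the bridge that makes the gateway domain transparent
bridge_cmds() {
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$LAN_IF"
    run brctl addif "$BRIDGE" "$DOMU_IF"
    run ip link set "$BRIDGE" up
}

# shape_iface DEV CEIL: install an HTB root on DEV with a default class capped
# at CEIL. Only egress is shaped, so this caps traffic leaving DEV.
shape_iface() {
    dev="$1"; ceil="$2"
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: htb default 10
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$ceil" ceil "$ceil"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$ceil" ceil "$ceil"
}

# add_guest_class DEV CLASSID RATE CEIL IP: per-guest class plus a u32 filter.
# On DOMU_IF the guest is the destination (download); on LAN_IF the source (upload).
add_guest_class() {
    dev="$1"; cid="$2"; rate="$3"; ceil="$4"; ip="$5"
    if [ "$dev" = "$DOMU_IF" ]; then match_dir=dst; else match_dir=src; fi
    run tc class add dev "$dev" parent 1:1 classid "1:$cid" htb rate "$rate" ceil "$ceil"
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip "$match_dir" "$ip" flowid "1:$cid"
}

# main: bridge, an overall cap per direction, and one constructed guest entry
main() {
    bridge_cmds
    shape_iface "$LAN_IF" 20mbit      # total upload of all guests
    shape_iface "$DOMU_IF" 50mbit     # total download of all guests
    add_guest_class "$LAN_IF" 20 1mbit 2mbit 192.0.2.10    # constructed guest IP
    add_guest_class "$DOMU_IF" 20 4mbit 8mbit 192.0.2.10
}

main "$@"
```

Each guest gets the same classid on both interfaces so the two directions of one guest are easy to correlate when reading `tc -s class show dev eth0` and `dev eth1`, which also gives the bandwidth accounting Tim mentions wanting.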