Re: [Xen-users] Xen 3.4.2 networking help

[Simon Hobson <linux@xxxxxxxxxxxxxxxx>]

Jonathan Tripathy wrote:

> > The biggest issue with iptables and bridging is that you cannot 
> > restrict traffic which is outbound from the machine with the bridge 
> > (ie your Dom0) - you can restrict/control all inbound and forwarded 
> > traffic.
> I'm not sure what you mean by this? On my Xen nodes, I have 2 NICs. 
> NIC1 is connected to a public bridge (which has no IP assigned) 
> which all the DomUs are connected to. I use ebtables and iptables to 
> make sure that no traffic from NIC1 can get onto the INPUT chain of 
> the Dom0. NIC2 is connected to a private bridge which my Dom0 has an 
> ip assigned to it. I also have some private DomUs connected to this 
> bridge.
When a bridge is involved, there is a problem with physdev match (if 
I recall correctly) which means that outbound traffic on the firewall 
machine cannot be filtered because of the sequence in which the net 
stack does operations. The practical result is that you cannot apply 
rules filtering traffic which originates on the firewall and leaves 
via a bridge interface. I vaguely recall it's to do with the 
matching/filtering happening before the outbound interface is 
determined - and that in turn is related to requirements for handling 
VPN traffic. You can still filter inbound traffic, and you can still 
forward transiting traffic - it's only outbound traffic that 
originates on the firewall that is a problem.
That is my understanding from following the Shorewall list for some time.

> > Unfortunately, to do this will mean running iptables/ebtables 
> > scripts each time you start a guest and it's new VIFs are 
> > configured. I'm not aware of any pre-existing scripts to do this.
> I have made scripts to do this on my setup. It's very each. You have 
> to create a new vif-bridge file for each DomU in /etc/xen/scripts 
> (vif-bridge-x) and set the DomU config to use the respective file. 
> Then in each vif-bridge-x file, comment out "handle_iptable" and 
> call another script (iptables-up-x and iptables-down-x) which runs 
> the correct iptables commands. You could also put the iptables calls 
> directly in the vif-bridge-x file, however i keep them separate just 
> to keep things neat. It also means I can call my iptables-up-x and 
> iptables-down-x scripts without rebooting the DomU. I have also give 
> each DomU an incoming chain and outgoing chain, meaning I can add 
> rules easily which only apply to each DomU. I make heavy use of 
> physdev.
I don't have a need for this myself at the moment. It might well be 
useful to others if you could upload examples to the Wiki - IIRC this 
question has come up several times in various forms.
--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users