WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-devel

Re: [Xen-devel] Iptables

To: "Xiaofang Chen" <xiachen@xxxxxxxxxxx>
Subject: Re: [Xen-devel] Iptables
From: Ian Pratt <Ian.Pratt@xxxxxxxxxxxx>
Date: Mon, 21 Jun 2004 19:26:06 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxxx, Ian.Pratt@xxxxxxxxxxxx
Delivery-date: Mon, 21 Jun 2004 19:27:52 +0100
Envelope-to: steven.hand@xxxxxxxxxxxx
In-reply-to: Your message of "Sat, 19 Jun 2004 17:02:20 MDT." <008101c45651$79f251c0$7eb6639b@XFCHEN>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
> From the paper "Isolation of Shared Network Resources in
> XenoServers", it seems that Xen supports IPTABLES for each guest
> OS and dom0. Can someone tell me how to use it in Xen? That is,
> how to set those rules for each guest OS?

In the xeno-unstable tree, the guest OS's virtual 'back-end'
interfaces appear as devices in domain0 (e.g. vif1.0 is domain 1
vif 0).

The normal way to configure them is to use brctl (from the
bridge-utils package) to do L2 bridging onto the real network
interface.

If you want to do iptables filtering you'll need to install the
"ebtables-bridged-nf" patch:

http://heanet.dl.sourceforge.net/sourceforge/ebtables/ebtables-brnf-5_vs_2.4.25.diff.gz

The patch will apply to Linux 2.4.26 with fuzz factor 3 (-F3).

The only extra kernel config option you'll probably want to enable is
IP_NF_MATCH_PHYSDEV.

Alternatively, you might be able to do what you want just using
ebtables rather than iptables, in which case you should enable 
BRIDGE_NF_EBTABLES etc.


You'll need a relatively recent version of iptables to support
the physdev option -- the default RH9 1.2.7a doesn't support it.

Once you're running your new domain 0 kernel you'll be able to
configure things in the normal way.

For example to restrict a domain to a specific IP address:

# Default-deny all bridged traffic, then allow only packets that enter
# from vif1.0 carrying the assigned source address, and packets that
# leave via vif1.0 addressed to it.
iptables -P FORWARD DROP
iptables -A FORWARD -m physdev --physdev-in vif1.0 -s 129.239.38.221 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out vif1.0 -d 129.239.38.221 -j ACCEPT


Over time, we'll be adding stuff to the management tools to make
configuring IP address restrictions etc easier.

Also, I'll add something to the toplevel Makefile to make
installing the ebtables-bridged-nf patch the default for domain 0
kernels, as I think many people will want it. The patch is
already in mainstream 2.6, so when we make the switch we'll be
able to drop it.


Ian
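The per-domain physdev rules above generalise naturally to several guests: a default-deny FORWARD policy plus one inbound and one outbound ACCEPT per vif, so a guest can neither spoof another address nor receive traffic for one. The script below is an added example, not code from Ian's mail or from the Xen tools; it assumes the vif naming described in the mail (vifN.M in domain 0), a constructed domain table mapping each vif to its assigned address, and emits the iptables commands in dry-run mode unless APPLY=1 is set, so the generated ruleset can be reviewed before it is loaded.

```sh
#!/bin/sh
# Added example: build the physdev-based FORWARD ruleset that pins each
# guest's back-end vif to a single IPv4 address. Dry-run by default
# (commands are printed); APPLY=1 executes them as root on domain 0.

# Constructed domain table (assumption, not a Xen config format):
# one "vif<domid>.<idx> <ip>" pair per line.
DOMAIN_TABLE='vif1.0 129.239.38.221
vif2.0 129.239.38.222'

# Print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address
# (four octets, each 0-255); a bad address must never reach iptables.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Rules for one guest: only traffic from/to its assigned address may cross
# the bridge through its back-end vif; everything else hits the DROP policy.
domain_rules() {
    vif=$1
    ip=$2
    valid_ipv4 "$ip" || { echo "bad address for $vif: $ip" >&2; return 1; }
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -s "$ip" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-out "$vif" -d "$ip" -j ACCEPT
}

# Full ruleset: flush FORWARD, default-deny, then one pair per domain.
# Returns non-zero (and stops) if any table entry is malformed.
build_ruleset() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    echo "$DOMAIN_TABLE" | while read -r vif ip; do
        [ -n "$vif" ] || continue
        domain_rules "$vif" "$ip" || return 1
    done
}

build_ruleset
```

Because the ACCEPT rules match on both the physdev interface and the address, a guest that changes its own IP simply loses connectivity rather than gaining someone else's traffic; a defender reviewing domain 0 can confirm the ruleset with `iptables -L FORWARD -v` and look for hit counts on the DROP policy as a sign of a misconfigured or misbehaving guest.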

