WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-devel

Re: [Xen-devel] Communication between Domain0 and Domain1

To: Derek Glidden <dglidden@xxxxxxxxxxxxxxx>
Subject: Re: [Xen-devel] Communication between Domain0 and Domain1
From: Ian Pratt <Ian.Pratt@xxxxxxxxxxxx>
Date: Mon, 19 Jul 2004 10:39:47 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxxx, Ian.Pratt@xxxxxxxxxxxx
Delivery-date: Mon, 19 Jul 2004 10:44:01 +0100
Envelope-to: steven.hand@xxxxxxxxxxxx
In-reply-to: Your message of "Sun, 18 Jul 2004 18:29:54 EDT." <FDE9CA8E-D909-11D8-9A53-000A95DBAEDE@xxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
> 
> On Jul 18, 2004, at 3:09 PM, Ian Pratt wrote:
> 
> > I haven't had any problems with bridging, but I agree that the L3
> > routing solution may be better under some circumstances.
> 
> I haven't had great luck with bridging in Linux, period, not just with 
> Xen.  Fortunately I've rarely needed it.
> 
> In any case, the reason I'm personally using VMs is to strictly control 
> what is allowed in and out of each particular VM and to be able to 
> control through firewalling anyway, and doing some VM-based solution is 
> a heck of a lot cheaper than buying a dozen physical pieces of hardware 

With the bridge-nf patch that we build into dom0 by default, it's
possible to do all the normal iptables firewalling with a bridge setup.

> > It would be good to have a 'vif-router' script to use as an
> > alternative to 'vif-bridge' for users wanting to operate a routed
> > configuration. If you've got something suitable we could check in
> > to the repo that would be great. I guess a modified 'network'
> > script would be required too.
> 
> If I can get the VMs stabilized, I'll work on that next since right now 
> I've just got everything in script I wrote that "brute-force" ups a 
> bunch of aliases and adds a bunch of NAT rules that I'm running 
> manually.
> 
> I haven't looked real close at the bridge config/script so I don't know 
> if it handles downing a VM gracefully; iptables isn't very good at 
> dynamically removing rules.  You have to know what order they went in 
> to be able to remove it in the order it was created.  i.e. you can 
> create a rule by saying "from source IP such and destination IP such, 
> do thusly" but you can't remove it with the same terminology, you have 
> to say "remove rule number twelve."  So bringing up a VIP and assigning 
> an eth0 alias and creating a NAT rule is pretty easy, but there's no 
> graceful way to handle removing the NAT rule if you want to down the 
> VM/VIP.

Yep, iptables isn't so smart. I wonder if it's possible to do
something by having rules for a particular domain on a single
chain, and then just delete the whole chain when a VM dies?

Ian

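The per-domain chain idea from the reply above, worked through as a small
vif-router style script. This is an added example, not code from the Xen
tree or from either poster: the chain name xen-dom<DOMID>, the eth0 uplink
default, the "up|down DOMID VIF GUEST_IP" calling convention and the
IPTABLES override used for dry runs are all assumptions made here.

```sh
#!/bin/sh
# Per-domain iptables chains for a routed (non-bridged) Xen setup.
# Added example, not from the Xen tree. Names are assumptions: the chain is
# xen-dom<DOMID>, the uplink defaults to eth0, and the script is called as
#   vif-router up|down DOMID VIF GUEST_IP
# by whatever brings the domain's vif up or down.
#
# Point IPTABLES at a dry-run command (e.g. a shell function that prints its
# arguments) to see the rule set without touching the kernel.

IPTABLES=${IPTABLES:-iptables}
UPLINK=${UPLINK:-eth0}

# Chain name for a domain id: dom_chain 3 -> xen-dom3
dom_chain() {
    printf 'xen-dom%s\n' "$1"
}

# vif_router_up DOMID VIF GUEST_IP
# Everything belonging to the domain lives in xen-dom<N> (filter table) and
# xen-dom<N> (nat table); the built-in chains only hold one jump each.
vif_router_up() {
    [ $# -eq 3 ] || { echo "usage: vif_router_up DOMID VIF GUEST_IP" >&2; return 1; }
    domid=$1; vif=$2; ip=$3
    chain=$(dom_chain "$domid")

    # filter table: hook the domain's chain into FORWARD for both directions
    "$IPTABLES" -N "$chain"
    "$IPTABLES" -A FORWARD -i "$vif" -j "$chain"
    "$IPTABLES" -A FORWARD -o "$vif" -j "$chain"
    # anti-spoofing: anything from the vif must carry the guest's address
    "$IPTABLES" -A "$chain" -i "$vif" ! -s "$ip" -j DROP
    # guest may talk out through the uplink; only replies come back in
    "$IPTABLES" -A "$chain" -i "$vif" -o "$UPLINK" -j ACCEPT
    "$IPTABLES" -A "$chain" -i "$UPLINK" -o "$vif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A "$chain" -j DROP

    # nat table: masquerade this guest's traffic, again via its own chain
    "$IPTABLES" -t nat -N "$chain"
    "$IPTABLES" -t nat -A POSTROUTING -s "$ip" -o "$UPLINK" -j "$chain"
    "$IPTABLES" -t nat -A "$chain" -j MASQUERADE
}

# vif_router_down DOMID VIF GUEST_IP
# Order matters: a chain cannot be deleted (-X) while a jump still references
# it or while it holds rules, so unhook first, then flush, then delete.
vif_router_down() {
    [ $# -eq 3 ] || { echo "usage: vif_router_down DOMID VIF GUEST_IP" >&2; return 1; }
    domid=$1; vif=$2; ip=$3
    chain=$(dom_chain "$domid")

    "$IPTABLES" -D FORWARD -i "$vif" -j "$chain"
    "$IPTABLES" -D FORWARD -o "$vif" -j "$chain"
    "$IPTABLES" -F "$chain"
    "$IPTABLES" -X "$chain"

    "$IPTABLES" -t nat -D POSTROUTING -s "$ip" -o "$UPLINK" -j "$chain"
    "$IPTABLES" -t nat -F "$chain"
    "$IPTABLES" -t nat -X "$chain"
}

case "${1:-}" in
    up)   shift; vif_router_up "$@" ;;
    down) shift; vif_router_down "$@" ;;
    "")   ;;   # no arguments: just define the functions (sourced)
    *)    echo "usage: $0 up|down DOMID VIF GUEST_IP" >&2; exit 1 ;;
esac
```

The only state the teardown needs is the domain id, vif name and guest
address, which the caller already has; nothing has to remember rule numbers.
The two jump rules are removed by specification (iptables -D accepts the same
match arguments as -A), so the built-in chains never accumulate stale jumps
between domain restarts, and -F/-X then take the whole chain down in one go.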

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel