xen-devel
Re: [Xen-devel] vif-bridge question
> On November 22, 9:30 am Ian Pratt <Ian.Pratt@xxxxxxxxxxxx> wrote:
> >
> > > in /etc/xen/scripts/vif-bridge there is this snippet of code:
> > >
> > >   if [ ${ip} ] ; then
> > >     # If we've been given a list of IP networks, allow pkts with these src addrs.
> > >     for addr in ${ip} ; do
> > >       iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s ${addr} -j ACCEPT
> Here vif will be something like vif34.0. How is it viewed by the bridging
> code? (As a standard ethxx interface?)
Yep, 'vif4.0' appears as a normal ethernet interface as far as
the linux bridge code is concerned. You can think of the vif as
being connected by a crossover cable to the eth0 in the guest.
> I use antispoof but I've been obliged to modify the rule this way:
> iptables ${iptcmd} FORWARD -m physdev --physdev-out ${interface} -j ACCEPT
> in order to allow a xenU domain to talk with another computer on my
> network.
Does that make any sense? You're not actually forcing packets
from the vif to have a particular src IP addr, which was the
intention of the antispoof rule.
You might as well run with antispoof off.
> In order to allow two xenU domains on the same machine to talk, I'm also
> obliged to add those two more rules:
>
> iptables ${iptcmd} FORWARD -i ${vif} -j ACCEPT
> iptables ${iptcmd} FORWARD -o ${vif} -j ACCEPT
> I'm obliged to add this because I don't specify an IP address in the xenU
> configuration file, so it skips the piece of code quoted above.
>
> You may ask why I don't specify the IP in the xenU domain file.
> There are, in my point of view, two cases:
> * XenU has a DHCP address, and so if the interface gets its address from DHCP,
> specifying it is useless ...
Antispoof only makes sense if you know what IP addr the guest
should be using. If you're using a DHCP server handing out static
addresses that's not a problem. If they're truly dynamic then
you're going to have to either parse the logs of the DHCP server
or snoop and process the DHCP reply. Grim.
> * XenU has a fixed address; well, for the moment I prefer to specify the
> address also in the interfaces file (in Debian), so specifying it in this file +
> xenU is redundant and may introduce errors when I change the address.
Sure, but that's kind of the whole point of antispoof ;-)
Ian
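To make Ian's point concrete, here is an added example (not the vif-bridge script itself, and not code from either poster) of what a per-vif antispoof rule set has to look like to actually enforce the source address: accept only the configured addresses coming out of the vif, then drop everything else from that vif. By default it only prints the iptables commands; the function name, the APPLY switch and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-vif antispoof rules in the style of vif-bridge.
# Accept traffic from the vif only when its source is in the configured
# list, allow the reverse direction (into the guest), and drop the rest.

IPT=${IPT:-iptables}
APPLY=${APPLY:-0}   # 0: print the rules (safe, no root); 1: run them

run_rule() {
    if [ "$APPLY" = 1 ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# vif_antispoof <online|offline> <vif> "<ip> [<ip> ...]"
# e.g. vif_antispoof online vif4.0 "10.0.0.5"   (constructed sample values)
vif_antispoof() {
    op=$1; vif=$2; ip=$3
    case "$op" in
        online)  iptcmd="-A" ;;
        offline) iptcmd="-D" ;;
        *) echo "vif_antispoof: bad op '$op'" >&2; return 1 ;;
    esac
    # With no IP list there is nothing to pin the guest to; refuse rather
    # than fall back to a blanket ACCEPT, which would disable antispoof.
    if [ -z "$ip" ]; then
        echo "vif_antispoof: no IP list for $vif, refusing to open it" >&2
        return 1
    fi
    # Only frames whose source is one of the configured addresses may leave
    # the vif towards the bridge.
    for addr in $ip ; do
        run_rule "$iptcmd" FORWARD -m physdev --physdev-in "$vif" \
            -s "$addr" -j ACCEPT
    done
    # Frames going into the guest need no source check.
    run_rule "$iptcmd" FORWARD -m physdev --physdev-out "$vif" -j ACCEPT
    # Anything else leaving the vif carries a source the guest was not
    # given: drop it. Appended last so the ACCEPTs above match first.
    run_rule "$iptcmd" FORWARD -m physdev --physdev-in "$vif" -j DROP
}
```

Run with `APPLY=1` as root to install the rules for real; without it the function only shows what would be executed.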
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel