[Xen-devel] Patch for Improved vif-route

To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] Patch for Improved vif-route
From: Andy Lee <andylee@xxxxxxxx>
Date: Tue, 23 Aug 2005 14:47:03 -0700
Cc: Ian Pratt <m+Ian.Pratt@xxxxxxxxxxxx>
Delivery-date: Tue, 23 Aug 2005 21:45:16 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Here's my version of vif-route, which filters packets to/from domU.  

This is my first time submitting a patch.  Am I supposed to add '[PATCH]' to the 
subject line?  Or is there a web-based patch submission that I don't know about?

diff -r 8d655336fd69 -r 2ce5a2fb29d8 tools/examples/vif-route
--- a/tools/examples/vif-route  Tue Aug 23 21:15:18 2005
+++ b/tools/examples/vif-route  Tue Aug 23 21:25:45 2005
@@ -19,12 +19,36 @@
 # vif     vif interface name (required).
 # mac     vif MAC address (required).
 # ip      list of IP networks for the vif, space-separated (optional).
+#
+# Additional Notes: 
+#
+#   This script requires the following Dom0 kernel options:
+#
+#     CONFIG_IP_ADVANCED_ROUTER=y
+#     CONFIG_IP_MULTIPLE_TABLES=y
+#     CONFIG_BRIDGE_NETFILTER=y
+#     CONFIG_IP_NF_IPTABLES=y
+#     CONFIG_IP_NF_MATCH_IPRANGE=y
+#     CONFIG_IP_NF_MATCH_PHYSDEV=y
+#     CONFIG_IP_NF_FILTER=y
+#
+#   DomU configuration file must declare domain's IP addresses via vif.
+#
+#   Examples: 
+#     vif = [ 'ip=192.168.0.16, vif=vif1.0' ]
+#     vif = [ 'ip=192.168.0.16 192.168.0.17' ] # multiple IP's
+#     vif = [ 'ip=192.168.0.16/31' ] # multiple IP's using netmask
+#
 #============================================================================
 
 # Exit if anything goes wrong
 set -e 
 
 echo "vif-route $*"
+
+# Network device connected to the Internet
+wan_dev='eth0'
+echo 1 >/proc/sys/net/ipv4/conf/${wan_dev}/proxy_arp
 
 # Operation name.
 OP=$1
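Review bot: `wan_dev='eth0'` is hardcoded and the `echo 1 >/proc/sys/net/ipv4/conf/${wan_dev}/proxy_arp` write runs on every invocation, including `down`, so the host's uplink is left in proxy_arp mode for as long as the host runs, and on a host whose uplink is not `eth0` the missing `/proc` path makes `set -e` abort the script before any vif work happens. Suggest making the device overridable, e.g. `wan_dev=${wan_dev:-eth0}`, and moving the proxy_arp write into the `up)` branch next to the per-vif `proxy_arp` setting so that `down` does not touch the WAN interface. The header is also now inconsistent with itself: `# ip      list of IP networks for the vif, space-separated (optional).` still says optional, while the added note says the DomU configuration `must declare domain's IP addresses via vif`; one of the two should be corrected.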
@@ -41,12 +65,12 @@
 # Optional parameters. Set defaults.
 ip=${ip:-''}   # default to null (do nothing)
 
-main_ip=`ifconfig eth0 | grep "inet addr:" | sed -e 's/.*inet 
addr:\(\w\w*\.\w\w*\.\w\w*\.\w\w*\).*/\1/'`
+main_ip=`ifconfig ${wan_dev} | grep "inet addr:" | sed -e 's/.*inet 
addr:\(\w\w*\.\w\w*\.\w\w*\.\w\w*\).*/\1/'`
 
 # Are we going up or down?
 case $OP in
     up)
-        ifconfig ${vif} 169.254.1.0 netmask 255.255.255.255 up
+        ifconfig ${vif} 10.255.255.1 netmask 255.255.255.255 up
         echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
         iptcmd='-A'
         ipcmd='a'
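Review bot: the change of the vif's host-side address from `169.254.1.0` to `10.255.255.1` is a behaviour change that neither the cover mail nor the header comment explains. `10.255.255.1` lies inside the RFC 1918 `10.0.0.0/8` range and can collide with addresses already routed at a site, whereas the link-local `169.254.0.0/16` address did not; if the change is needed, please state why in the patch description (or make it a variable next to `wan_dev`), otherwise keep the link-local address and leave this hunk as the `${wan_dev}` substitution only.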
@@ -63,14 +87,16 @@
         ;;
 esac
 
-if [ ${ip} ] ; then
+# Packet filtering
+vif_in="-m physdev --physdev-in ${vif}"
+if [ "${ip}" ] ; then
 
-    # If we've been given a list of IP networks, allow pkts with these src 
addrs.
-    for addr in ${ip} ; do
-      ip r ${ipcmd} ${addr} dev ${vif} src ${main_ip}
-#      iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s ${addr} -j 
ACCEPT
-    done 
+    # Forward only packets with source IP's matching domain's IP's
+    for addr in `echo ${ip}` ; do
+        ( ip r ${ipcmd} ${addr} dev ${vif} src ${main_ip} &>/dev/null )
+        iptables ${iptcmd} FORWARD ${vif_in} -s ${addr} -j ACCEPT
+    done
 
-    # Always allow us to talk to a DHCP server anyhow.
-#    iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -p udp --sport 
68 --dport 67 -j ACCEPT
+    # Drop other packets
+    iptables ${iptcmd} FORWARD ${vif_in} -j DROP
 fi
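Review bot: the filter keys on `-m physdev --physdev-in ${vif}`, but the physdev match identifies bridge port devices, and in this routed setup the vif is not enslaved to a bridge; unless the host also bridges these interfaces, neither the ACCEPT nor the DROP rule will match and the intended source filtering is silently absent. For a routed vif the match should be `-i ${vif}`, which would also remove the bridge-netfilter and physdev kernel options from the header's requirement list. Two smaller points in the same loop: `&>/dev/null` is a bash extension, and if the script runs under `/bin/sh` it is parsed as `&` followed by a redirect, backgrounding the `ip r` command; and the `( ... )` subshell does not shield the parent from `set -e`, so a failing `ip r` (presumably expected for `ip r d` on `down`) still aborts the script before the iptables rules are touched; `|| true` is the usual idiom. Finally, the rules only cover FORWARD, so traffic from the vif addressed to dom0 itself (INPUT) remains unfiltered, and when `ip` is empty no DROP rule is added at all, leaving a domain without an `ip=` entry unrestricted; worth stating in the header if that is intended.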

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel