WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] RFC: virtual network access control

from [Keir Fraser] [Permanent Link][Original]
To: Reiner Sailer <sailer@xxxxxxxxxx>
Subject: Re: [Xen-devel] RFC: virtual network access control
From: Keir Fraser <Keir.Fraser@xxxxxxxxxxxx>
Date: Fri, 28 Jul 2006 10:18:30 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx, Bryan D Payne <bdpayne@xxxxxxxxxx>
Delivery-date: Fri, 28 Jul 2006 02:18:50 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <OFCE04E500.B486243B-ON852571B8.006F2127-852571B8.00729D76@xxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <OFCE04E500.B486243B-ON852571B8.006F2127-852571B8.00729D76@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Looking at options for a solution for the current version of Xen, we propose netback as the place to enforce the policy. XM tools are not in the network path and do not resolve this problem. Therefore, this problem is different from the general resource access control problem (eg. blockback).
We also thought of extending packet filtering on MAC or IP level but it these options add new software package dependencies, e.g., ebtables or iptables. In addition, re-using existing iptables filters would require switching off the bridge and managing point-to-point rules for a potentially large number of user domains.
We appreciate feedback on the netback approach and we are open to other suggestions that solve this problem.
Sounds like you want to implement a primitive firewall in netback simply to avoid a dependency on the existing mechanisms that Linux has. That doesn't sound a good tradeoff to me, and I think it's unlikely to fly with the kernel maintainers.
The only problem I can see with relying on iptables (other than requiring it to be installed) is that it becomes harder to configure if netback is in a driver domain. Possibly we need to come up with some xenstore<->iptables interface (e.g., run an interfacing daemon in the same domain as netback). 

 -- Keir


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-devel] Do we have a hypercall that sets up p2m mapping for another domain, Li, Xin B
Next by Date:  Re: [Xen-devel] Do we have a hypercall that sets up p2m mapping for another domain, Keir Fraser
Previous by Thread:  RE: [Xen-devel] RFC: virtual network access control, Caitlin Bestler
Next by Thread:  Re: [Xen-devel] RFC: virtual network access control, Reiner Sailer
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy