RE: [Xen-users] Xen with 'Routing' scripts

To: "Roland Paterson-Jones" <roland@xxxxxxxxxxxx>, "xen-users" <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Xen with 'Routing' scripts
From: "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Date: Sun, 17 Apr 2005 17:19:54 +0100
Cc: ian.pratt@xxxxxxxxxxxx
> Can we ensure that dom-U is not sending ethernet packets with 
> fake destination mac addresses if we're using bridging?

Sure. Just add the appropriate netfilter or ebtables rules to
'vif-bridge'.
 
> How do we prevent a dom-U filling up our LAN with bogus 
> ethernet addresses?

There's an example of a netfilter rule to prevent spoofing of bogus src
IP addrs.

> I guess we want to restrict the dom-U to IP packets with 
> IP/MAC pairs that match previous ARP results. Can ebtables in 
> dom-0 filter this accurately?

Sure. If you don't know all the rules at domain creation time you'll
probably need to cook up your own little daemon to add rules.

> Also, there will be more ARP'ing with bridging, since all the 
> dom-U's will ARP independently (can we short-circuit ARP 
> responses in dom-0?).

Why would you want to? It's hardly high bandwidth.

Ian
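
One way to write the ebtables rules the reply refers to, as an added example that is not part of the original message or of the Xen scripts. It assumes a statically addressed guest; the helper names, vif name, MAC and IP are hypothetical or constructed sample values, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the thread or the Xen scripts). Prints, rather than
# applies, ebtables rules pinning one guest vif to its assigned MAC and IP.
# Assumes a statically addressed guest: a DHCP client sending from 0.0.0.0
# would need an extra ACCEPT rule ahead of these.

# valid VALUE REGEX: succeed only if the whole single-line value matches.
valid() {
    case $1 in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx "$2"
}

# vif_antispoof_rules VIF MAC IP (hypothetical helper name)
vif_antispoof_rules() {
    vif=$1 mac=$2 ip=$3
    # Reject anything that is not a plain vif name, MAC or dotted quad, so
    # malformed config values never reach a rule line.
    valid "$vif" 'vif[0-9]+\.[0-9]+' || { echo "bad vif: $vif" >&2; return 1; }
    valid "$mac" '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}' || { echo "bad MAC: $mac" >&2; return 1; }
    valid "$ip" '([0-9]{1,3}\.){3}[0-9]{1,3}' || { echo "bad IP: $ip" >&2; return 1; }

    # INPUT covers frames addressed to dom-0 itself, FORWARD covers frames
    # bridged on to other guests or the LAN.
    for chain in INPUT FORWARD; do
        cat <<EOF
ebtables -A $chain -i $vif -s ! $mac -j DROP
ebtables -A $chain -i $vif -p ARP --arp-mac-src ! $mac -j DROP
ebtables -A $chain -i $vif -p ARP --arp-ip-src ! $ip -j DROP
ebtables -A $chain -i $vif -p IPv4 --ip-src ! $ip -j DROP
ebtables -A $chain -i $vif -p ARP -j ACCEPT
ebtables -A $chain -i $vif -p IPv4 -j ACCEPT
ebtables -A $chain -i $vif -j DROP
EOF
    done
}

# Constructed sample values: guest vif1.0 with one MAC and one address.
vif_antispoof_rules vif1.0 00:16:3e:12:34:56 192.0.2.10
```

Review the printed rules before running them from 'vif-bridge' when the interface comes up, and remove them with matching `-D` commands on teardown.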
