WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Xen with 'Routing' scripts

Subject: Re: [Xen-users] Xen with 'Routing' scripts
From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
Date: Sun, 17 Apr 2005 18:56:08 +0200
Cc: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Sun, 17 Apr 2005 16:55:25 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <A95E2296287EAD4EB592B5DEEFCE0E9D1E3BE6@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <A95E2296287EAD4EB592B5DEEFCE0E9D1E3BE6@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 0.8 (Windows/20040913)
Ian Pratt wrote:

>> I guess we want to restrict the dom-U to IP packets with IP/MAC pairs that match previous ARP results. Can ebtables in dom-0 filter this accurately?
>
> Sure. If you don't know all the rules at domain creation time you'll
> probably need to cook up your own little daemon to add rules.

I think I might be able to achieve what I want with ebtables by brouting all outgoing traffic. So dom-0 is a router for outgoing traffic but a bridge for incoming traffic. I think I just have to enable ip_forwarding, but otherwise use the xen 'bridging' scripts.

>> Also, there will be more ARP'ing with bridging, since all the dom-U's will ARP independently (can we short-circuit ARP responses in dom-0?).
>
> Why would you want to? It's hardly high bandwidth.

Well, ARP is broadcast and across all bridged networks. What if the dom-U did an ARP-bomb attack, for example. I don't know really. I guess you could rate limit ARP's with ebtables.

Anyway, if we're brouting outbound traffic, then we can use --arpreply <bogus-address> to short-circuit outbound ARP requests. They're no use anyway, if we're brouting all outbound traffic.

Does this all sound plausible or maybe even sensible?

Thanks for your help
Roland
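The brouter setup sketched in the message above, written out as dom0 ebtables/iptables rules for one guest vif. This is an added example, not part of the thread and not the Xen network scripts: the vif name, the guest MAC/IP pair and the MAC handed back in ARP replies are all assumed values, and the rules are emitted as commands (so they can be reviewed, or piped to sh on dom0) rather than executed. It follows the thread's idea exactly: IPv4 from the expected MAC/IP pair is brouted to dom0's IP stack (in the broute table "DROP" means route, and the redirect target rewrites the destination MAC so the IP layer accepts the frame), the guest's ARP requests are answered locally by the arpreply target (its option is spelled --arpreply-mac) and rate limited, the guest's own ARP replies are let through so inbound traffic keeps being bridged to it, and anything else the guest puts on the bridge is dropped.

```shell
#!/bin/sh
# Added example (not from the thread or the Xen scripts). Interface names,
# MACs and IPs are assumptions; ip_forward must be on for the routed leg.

h='[0-9a-fA-F][0-9a-fA-F]'

# Accept only six colon-separated hex pairs; the values are spliced into
# rule text, so refuse anything else outright.
valid_mac() {
    case $1 in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only a dotted quad with every octet in 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Host-wide prerequisite for the routed (outbound) leg.
host_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Print, one per line, the commands for a guest on $1 that is allowed
# exactly the MAC/IP pair ($2, $3). $4 is the MAC returned in the
# short-circuited ARP replies; any address the guest will use as its
# next hop works, since dom0 routes the frame regardless.
vif_rules() {
    vif=$1; mac=$2; ip=$3; dom0_mac=$4
    valid_mac "$mac" && valid_mac "$dom0_mac" && valid_ipv4 "$ip" || return 1
    # broute: IPv4 from the allowed pair leaves the bridge path and is routed
    # ("DROP" here means route). Anything else stays bridged and meets the
    # FORWARD rules below.
    echo "ebtables -t broute -A BROUTING -i $vif -s $mac -p IPv4 --ip-src $ip -j redirect --redirect-target DROP"
    # nat PREROUTING: answer the guest's ARP requests locally, rate limited,
    # only when the sender fields match the allowed pair. arpreply discards
    # the request after answering, so it is never flooded onto the bridge.
    echo "ebtables -t nat -A PREROUTING -i $vif -p ARP --arp-opcode Request -s $mac --arp-mac-src $mac --arp-ip-src $ip --limit 10/second --limit-burst 20 -j arpreply --arpreply-mac $dom0_mac"
    # filter FORWARD: the guest may still answer ARP for its own address
    # (inbound traffic is bridged to it), again rate limited ...
    echo "ebtables -A FORWARD -i $vif -p ARP --arp-opcode Reply -s $mac --arp-mac-src $mac --arp-ip-src $ip --limit 10/second --limit-burst 20 -j ACCEPT"
    # ... and every other frame it puts on the bridge (spoofed MAC or IP,
    # non-IPv4, excess ARP) is discarded.
    echo "ebtables -A FORWARD -i $vif -j DROP"
    # Routed leg: brouted packets reach the IP layer on $vif, not on the
    # bridge, so repeat the source check where iptables can see it.
    echo "iptables -A FORWARD -i $vif ! -s $ip -j DROP"
}

# Usage on dom0:  ./brouter.sh vif5.0 00:16:3e:00:00:05 192.0.2.5 00:16:3e:ff:ff:fe | sh
# Without the "| sh" the commands are only printed for review.
if [ $# -eq 4 ]; then
    host_rules
    vif_rules "$@"
fi
```

The per-vif rules are meant to be installed by whatever creates the domain (or the small daemon Ian mentions), once the guest's MAC/IP pair is known; tearing them down means deleting the same five rules with -D.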


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
