xen-users
Re: [Xen-users] Xen with 'Routing' scripts
Nils Toedtmann wrote:
On Sunday, 17.04.2005, 18:56 +0200, Roland Paterson-Jones wrote:
 
I would call it a hack rather than a network topology. The only
advantage is that dom-0 doesn't have to know the dom-U IP addresses, but
can still exert firm control over traffic from dom-Us.

I think I might be able to achieve what I want with ebtables by brouting
all outgoing traffic.

What is "brouting"? There's an ebtables chain with that name, but I
never heard this term (yet) as a name for a network topology ...?
 
 So dom-0 is a router for outgoing traffic but a 
bridge for incoming traffic.
Ah! Is that standard terminology?
 
I doubt it ;)
I'm assuming iptables doesn't see bridged ethernet traffic (!?). So using
ebtables' brouting forces the outbound IP traffic through IP routing,
letting iptables take a look.
What advantage do you gain over proper bridging?
 
 The MAC -> IP mapping is a pain with DHCP, cos dhcpd scripting doesn't 
extend to mangling the hardware address into the resulting (fixed) IP 
address. In the prototype, I had a hard-coded rule for each MAC -> IP. 
This is not very scalable!
At domU creation time, dom0 knows its dedicated MAC, and (according to
your own rules) the corresponding IP of that domU. As Ian wrote: extend the
vif-bridge (which now knows the IP/MAC/VIF combination) using
 
However, another way to do it is to use iptables to QUEUE DHCP responses 
to a custom ipq app which pulls out the IP address and does the same. In 
other words, to sniff the DHCP allocations in dom-0. 
And, yes, I think you DO need to know the IP address to do effective 
firewalling in dom-0. Previously, I was hoping to avoid dom-0 knowing 
the IP address at all by using bridging. 
 Does iptables get to see ethernet-bridged traffic? I thought ethernet 
traffic snuck through under the iptables radar since it doesn't 
(shouldn't?) touch the IP stack.
* iptables to enforce the correct IP (--> no IP spoofing)
 
Thanks again for the frank discussion
Roland
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
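As an added illustration of the brouting idea discussed above (not code from the thread or from the Xen vif scripts): the per-domU rules dom-0 would install so that IPv4 frames leaving a domU's vif are routed instead of bridged, which puts them in front of iptables, where the vif's MAC is then pinned to its assigned IP so that only that MAC/IP pair is forwarded. The vif name, MAC and IP are constructed sample values; the script prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# DRY_RUN=1 (default) prints the ebtables/iptables commands; DRY_RUN=0 runs them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# domu_rules VIF MAC IP  -- emit the rules for one domU (values are constructed).
domu_rules() {
    vif=$1; mac=$2; ip=$3
    # Brouter: an IPv4 frame arriving on this vif is handed to the IP stack
    # instead of being bridged (DROP in the BROUTING chain means "route");
    # the redirect target rewrites the destination MAC to the bridge's own
    # address so the local stack accepts the frame. Non-IPv4 frames such as
    # ARP fall through this rule and are still bridged normally.
    run ebtables -t broute -A BROUTING -i "$vif" -p IPv4 -j redirect --redirect-target DROP
    # The routed frames now pass the FORWARD chain with the vif as input
    # device, so iptables can bind the source MAC to the assigned source IP
    # and drop everything else from that vif (no IP or MAC spoofing).
    run iptables -A FORWARD -i "$vif" -m mac --mac-source "$mac" -s "$ip" -j ACCEPT
    run iptables -A FORWARD -i "$vif" -j DROP
}

# Sample invocation with constructed values (00:16:3e is the Xen OUI).
domu_rules vif1.0 00:16:3e:00:00:01 10.0.0.5
```

Inbound traffic towards the domU is untouched by these rules and keeps flowing over the bridge, which is the "router out, bridge in" split described in the thread.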