This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

RE: [Xen-users] Bridge Hopping

To: "Fajar A. Nugraha" <fajar@xxxxxxxxx>, <Xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Bridge Hopping
From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
Date: Thu, 15 Jul 2010 09:28:43 +0100
Cc:
Delivery-date: Thu, 15 Jul 2010 01:31:47 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4C3E2A8A.9040408@xxxxxxxxxxx><64D0546C5EBBD147B75DE133D798665F06A11C24@xxxxxxxxxxxxxxxxx><46C13AA90DB8844DAB79680243857F0F0AFDAF@xxxxxxxxxxxxxxxxxxx> <AANLkTikCXcbzyeN5w5ciSIbUO-HqPaKwU7EX2m7YAcjh@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Acsj9KE2GtFUMeotTFC+7R5nUmw6PgAAxrqo
Thread-topic: [Xen-users] Bridge Hopping

From: Fajar A. Nugraha [mailto:fajar@xxxxxxxxx]
Sent: Thu 15/07/2010 09:06
To: Jonathan Tripathy
Cc: Xen User-List
Subject: Re: [Xen-users] Bridge Hopping

On Thu, Jul 15, 2010 at 2:49 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
> My question was whether the
> Dom0 could "forward" packets from one bridge to the other (This is what I
> wish to prevent). The 2 bridges that don't have an ip address assigned have
> untrusted clients connected to them

Under normal circumstances, no. Dom0 would forward traffic from one
bridge to another if they have IP addresses and dom0 is set up to
function as a router. That is, dom0 would treat the bridge the same
way as it treats any other interface. So if it does not have an IP address
on the dom0 side, dom0 can't forward traffic from one bridge to another.

Note that I said "under normal circumstances". You should be able to
make it behave otherwise using things like
http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/,
or by creating some userland program that uses libpcap.

--
Fajar

------------------------------------------------------------------------------------------------------

Thanks Fajar.

Nope, I'm not doing anything like the above. I am doing filtering on the Dom0 though (using network-bridge and vif-bridge); however, as you say, since the bridges have no IP address, Dom0 can't route between the bridges and no traffic should "leak" from one bridge to the other, correct?

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
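As an added check for the question Jonathan asks above (this is example code, not from the thread, from Xen, or from either poster): a POSIX shell audit that tests the "normal circumstances" conditions Fajar names for dom0 forwarding between two bridges, namely whether either bridge carries an IP address in dom0 and whether IP forwarding is enabled, and then lists any explicit FORWARD rule between them. The bridge names xenbr0/xenbr1/xenbr2, the sample `ip -o addr show` output and the verdict words are constructed for the example, and `bridge_has_global_addr`, `assess_bridge_isolation` and `audit_live` are the example's own names.

```shell
#!/bin/sh
# Added example; not code from the xen-users thread, from Xen, or from either
# poster. Checks the "normal circumstances" conditions for dom0 forwarding
# between two bridges: do the bridges carry IP addresses, and is IP
# forwarding enabled. Bridge names xenbr0/xenbr1/xenbr2 are placeholders.

# bridge_has_global_addr NAME ADDR_OUTPUT
#   ADDR_OUTPUT is the text of `ip -o addr show` (one address per line,
#   fields: index, ifname, family, address, ...). Exits 0 when NAME has a
#   global-scope IPv4 or IPv6 address; loopback and link-local addresses
#   (scope host / scope link) are ignored because they do not make dom0 a
#   router for the bridge.
bridge_has_global_addr() {
    printf '%s\n' "$2" | awk -v br="$1" '
        $2 == br && ($3 == "inet" || $3 == "inet6") && /scope global/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# assess_bridge_isolation BR_A BR_B ADDR_OUTPUT IPV4_FWD IPV6_FWD
#   Prints one verdict word:
#     isolated             neither bridge has an address in dom0
#     addressed-no-fwd     a bridge has an address, but forwarding is off
#     forwarding-possible  a bridge has an address and forwarding is on;
#                          the FORWARD chain then decides what passes
assess_bridge_isolation() {
    _addrs=$3
    _has=0
    bridge_has_global_addr "$1" "$_addrs" && _has=1
    bridge_has_global_addr "$2" "$_addrs" && _has=1
    if [ "$_has" -eq 0 ]; then
        echo isolated
    elif [ "$4" = 0 ] && [ "$5" = 0 ]; then
        echo addressed-no-fwd
    else
        echo forwarding-possible
    fi
}

# audit_live BR_A BR_B
#   Runs the assessment against this host and shows any explicit FORWARD
#   rule between the two bridges. Meaningful only on the dom0 itself.
audit_live() {
    _live=$(ip -o addr show 2>/dev/null) || _live=""
    _f4=$(sysctl -n net.ipv4.ip_forward 2>/dev/null || echo 0)
    _f6=$(sysctl -n net.ipv6.conf.all.forwarding 2>/dev/null || echo 0)
    printf '%s <-> %s: %s\n' "$1" "$2" \
        "$(assess_bridge_isolation "$1" "$2" "$_live" "$_f4" "$_f6")"
    iptables -S FORWARD 2>/dev/null | grep -E -- "-i $1 -o $2|-i $2 -o $1" \
        || echo "no explicit FORWARD rule between $1 and $2"
}

# Constructed sample of `ip -o addr show`: a management bridge with an
# address (xenbr0) and an untrusted guest bridge with only a link-local
# IPv6 address (xenbr1); a third bridge (xenbr2) has no address at all.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: xenbr0    inet 192.0.2.11/24 brd 192.0.2.255 scope global xenbr0\       valid_lft forever preferred_lft forever
5: xenbr1    inet6 fe80::216:3eff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever'

# Stand-alone demonstration on the sample with ip_forward=1; on a dom0,
# call: audit_live xenbr1 xenbr2
for _pair in "xenbr1 xenbr2" "xenbr0 xenbr1"; do
    set -- $_pair
    printf '%s <-> %s: %s\n' "$1" "$2" \
        "$(assess_bridge_isolation "$1" "$2" "$SAMPLE_ADDRS" 1 0)"
done
```

A verdict of `isolated` means only that dom0 has nothing to route between the two bridges, which is the case Fajar describes as normal. The exceptions he mentions (a tee/clone iptables rule or a libpcap program copying frames) are not detected by this audit, so it complements rather than replaces a review of the dom0 ruleset and running processes.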