
[Xen-devel] Network filtering setup

  • To: xen-devel <Xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: Jacob Gorm Hansen <jacobg@xxxxxxx>
  • Date: Fri, 22 Dec 2006 15:25:59 +0100
  • Delivery-date: Fri, 22 Dec 2006 06:26:10 -0800
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>


Back in Xen 1.x days I had this wonderful setup where I did not have to
bother with vifs and bridges or fake MAC addresses, and the following
piece of C in dom0:

#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

void setup_vfr_rules_for_vif(int dom, int vif, char *guest_ip)
{
    int f = open("/proc/xen/vfr", O_WRONLY);
    char s[256];
    /* inbound: anything addressed to guest_ip is delivered to dom's vif */
    sprintf(s, "ADD ACCEPT dstaddr=%s dstaddrmask= src=ANY dstdom=%d dstidx=%d proto=any\n", guest_ip, dom, 0);
    write(f, s, strlen(s));
    /* outbound: dom may send to the physical NIC only with guest_ip as source */
    sprintf(s, "ADD ACCEPT srcaddr=%s srcaddrmask= srcdom=%d srcidx=%d dst=PHYS proto=any\n", guest_ip, dom, 0);
    write(f, s, strlen(s));
    close(f);
}

would allow a domU to send and receive IP traffic through eth0,
including somehow magically getting ARP requests answered or routed to
the right place.

I have been trying various things to get the same effect in Xen 3.x, but
to be honest my iptables knowledge is a bit rusty, so all I have been
able to come up with is a routed setup, but that only seems to work when
all the peers have the host hardcoded into their routing tables.

Does anyone have the perfect setup (list of iptables commands I suppose)
for this, preferably without bridging at the Ethernet layer?
NAT/Masquerading is not an option, as I prefer not to have any state
kept in dom0.
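The following script is an added example and not part of the post or of Xen's own vif scripts. It shows the Xen 3.x, routed (non-bridged, non-NAT) equivalent of the two vfr rules above: dom0 holds a host route for the guest address via its vif, proxy ARP on the physical NIC makes dom0 answer ARP for the guest address so LAN peers need no static route, and two stateless FORWARD rules bind the guest to its address in both directions. It assumes the dom0 side of the interface is named vif<domid>.<vifidx>, that the physical NIC is eth0, and uses the constructed TEST-NET address 192.0.2.10; by default it only prints the commands (DRY_RUN=1), and must be run as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example: routed, stateless Xen 3.x setup for one domU.
# Assumptions: vif naming vif<domid>.<idx>, physical NIC eth0,
# constructed guest address 192.0.2.10. DRY_RUN=1 (default) prints only.
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vif_name DOMID VIFIDX -> dom0-side interface name, e.g. vif3.0
vif_name() {
    echo "vif$1.$2"
}

# init_forwarding PHYS_IF: one-time dom0 settings.
init_forwarding() {
    phys=$1
    # dom0 routes between the physical NIC and the vifs; no bridge.
    run sysctl -q -w net.ipv4.ip_forward=1
    # Answer ARP on the LAN for any address dom0 has a route to, i.e. the
    # guest addresses, so peers do not need a static route to dom0.
    run sysctl -q -w "net/ipv4/conf/$phys/proxy_arp=1"
    # Default deny: only the per-vif rules below open forwarding.
    run iptables -P FORWARD DROP
}

# setup_vif_routing DOMID VIFIDX GUEST_IP PHYS_IF: per-guest equivalent of
# the two vfr rules. Address matches only, no -m state, so dom0 keeps no
# connection-tracking state for the guest.
setup_vif_routing() {
    dom=$1; idx=$2; ip=$3; phys=$4
    vif=$(vif_name "$dom" "$idx")
    # Host route for the guest address via its vif.
    run ip route replace "$ip/32" dev "$vif"
    # Answer ARP inside the vif so the guest can use any gateway address.
    # The key uses '/' separators: vif3.0 contains a dot, and sysctl would
    # otherwise split the interface name on it.
    run sysctl -q -w "net/ipv4/conf/$vif/proxy_arp=1"
    # Inbound: only packets addressed to GUEST_IP are forwarded into the vif.
    run iptables -A FORWARD -i "$phys" -d "$ip" -o "$vif" -j ACCEPT
    # Outbound: the guest may reach the NIC only with GUEST_IP as source
    # (same anti-spoofing the old srcaddr=... rule gave).
    run iptables -A FORWARD -i "$vif" -s "$ip" -o "$phys" -j ACCEPT
}

# Example invocation with the constructed values.
init_forwarding "${PHYS_IF:-eth0}"
setup_vif_routing "${DOMID:-3}" "${VIFIDX:-0}" "${GUEST_IP:-192.0.2.10}" "${PHYS_IF:-eth0}"
```

Because the FORWARD rules match only addresses and interfaces, no conntrack entries are created for guest traffic, which is what makes this fit the "no state in dom0" constraint; the cost is that any protocol needing connection tracking (FTP helpers, stateful return-path filtering) is not available. Running setup_vif_routing again for a second guest with its own vif and address adds that guest without touching the first one's rules.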

