[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Xen-devel] Iptables
> From the paper "Isolation of Shared Network Resouces in
> XenoServers", it seems that Xen support IPTABLES for each guest
> OS and dom0. Can someone tell me how to use it in Xen? That is,
> how to set those rules for each guest OS?
In the xeno-unstable tree, the guest OS's virtual 'back-end'
interfaces appear as devices in domain0 (e.g. vif1.0 is domain 1
The normal way to configure them is to use brctl (from the
bridge-utils package) to do L2 bridging onto the real network
If you want to do iptables filtering you'll need to installed the
The patch will apply to Linux 2.4.26 with fuzz factor 3 (-F3).
The only extra kernel config option you'll probably want to enable is
Alternatively, you might be able to do what you want just using
ebtables rather than iptables, in which case you should enable
You'll need a relatively recent version of iptables to support
the physdev option -- the default RH9 1.2.7a doesn't support it.
Once you're running you new domain 0 kernel you'll be able to
configure things in the normal way.
For example to restrict a domain to a specific IP address:
iptables -P FORWARD DROP
iptables -A FORWARD -m physdev --physdev-in vif1.0 -s 126.96.36.199 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out vif1.0 -d 188.8.131.52 -j ACCEPT
Over time, we'll be adding stuff to the management tools to make
configuring IP address restrictions etc easier.
Also, I'll add something to the toplevel Makefile to make
installing the ebtables-bridged-nf patch the default for domain 0
kernels, as I think many people will want it. The patch is
already in mainstream 2.6, so when we make the switch we'll be
able to drop it.
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
Xen-devel mailing list