[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Xen-devel] RFC: virtual network access control
Looking at options for a solution for the current version of Xen, we
propose netback as the place to enforce the policy. XM tools are not
in the network path and do not resolve this problem. Therefore, this
problem is different from the general resource access control problem
We also thought of extending packet filtering on MAC or IP level but
it these options add new software package dependencies, e.g., ebtables
or iptables. In addition, re-using existing iptables filters would
require switching off the bridge and managing point-to-point rules for
a potentially large number of user domains.
We appreciate feedback on the netback approach and we are open to
other suggestions that solve this problem.
Sounds like you want to implement a primitive firewall in netback
simply to avoid a dependency on the existing mechanisms that Linux has.
That doesn't sound a good tradeoff to me, and I think it's unlikely to
fly with the kernel maintainers.
The only problem I can see with relying on iptables (other than
requiring it to be installed) is that it becomes harder to configure if
netback is in a driver domain. Possibly we need to come up with some
xenstore<->iptables interface (e.g., run an interfacing daemon in the
same domain as netback).
Xen-devel mailing list