Re: [Xen-devel] Communication between Domain0 and Domain1
> > On Jul 18, 2004, at 3:09 PM, Ian Pratt wrote:
> > > I haven't had any problems with bridging, but I agree that the L3
> > > routing solution may be better under some circumstances.
>
> I haven't had great luck with bridging in linux period, not just with
> Xen. Fortunately I've rarely needed it.
>
> In any case, the reason I'm personally using VMs is to strictly control
> what is allowed in and out of each particular VM and to be able to
> control through firewalling anyway, and doing some VM-based solution is
> a heck of a lot cheaper than buying a dozen physical pieces of hardware

With the bridge-nf patch that we build into dom0 by default it's possible
to do all the normal iptables firewalling with a bridge setup.

> > It would be good to have a 'vif-router' script to use as an
> > alternative to 'vif-bridge' for users wanting to operate a routed
> > configuration. If you've got something suitable we could check in
> > to the repo that would be great. I guess a modified 'network'
> > script would be required too.
>
> If I can get the VMs stabilized, I'll work on that next since right now
> I've just got everything in a script I wrote that "brute-force" ups a
> bunch of aliases and adds a bunch of NAT rules that I'm running
> manually.
>
> I haven't looked real close at the bridge config/script so I don't know
> if it handles downing a VM gracefully; iptables isn't very good at
> dynamically removing rules. You have to know what order they went in
> to be able to remove it in the order it was created. i.e. you can
> create a rule by saying "from source IP such and destination IP such,
> do thusly" but you can't remove it with the same terminology, you have
> to say "remove rule number twelve." So bringing up a VIP and assigning
> an eth0 alias and creating a NAT rule is pretty easy, but there's no
> graceful way to handle removing the NAT rule if you want to down the
> VM/VIP.

Yep, iptables isn't so smart.

I wonder if it's possible to do something by having rules for a particular
domain on a single chain, and then just delete the whole chain when a VM
dies?

Ian
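Ian's one-chain-per-domain idea, worked through as an added example. This is not code from the thread and not Xen's own vif-bridge or network script; it is a sketch of what a 'vif-router' helper could look like. Assumptions: the chain is named vif<domid> (a naming convention chosen here), the domain's address is passed in by the caller, and IPT can be set to echo to preview the commands instead of applying them (the real scripts would run as root with iptables). Every rule for a domain lives in its own chain in the filter and nat tables, hooked into FORWARD and POSTROUTING by a single jump, so bringing a domain down is "delete the jump, flush, delete the chain" and no rule numbers have to be remembered.

```shell
#!/bin/sh
# Per-domain iptables chains for a routed Xen setup (added example, not the
# Xen project's vif scripts). All rules for one domain live in chain
# vif<domid> in both the filter and nat tables.
# Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"

# Chain name for a domain id (hypothetical naming convention: vif<domid>).
dom_chain() { printf 'vif%s\n' "$1"; }

# vif_router_up DOMID DOMIP
#   Create the per-domain chains, fill them with forwarding and NAT rules
#   for DOMIP, and hook each into the built-in chain with one jump.
vif_router_up() {
  domid=$1; domip=$2; chain=$(dom_chain "$domid")
  # filter table: what the domain may send and receive when forwarded
  $IPT -t filter -N "$chain"
  $IPT -t filter -A "$chain" -s "$domip" -j ACCEPT
  $IPT -t filter -A "$chain" -d "$domip" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -t filter -A "$chain" -d "$domip" -j DROP
  $IPT -t filter -I FORWARD -j "$chain"
  # nat table: source NAT for the domain's outbound traffic
  $IPT -t nat -N "$chain"
  $IPT -t nat -A "$chain" -s "$domip" -j MASQUERADE
  $IPT -t nat -I POSTROUTING -j "$chain"
}

# vif_router_down DOMID
#   Remove the jumps by specification, then flush and delete the chains.
#   Nothing here depends on the position of any rule.
vif_router_down() {
  domid=$1; chain=$(dom_chain "$domid")
  $IPT -t filter -D FORWARD -j "$chain"
  $IPT -t filter -F "$chain"
  $IPT -t filter -X "$chain"
  $IPT -t nat -D POSTROUTING -j "$chain"
  $IPT -t nat -F "$chain"
  $IPT -t nat -X "$chain"
}

# Dispatch when run as a script: vif-router up DOMID DOMIP | down DOMID
case "${1:-}" in
  up)   vif_router_up "$2" "$3" ;;
  down) vif_router_down "$2" ;;
esac
```

Because each chain only matches its own domain's address, packets for other domains fall through and return to FORWARD, so the order in which per-domain chains were inserted does not matter. Previewing with `IPT=echo sh vif-router up 5 10.0.0.5` (a constructed domain id and address) prints the twelve commands without touching the kernel.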