Re: [Xen-devel] vif-bridge question
On November 22, 9:30 am Ian Pratt <Ian.Pratt@xxxxxxxxxxxx> wrote:

> > > in /etc/xen/scripts/vif-bridge there is this snippet of code:
> >
> > if [ ${ip} ] ; then
> >
> >     # If we've been given a list of IP networks, allow pkts with these
> >     # src addrs.
> >     for addr in ${ip} ; do
> >         iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s ${addr} -j ACCEPT

here vif will be something like vif34.0; how is it viewed by the bridging
code? (as a standard ethxx interface?) Because I'm wondering if this rule
will be matched by netfilter.

> >     done
> >
> >
> > The ip list is a command line argument. My question is: where in the
> > domain config file can I specify the IPs that will be sent to
> > vif-bridge? I tried:
> >
> > ip="1.1.1.1/32 1.1.1.2/32" and other variations but I just get illegal
> > kernel boot option.
>
> As I recall, it's looking for a comma separated list of IP addrs
> ip="1.2.3.4,2.3.4.5"
>
> I don't think the 'antispoof' stuff in vif-bridge is widely used
> as most people that want to do firewalling roll their own.
>

I use antispoof but I've been obliged to modify the rule this way:

iptables ${iptcmd} FORWARD -m physdev --physdev-out ${interface} -j ACCEPT

in order to allow a xenU domain to talk with another computer on my
network.

In order to allow two xenU domains on the same machine to talk I'm also
obliged to add those two more rules:

iptables ${iptcmd} FORWARD -i ${vif} -j ACCEPT
iptables ${iptcmd} FORWARD -o ${vif} -j ACCEPT

I'm obliged to add this because I don't specify an IP address in the xenU
configuration file, so it skips the piece of code you put above.

You may ask why I don't specify the IP in the xenU domain file. There are,
in my point of view, two cases:

* XenU has a DHCP address, and so if the interface gets its address from
  DHCP, specifying it is useless ...
* XenU has a fixed address; well, for the moment I prefer to specify the
  address also in the interfaces file (in Debian), so specifying it in
  this file + xenU is redundant and may introduce errors when I change
  the address.

> I'd be interested to hear how it works for you. In particular,
> you might need to make the rules more lenient to allow some DHCP
> servers to work.
>
> Ian

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel
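An added example, not the vif-bridge script quoted in the thread: a POSIX sh function that renders the antispoof FORWARD rules for one vif from the comma-separated ip list Ian describes, printing the iptables commands instead of running them, and rejecting the space-separated form from the original question before any rule is emitted. The function names and the optional -A/-D third parameter are my own assumptions.

```shell
#!/bin/sh
# antispoof_rules VIF IPLIST [IPTCMD]
#   VIF     backend interface of the domU, e.g. vif34.0
#   IPLIST  comma-separated addresses, e.g. "1.2.3.4,2.3.4.5" (optional /prefix)
#   IPTCMD  iptables action, -A (default) or -D; hypothetical parameter
# Prints one ACCEPT rule per address to stdout. Returns 1 and prints nothing
# to stdout when the list is space-separated (the "1.1.1.1/32 1.1.1.2/32" form
# from the question) or contains a non-address token.
antispoof_rules() {
    vif=$1
    iplist=$2
    iptcmd=${3:--A}
    case $iplist in
        *' '*|'') echo "ip list must be comma-separated, no spaces: '$iplist'" >&2; return 1 ;;
    esac
    # Split on commas the way the config expects.
    addrs=$(printf '%s' "$iplist" | tr ',' ' ')
    # Validate every address before emitting anything, so a bad config never
    # leaves a half-installed rule set behind.
    for addr in $addrs; do
        case $addr in
            *[!0-9./]*) echo "bad address in ip list: '$addr'" >&2; return 1 ;;
        esac
    done
    for addr in $addrs; do
        printf 'iptables %s FORWARD -m physdev --physdev-in %s -s %s -j ACCEPT\n' \
            "$iptcmd" "$vif" "$addr"
    done
}

# Number of rules rendered, so a caller can confirm each address got one.
antispoof_rule_count() {
    antispoof_rules "$@" | wc -l | tr -d ' '
}

# Sample invocation with constructed values (prints the two rules).
antispoof_rules vif34.0 "1.2.3.4,2.3.4.5"
```

Pipe the output to sh on dom0 to apply it, or pass -D as the third argument to render the matching removal commands.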