Re: [Xen-users] Xen with 'Routing' scripts
Ian Pratt wrote:

I think I might be able to achieve what I want with ebtables by brouting all outgoing traffic. So dom-0 is a router for outgoing traffic but a bridge for incoming traffic. I think I just have to enable ip_forwarding, but otherwise use the xen 'bridging' scripts.

I guess we want to restrict the dom-U to IP packets with IP/MAC pairs that match previous ARP results. Can ebtables in dom-0 filter this accurately?

Sure. If you don't know all the rules at domain creation time you'll probably need to cook up your own little daemon to add rules/

Well, ARP is broadcast and across all bridged networks. What if the dom-U did an ARP-bomb attack, for example. I don't know really. I guess you could rate limit ARP's with ebtables.

Also, there will be more ARP'ing with bridging, since all the dom-U's will ARP independently (can we short-circuit ARP responses in dom-0?).

Why would you want to? It's hardly high bandwidth.

Anyway, if we're brouting outbound traffic, then we can use --arpreply <bogus-address> to short-circuit outbound ARP requests. They're no use anyway, if we're brouting all outbound traffic.

Does this all sound plausible or maybe even sensible?

Thanks for your help

Roland

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
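Added example, not part of the original message or of the Xen scripts: a shell function that prints the ebtables rules pinning one guest vif to a single MAC/IP pair and rate-limiting its ARP, the dom-0 filtering discussed in the message above. The function name, chain name, vif name, addresses and ARP rate are assumptions; the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example: generate per-guest anti-spoofing rules for dom-0.
# Usage: domu_rules VIF MAC IP [ARP_RATE]
# Prints ebtables commands; nothing is applied to the running bridge.
domu_rules() {
    vif=$1 mac=$2 ip=$3 rate=${4:-5/second}

    # These values end up in commands run as root, so check their shape first.
    # (The IP check is a shape check only; it does not bound each octet.)
    echo "$vif" | grep -Eq '^[A-Za-z0-9.]+$' ||
        { echo "bad vif: $vif" >&2; return 1; }
    echo "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ||
        { echo "bad MAC: $mac" >&2; return 1; }
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "bad IP: $ip" >&2; return 1; }
    echo "$rate" | grep -Eq '^[0-9]+/(second|minute|hour|day)$' ||
        { echo "bad rate: $rate" >&2; return 1; }

    # One user-defined chain per guest (hypothetical naming scheme).
    chain="guest_$(echo "$vif" | tr '.' '_')"

    cat <<EOF
ebtables -N $chain
ebtables -A FORWARD -i $vif -j $chain
ebtables -A $chain -p IPv4 -s $mac --ip-src $ip -j ACCEPT
ebtables -A $chain -p ARP -s $mac --arp-mac-src $mac --arp-ip-src $ip --limit $rate --limit-burst 10 -j ACCEPT
ebtables -A $chain -j DROP
EOF
}

# Constructed sample values: a guest on vif1.0 with one assigned address.
domu_rules vif1.0 00:16:3e:aa:bb:cc 10.0.0.5
```

Frames from the vif that carry another source MAC or IP, and ARP beyond the rate limit, fall through to the final DROP rule.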