Re: [Xen-devel] RFC: virtual network access control
Reiner Sailer wrote:
> We are interested in controlling access based on the security labels of
> sender and receiver domains, not based on IP or other traditional
> firewall packet attributes.
>
> We see other problems as well: IPtables seems to not see any of the
> ethernet-bridged packets. If you wanted to use IPtables then you
> would need to replace the ethernet bridge with routing each packet.

You want CONFIG_BRIDGE_NETFILTER=y; this makes iptables see bridged packets.

Additionally you need CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y, which allows matching on the physical device name for bridged packets. That way you can filter by domain (because each domain has its own virtual bridge port) instead of by IP/MAC address.

cheers,
  Gerd

--
Gerd Hoffmann <kraxel@xxxxxxx>
http://www.suse.de/~kraxel/julika-dora.jpeg
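The per-port filtering Gerd describes, written out as an added example (not code from the thread or from Xen): a small POSIX sh helper that emits a default-deny FORWARD policy on the bridge with explicit allow rules keyed on the physdev match. It assumes Xen-style vif names such as vif1.0 (domain 1, interface 0) and that the bridge-nf sysctl and the physdev match are present on the host; the domain pairs are constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the original mail. Domain-to-domain filtering
# on a Xen bridge: because each domain owns one bridge port (its vif), a
# physdev match on that port name stands in for IP/MAC-based addressing.

# Build one FORWARD rule allowing frames that enter the bridge from the
# source domain's vif and leave through the destination domain's vif.
# Only prints the command; nothing is applied.
allow_pair() {
    # $1 = source vif (assumed name, e.g. vif1.0), $2 = destination vif
    printf 'iptables -A FORWARD -m physdev --physdev-in %s --physdev-out %s -j ACCEPT\n' "$1" "$2"
}

# Emit a complete policy: drop everything between bridge ports by default,
# then one ACCEPT per "src dst" pair read from stdin (blank lines skipped).
emit_policy() {
    echo 'iptables -P FORWARD DROP'
    while read -r src dst; do
        [ -n "$src" ] && [ -n "$dst" ] || continue
        allow_pair "$src" "$dst"
    done
}

# Check the two prerequisites Gerd names at runtime: bridged frames must be
# handed to iptables (CONFIG_BRIDGE_NETFILTER, exposed as a sysctl) and the
# physdev match (CONFIG_NETFILTER_XT_MATCH_PHYSDEV) must load. Returns 0 if both hold.
check_prereqs() {
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = 1 ] || return 1
    iptables -m physdev --help >/dev/null 2>&1 || return 1
}

# Stand-alone demo: print (do not apply) rules letting domain 1 and domain 2
# talk to each other and nothing else. Pipe the output into sh only after
# check_prereqs succeeds on the real host.
printf 'vif1.0 vif2.0\nvif2.0 vif1.0\n' | emit_policy
```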