Hi, in /etc/xen/scripts/vif-bridge there is this snippet of code:

    if [ ${ip} ] ; then
        # If we've been given a list of IP networks, allow pkts with these src addrs.
        for addr in ${ip} ; do
            iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s ${addr} -j ACCEPT
        done
    fi

The ip list is a command line argument. My question: where in the domain config file can I specify the IPs that will be sent to vif-bridge? I tried:

    ip="1.1.1.1/32 1.1.1.2/32"

and other variations, but I just get "illegal kernel boot option".

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel
> in /etc/xen/scripts/vif-bridge there is this snippet of code:
>
> if [ ${ip} ] ; then
>
> # If we've been given a list of IP networks, allow pkts with these
> src addrs.
> for addr in ${ip} ; do
> iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s
> ${addr} -j ACCEPT
> done
>
>
> The ip list is a command line argument. My question: where in the domain
> config file can I specify the IPs that will be sent to vif-bridge? I
> tried:
>
> ip="1.1.1.1/32 1.1.1.2/32" and other variations but I just get "illegal
> kernel boot option".

As I recall, it's looking for a comma separated list of IP addrs:

    ip="1.2.3.4,2.3.4.5"

I don't think the 'antispoof' stuff in vif-bridge is widely used as most people that want to do firewalling roll their own. I'd be interested to hear how it works for you. In particular, you might need to make the rules more lenient to allow some DHCP servers to work.

Ian
On Mon, 2004-11-22 at 08:30 +0000, Ian Pratt wrote:
> As I recall, it's looking for a comma separated list of IP addrs
> ip="1.2.3.4,2.3.4.5"

Ok, that works for the config file, in that it boots... it doesn't pass any IPs to vif-bridge though. I added this to /etc/xen/scripts/vif-bridge:

    echo ${ip} >/root/ip.log

And the log is empty. My question is HOW do I get the IP list passed to vif-bridge?

> I don't think the 'antispoof' stuff in vif-bridge is widely used
> as most people that want to do firewalling roll their own.

I'm not trying to use antispoof, I just want to put my own rules in vif-bridge for each domain... the rules work fine, it's just getting them to add/remove on boot of the domain via vif-bridge.
On November 22, 9:30 am Ian Pratt <Ian.Pratt@cl.cam.ac.uk> wrote:
> > in /etc/xen/scripts/vif-bridge there is this snippet of code:
> >
> > if [ ${ip} ] ; then
> >
> > # If we've been given a list of IP networks, allow pkts with these
> > src addrs.
> > for addr in ${ip} ; do
> > iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s
> > ${addr} -j ACCEPT

Here vif will be something like vif34.0; how is it viewed by the bridging code? (As a standard ethxx interface?) Because I'm wondering if this rule will be matched by netfilter.

> > done
> >
> >
> > The ip list is a command line argument. My question: where in the
> > domain config file can I specify the IPs that will be sent to
> > vif-bridge? I tried:
> >
> > ip="1.1.1.1/32 1.1.1.2/32" and other variations but I just get "illegal
> > kernel boot option".
>
> As I recall, it's looking for a comma separated list of IP addrs
> ip="1.2.3.4,2.3.4.5"
>
> I don't think the 'antispoof' stuff in vif-bridge is widely used
> as most people that want to do firewalling roll their own.

I use antispoof but I've been obliged to modify the rule this way:

    iptables ${iptcmd} FORWARD -m physdev --physdev-out ${interface} -j ACCEPT

in order to allow a xenU domain to talk with another computer on my network. In order to allow two xenU domains on the same machine to talk I'm also obliged to add these two more rules:

    iptables ${iptcmd} FORWARD -i ${vif} -j ACCEPT
    iptables ${iptcmd} FORWARD -o ${vif} -j ACCEPT

I'm obliged to add this because I don't specify an IP address in the xenU configuration file, so it skips the piece of code you put above. You may ask why I don't specify the IP in the xenU domain file. There are, in my point of view, two cases:

* XenU has a DHCP address, and so if the interface gets its address from DHCP, specifying it is useless...
* XenU has a fixed address; well, for the moment I prefer to specify the address also in the interfaces file (in Debian), so specifying it in this file + xenU is redundant and may introduce errors when I change the address.

> I'd be interested to hear how it works for you. In particular,
> you might need to make the rules more lenient to allow some DHCP
> servers to work.
>
> Ian
> On November 22, 9:30 am Ian Pratt <Ian.Pratt@cl.cam.ac.uk> wrote:
> > > in /etc/xen/scripts/vif-bridge there is this snippet of code:
> > >
> > > if [ ${ip} ] ; then
> > >
> > > # If we've been given a list of IP networks, allow pkts with these
> > > src addrs.
> > > for addr in ${ip} ; do
> > > iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s
> > > ${addr} -j ACCEPT
> here vif will be something like vif34.0; how is it viewed by the bridging
> code? (As a standard ethxx interface?)

Yep, 'vif4.0' appears as a normal ethernet interface as far as the linux bridge code is concerned. You can think of the vif as being connected by a crossover cable to the eth0 in the guest.

> I use antispoof but I've been obliged to modify the rule this way:
> iptables ${iptcmd} FORWARD -m physdev --physdev-out ${interface} -j ACCEPT
> in order to allow a xenU domain to talk with another computer on my
> network.

Does that make any sense? You're not actually forcing packets from the vif to have a particular src IP addr, which was the intention of the antispoof rule. You might as well run with antispoof off.

> In order to allow two xenU domains on the same machine to talk I'm also
> obliged to add these two more rules:
>
> iptables ${iptcmd} FORWARD -i ${vif} -j ACCEPT
> iptables ${iptcmd} FORWARD -o ${vif} -j ACCEPT
> I'm obliged to add this because I don't specify an IP address in the xenU
> configuration file, so it skips the piece of code you put above.
>
> You may ask why I don't specify the IP in the xenU domain file.
> There are, in my point of view, two cases:
> * XenU has a DHCP address, and so if the interface gets its address from DHCP,
> specifying it is useless...

Antispoof only makes sense if you know what IP addr the guest should be using. If you're using a DHCP server handing out static addresses that's not a problem. If they're truly dynamic then you're going to have to either parse the logs of the DHCP server or snoop and process the DHCP reply. Grim.

> * XenU has a fixed address; well, for the moment I prefer to specify the
> address also in the interfaces file (in Debian), so specifying it in this file +
> xenU is redundant and may introduce errors when I change the address.

Sure, but that's kind of the whole point of antispoof ;-)

Ian
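As an added example (not the Xen vif-bridge script and not code from anyone in this thread), here is a POSIX sh fragment that takes the comma-separated `ip=` list Ian describes, validates each entry, and emits one per-vif `--physdev-in ... -s ... -j ACCEPT` rule of the form in the quoted snippet, which is the shape that actually pins a vif to its source addresses (a `--physdev-out`-only rule does not). The function names `vif_antispoof_rules` and `valid_ipv4_cidr` and the `IPTCMD` variable are assumptions; the commands are printed rather than executed so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example, not the Xen vif-bridge script. Builds per-vif antispoof
# ACCEPT rules from a comma-separated list such as ip="1.2.3.4,2.3.4.5".
# Note that 'for addr in ${ip}' on that string yields ONE token, so the
# list must be split on commas first.

IPTCMD="${IPTCMD:--A}"   # vif-bridge uses -A on "up" and -D on "down" (assumed)

# Accept a dotted-quad IPv4 address with an optional /prefix; reject anything else.
valid_ipv4_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|*..*|.*|*.|/*|*/) return 1 ;;
    esac
    cand=${1%%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32          # no prefix given: treat as a host route
    [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $cand; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print one ACCEPT rule per address. $1 = vif (e.g. vif4.0), $2 = comma list.
# Returns 1 if any entry is malformed, so a typo in the config is noticed
# instead of silently leaving the vif without its intended rule.
vif_antispoof_rules() {
    vif=$1
    list=$(printf '%s' "$2" | tr ',' ' ')
    rc=0
    for addr in $list; do
        if valid_ipv4_cidr "$addr"; then
            echo "iptables $IPTCMD FORWARD -m physdev --physdev-in $vif -s $addr -j ACCEPT"
        else
            echo "vif-bridge: ignoring malformed address '$addr' for $vif" >&2
            rc=1
        fi
    done
    return $rc
}
```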