Here's my version of vif-route, which filters packets to/from domU.
This is my first time submitting a patch. Am I supposed to add
'[PATCH]' to the subject line? Or is there a web-based patch
submission that I don't know about?
diff -r 8d655336fd69 -r 2ce5a2fb29d8 tools/examples/vif-route
--- a/tools/examples/vif-route Tue Aug 23 21:15:18 2005
+++ b/tools/examples/vif-route Tue Aug 23 21:25:45 2005
@@ -19,12 +19,36 @@
# vif vif interface name (required).
# mac vif MAC address (required).
# ip list of IP networks for the vif, space-separated (optional).
+#
+# Additional Notes:
+#
+# This script requires the following Dom0 kernel options:
+#
+# CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_BRIDGE_NETFILTER=y
+# CONFIG_IP_NF_IPTABLES=y
+# CONFIG_IP_NF_MATCH_IPRANGE=y
+# CONFIG_IP_NF_MATCH_PHYSDEV=y
+# CONFIG_IP_NF_FILTER=y
+#
+# DomU configuration file must declare domain''s IP addresses via
vif.
+#
+# Examples:
+# vif = [ ''ip=192.168.0.16, vif=vif1.0'' ]
+# vif = [ ''ip=192.168.0.16 192.168.0.17'' ] # multiple
IP''s
+# vif = [ ''ip=192.168.0.16/31'' ] # multiple IP''s
using netmask
+#
#===========================================================================
# Exit if anything goes wrong
set -e
echo "vif-route $*"
+
+# Network device connected to the Internet
+wan_dev=''eth0''
+echo 1 >/proc/sys/net/ipv4/conf/${wan_dev}/proxy_arp
# Operation name.
OP=$1
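Review bot: The new `echo 1 >/proc/sys/net/ipv4/conf/${wan_dev}/proxy_arp` on the line after `wan_dev='eth0'` runs on every invocation, including `down`, and with `set -e` in force an absent path (the uplink is not eth0 on this host) aborts the script before `OP` is even read. Making the device overridable, `wan_dev=${wan_dev:-eth0}`, and only touching proxy_arp in the `up` arm (which lives in the next hunk) would keep `down` from failing on such a host. The header's kernel list also names `CONFIG_IP_NF_MATCH_IPRANGE=y`, but the rules in this patch only use the physdev match, so that entry looks unneeded unless something outside the visible hunks relies on it.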
@@ -41,12 +65,12 @@
# Optional parameters. Set defaults.
ip=${ip:-''''} # default to null (do nothing)
-main_ip=`ifconfig eth0 | grep "inet addr:" | sed -e
''s/.*inet addr:\(\w\w*\.\w\w*\.\w\w*\.\w\w*\).*/\1/''`
+main_ip=`ifconfig ${wan_dev} | grep "inet addr:" | sed -e
''s/.*inet addr:\(\w\w*\.\w\w*\.\w\w*\.\w\w*\).*/\1/''`
# Are we going up or down?
case $OP in
up)
- ifconfig ${vif} 169.254.1.0 netmask 255.255.255.255 up
+ ifconfig ${vif} 10.255.255.1 netmask 255.255.255.255 up
echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
iptcmd=''-A''
ipcmd=''a''
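Review bot: `main_ip` is taken from the `ifconfig ${wan_dev} | grep | sed` pipeline without any check; when the device has no `inet addr:` line the pipeline's status is sed's (success), so `set -e` does not fire and `main_ip` is silently empty, which then reaches the `ip r ... src ${main_ip}` call in the next hunk as a missing argument. Add `[ -n "${main_ip}" ] || { echo "vif-route: no IPv4 address on ${wan_dev}" >&2; exit 1; }` directly after the assignment. The backticks would also read more clearly as `main_ip=$(ifconfig ...)`. The `case $OP in` block continues past the end of this hunk.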
@@ -63,14 +87,16 @@
;;
esac
-if [ ${ip} ] ; then
+# Packet filtering
+vif_in="-m physdev --physdev-in ${vif}"
+if [ "${ip}" ] ; then
- # If we''ve been given a list of IP networks, allow pkts with these
src addrs.
- for addr in ${ip} ; do
- ip r ${ipcmd} ${addr} dev ${vif} src ${main_ip}
-# iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -s ${addr} -j
ACCEPT
- done
+ # Forward only packets with source IP''s matching domain''s
IP''s
+ for addr in `echo ${ip}` ; do
+ ( ip r ${ipcmd} ${addr} dev ${vif} src ${main_ip} &>/dev/null )
+ iptables ${iptcmd} FORWARD ${vif_in} -s ${addr} -j ACCEPT
+ done
- # Always allow us to talk to a DHCP server anyhow.
-# iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -p udp --sport
68 --dport 67 -j ACCEPT
+ # Drop other packets
+ iptables ${iptcmd} FORWARD ${vif_in} -j DROP
fi
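Review bot: When `ip` is empty the whole `if [ "${ip}" ]` body is skipped, including the final `iptables ${iptcmd} FORWARD ${vif_in} -j DROP`, so a vif whose config declares no addresses is forwarded with no filtering at all, the opposite of the header's statement that the domain's IPs must be declared; moving that one DROP line after the `fi` makes the default deny instead of allow. The `( ip r ... &>/dev/null )` wrapper hides ip's messages but not its exit status, so under `set -e` a failing route add/del still aborts the script, now with the error text gone; if tolerating an already-present route is the intent, `|| true` is what achieves that. The `echo` in the `for addr in` word list is redundant, `for addr in ${ip}` expands identically. Note too that every rule is keyed on `--physdev-in ${vif}` only, so this filters traffic leaving the domU, not traffic towards it, which the cover note's "to/from" may overstate.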