Back with UML you needed to use ebtables to filter traffic on each server's TAP interface so that one domain could not sniff another domain's traffic. This doesn't look to need to be done on Xen? What's the difference? Looks like the same setup, TAP interfaces connected to a bridge.

[root@devhost1 user]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:30:48:34:BA:0C
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:255.255.255.248
          inet6 addr: fe80::230:48ff:fe34:ba0c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3906400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4753927 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:412648167 (393.5 MiB)  TX bytes:3398279305 (3.1 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4032 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4032 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3442133 (3.2 MiB)  TX bytes:3442133 (3.2 MiB)

peth0     Link encap:Ethernet  HWaddr 00:30:48:34:BA:0C
          inet6 addr: fe80::230:48ff:fe34:ba0c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:123910527 errors:0 dropped:0 overruns:0 frame:0
          TX packets:153420761 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3628514209 (3.3 GiB)  TX bytes:1567808703 (1.4 GiB)
          Base address:0x2000 Memory:da000000-da020000

user1.0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:105854 errors:0 dropped:0 overruns:0 frame:0
          TX packets:164869 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:8660760 (8.2 MiB)  TX bytes:219635253 (209.4 MiB)

user2.0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:116666 errors:0 dropped:0 overruns:0 frame:0
          TX packets:196268 errors:0 dropped:8 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:7537771 (7.1 MiB)  TX bytes:273547868 (260.8 MiB)

xenbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:468 (468.0 b)

[root@devhost1 user]# brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.00304834ba0c       no              user2.0
                                                        user1.0
                                                        peth0
xenbr0          8000.000000000000       no

~Shaun

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
> Back with UML you needed to use ebtables to filter traffic on each
> server's TAP interface so that one domain could not sniff another domain's
> traffic. This doesn't look to need to be done on Xen? What's the difference?
> Looks like the same setup, TAP interfaces connected to a bridge.

A bridge acts like a switch, so unless someone is doing ARP spoofing or something, a DomU should only get packets with their own MAC address as the destination (and Multicast and Broadcast packets of course). You could add ebtables rules to make sure it can't happen at all, but as a general rule it shouldn't be necessary.

James
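The ebtables rules James mentions, as an added example that is not part of the thread: a POSIX sh script that generates (and optionally applies) per-vif rules pinning each DomU to its assigned MAC and IP on the ingress side, and limiting what each vif is allowed to receive on the egress side, so neither source-MAC spoofing nor ARP spoofing from one domain can redirect another domain's unicast traffic. The vif names user1.0 and user2.0 are taken from Shaun's ifconfig output; the MAC and IP addresses in the inventory are constructed placeholders. The rules match on vif names only, so they work whether the bridge is called xenbr0 or, as the brctl output above shows, eth0 with peth0 as the physical port.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: generate ebtables rules
# that pin each Xen vif to its assigned MAC (and IP) so a DomU cannot spoof
# source MACs or ARP on the shared bridge, and only receives frames addressed
# to it (or to multicast/broadcast). vif names follow the thread's ifconfig
# output (user1.0, user2.0); the MAC and IP values below are constructed.

# Constructed inventory: one "vif mac ip" line per domain.
VIFS='user1.0 00:16:3e:00:00:01 192.0.2.11
user2.0 00:16:3e:00:00:02 192.0.2.12'

# Ingress checks: frames entering the bridge from this vif must carry its
# assigned source MAC, and its ARP packets must claim that MAC and IP.
ingress_rules() {
    vif="$1"; mac="$2"; ip="$3"
    printf 'ebtables -A FORWARD -i %s -s ! %s -j DROP\n' "$vif" "$mac"
    printf 'ebtables -A FORWARD -i %s -p ARP --arp-mac-src ! %s -j DROP\n' "$vif" "$mac"
    printf 'ebtables -A FORWARD -i %s -p ARP --arp-ip-src ! %s -j DROP\n' "$vif" "$ip"
}

# Egress checks: a vif only receives unicast frames for its own MAC plus
# multicast/broadcast (ebtables' Multicast keyword covers both), so a flooded
# or mis-learned bridge table cannot leak another domain's unicast traffic.
egress_rules() {
    vif="$1"; mac="$2"
    printf 'ebtables -A FORWARD -o %s -d %s -j ACCEPT\n' "$vif" "$mac"
    printf 'ebtables -A FORWARD -o %s -d Multicast -j ACCEPT\n' "$vif"
    printf 'ebtables -A FORWARD -o %s -j DROP\n' "$vif"
}

# Emit the full rule set. All ingress rules come before any egress rule:
# an egress ACCEPT for user1.0 placed earlier would match a spoofed frame
# arriving from user2.0 before user2.0's own ingress DROPs were evaluated.
all_rules() {
    printf 'ebtables -F FORWARD\n'
    echo "$VIFS" | while read -r vif mac ip; do ingress_rules "$vif" "$mac" "$ip"; done
    echo "$VIFS" | while read -r vif mac ip; do egress_rules "$vif" "$mac"; done
}

# Count how many generated rules mention a given interface name.
rules_for() {
    all_rules | grep -c -- "$1"
}

# Usage: run with no arguments to print the rules, or with "apply" to execute
# them as root on Dom0 (requires the ebtables tool and a bridging kernel).
case "${1:-print}" in
    apply) all_rules | sh ;;
    *)     all_rules ;;
esac
```

Only bridged frames traverse the ebtables FORWARD chain; traffic that Dom0 itself originates towards a vif goes through OUTPUT instead, so these rules constrain the domains, not the host. Keeping the inventory in sync with each domain's configured MAC is the operational cost: a vif whose MAC changes silently loses connectivity rather than gaining the ability to spoof.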