Xen 		  
Home About Xen.org Xen Xen Summit Wiki Mailing List Bug Tracker Xen Downloads
 
   
 

xense-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] RFC: virtual network access control

from [Gerd Hoffmann] [Permanent Link][Original]
To: Reiner Sailer <sailer@xxxxxxxxxx>
Subject: Re: [Xen-devel] RFC: virtual network access control
From: Gerd Hoffmann <kraxel@xxxxxxx>
Date: Fri, 28 Jul 2006 17:13:07 +0200
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx, Bryan D Payne <bdpayne@xxxxxxxxxx>
Delivery-date: Fri, 28 Jul 2006 08:13:47 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <OF2D45C46C.D2F566C3-ON852571B9.004CF5F9-852571B9.004E8C1D@xxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <OF2D45C46C.D2F566C3-ON852571B9.004CF5F9-852571B9.004E8C1D@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.4 (X11/20060527) 
Reiner Sailer wrote:
> We are interested in controlling access based on the security labels of
> sender and receiver domains, not based on IP or other traditional
> firewall packet attributes.
> 
> We see other problems as well: IPtables seems to not see any of the
> ethernet-bridged packets. If you wanted to use IPtables then you
> would need to replace the ethernet bridge with routing each packet.

You want CONFIG_BRIDGE_NETFILTER=y, this makes iptabes see bridged packets.

Additionally you need CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y, that allows
matching on the physical device name for bridged packets.  That way you
can filter by domain (because each domain has its own virtual bridge
port) instead of ip/mac address.

cheers,

  Gerd

-- 
Gerd Hoffmann <kraxel@xxxxxxx>
http://www.suse.de/~kraxel/julika-dora.jpeg

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] RFC: virtual network access control, Keir Fraser
Next by Date:  Re: [Xen-devel] RFC: virtual network access control, Reiner Sailer
Previous by Thread:  Re: [Xen-devel] RFC: virtual network access control, Harry Butterworth
Next by Thread:  Re: [Xense-devel] Re: [Xen-devel] RFC: virtual network access control, Reiner Sailer
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , XenSource, Inc. All rights reserved. Note: the xen.org trademark policy
is changing. For information please email legalxen.org, Legal and Privacy