xense-devel

[Xense-devel] Re: cannot filter on vif* interfaces using iptables?

To: Sanjam Garg <sanjamg@xxxxxxxxx>
Subject: [Xense-devel] Re: cannot filter on vif* interfaces using iptables?
From: Reiner Sailer <sailer@xxxxxxxxxx>
Date: Tue, 21 Nov 2006 09:39:04 -0500
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20061121065531.61399.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>

Sanjam Garg <sanjamg@xxxxxxxxx> wrote on 11/21/2006 01:55:31 AM:

> Hi

Good morning,


> I read the post on not being able to use vif* for iptables.


Which one?

> Actually
> I am writing a kernel module to filter packets coming from
> domU through these vif interfaces. But the module does not seem to
> filter the packets.
> I am using xen3.0.3 and kernel 2.6.19.29 and bridged network settings.


I assume
a) you are using 2.6.16.29 :-)
b) you run iptables in domain0
c) you have networking setup in bridging mode in domain 0

> I have .config setting for my kernel as
> CONFIG_BRIDGE_NETFILTER=y
> and CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m

Did you change the Xen kernel default settings in any way?

> Any ideas?


I sent a dom0 networking scripts extension for domain 0 to this mailing list a while ago (http://lists.xensource.com/archives/html/xense-devel/2006-08/msg00003.html). It sets up iptables filters between vifs depending on the security labels of the domains to which the vifs belong. I did not run into any problems at that time when filtering bridged packets with the standard Linux kernel configuration in Xen.

Reiner
_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
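The configuration the thread turns on (CONFIG_BRIDGE_NETFILTER plus the physdev match) matters because of how bridged frames reach iptables in dom0: they never hit INPUT or OUTPUT, they traverse FORWARD, and by then `-i`/`-o` name the bridge rather than the vif, so a rule written as `-i vif1.0` matches nothing. The vif has to be selected with `-m physdev`. The script below is an added example, not code from the thread or from Reiner's networking-script extension; it generates (rather than applies) a FORWARD ruleset that permits traffic only between vifs carrying the same label. The bridge name `xenbr0`, the vif names, the `vif:label` policy format and the labels `red`/`blue` are all constructed for the example; in a real deployment the labels would come from the domains' security policy.

```shell
#!/bin/sh
# Added example (not from the original thread): generate iptables FORWARD rules
# that isolate Xen vif interfaces on a Linux bridge using the physdev match.
# Assumptions (hypothetical): dom0 bridge is xenbr0, vifs are named vifN.0, and
# the label assigned to each vif is given in a "vif:label" policy list.

# Constructed sample policy: one "vif:label" entry per line.
SAMPLE_POLICY='vif1.0:red
vif2.0:red
vif3.0:blue'

# True when bridged frames are handed to iptables at all; without this sysctl
# (or CONFIG_BRIDGE_NETFILTER) no FORWARD rule will ever see vif traffic.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the iptables commands for a policy; nothing is applied here. Pipe the
# output into sh as root on dom0 to install the rules.
vif_filter_rules() {
    policy="$1"
    bridge="${2:-xenbr0}"
    echo "iptables -N VIF_FILTER"
    echo "iptables -F VIF_FILTER"
    # Bridged frames pass FORWARD with -i and -o both set to the bridge; the
    # vif they came from / go to is only visible through the physdev match.
    echo "iptables -I FORWARD -i $bridge -o $bridge -j VIF_FILTER"
    echo "$policy" | while IFS=: read -r in_vif in_label; do
        if [ -z "$in_vif" ]; then continue; fi
        echo "$policy" | while IFS=: read -r out_vif out_label; do
            if [ -z "$out_vif" ] || [ "$in_vif" = "$out_vif" ]; then continue; fi
            if [ "$in_label" = "$out_label" ]; then
                action=ACCEPT
            else
                action=DROP
            fi
            echo "iptables -A VIF_FILTER -m physdev --physdev-in $in_vif --physdev-out $out_vif -j $action"
        done
    done
    # Default deny for any vif-to-vif pair the policy does not list; traffic to
    # and from the physical uplink is not matched by vif+ and stays allowed.
    echo "iptables -A VIF_FILTER -m physdev --physdev-in vif+ --physdev-out vif+ -j DROP"
}

# Stand-alone run: show the generated ruleset for the sample policy.
vif_filter_rules "$SAMPLE_POLICY"
```

Two caveats when applying this on dom0: `bridge_nf_enabled` must succeed first, otherwise the rules load but match nothing; and `--physdev-out` is only meaningful for bridged traffic in the FORWARD and POSTROUTING chains, so a rule of this shape cannot be moved into INPUT. The `vif+` wildcard in the final rule keeps dom0-to-uplink traffic (peth0 on the same bridge) outside the deny, which is usually what a label-based vif filter wants.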