On 23 Dec 2009, at 3:41pm, Matt wrote:
> Could you please give me a little more info on what you mean by 'some manual
> manipulation of the properties of the vnic used by a guest'? - in the guest
> config, scripted in a vif script? Or maybe a small example?
There's no integration into the xVM tools currently, so you can either modify
the scripts yourself or do things outside the scripts.
You should note that I haven't tried any of this...
Before modifying the scripts, try enabling link protection manually. Something
like:
- boot the domain,
- note the number of the domain (xm list) - let's assume that it's 237 in this
example,
- apply link protection to the link belonging to the guest:
dladm set-linkprop \
-p protection=mac-nospoof,restricted xvm237_0
The definitions of 'mac-nospoof' and 'restricted' are documented in the ARC
materials
(http://arc.opensolaris.org/caselog/PSARC/2009/436/final.materials/link_protect.txt).
From the guest, now try sending packets which would violate the policy and
check whether they appear on the wire.
Using 'ip-nospoof' is obviously a little more complicated, as you must specify
the acceptable set of IP addresses.
If this all works then I'd try updating the /usr/lib/xen/scripts/vif-vnic
script to apply the relevant restrictions whenever a VNIC is created for a
guest.
_______________________________________________
xen-discuss mailing list
[email protected]
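As an added example (not part of the original message or of the xVM scripts), a small POSIX shell script that automates the manual steps above: it looks up the domain ID in 'xm list' output, names the VNIC by the xvm<id>_0 convention from the message, and emits or runs the dladm commands. The function names, the DRY_RUN switch and the use of the 'allowed-ips' property for the ip-nospoof case are this example's own assumptions.

```shell
#!/bin/sh
# Added example: apply dladm link protection to the VNIC of a running xVM guest.
# Assumes the VNIC for domain N is named "xvmN_0" (as in the message); helper
# names below are this example's own, not xVM or dladm interfaces.

# Print the numeric ID of guest "$1" from "xm list" output read on stdin
# (header line skipped). Prints nothing if the domain is not running.
domid_from_xm_list() {
    awk -v name="$1" 'NR > 1 && $1 == name { print $2; exit }'
}

# Print the dladm commands that protect the VNIC of domain ID "$1".
# With no second argument only MAC spoofing is blocked (mac-nospoof,restricted);
# with a comma-separated IP list in "$2", ip-nospoof is added and the guest is
# limited to those source addresses through the allowed-ips property (assumed).
protection_commands() {
    vnic="xvm$1_0"
    if [ -n "$2" ]; then
        printf 'dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof %s\n' "$vnic"
        printf 'dladm set-linkprop -p allowed-ips=%s %s\n' "$2" "$vnic"
    else
        printf 'dladm set-linkprop -p protection=mac-nospoof,restricted %s\n' "$vnic"
    fi
}

# Look the guest up, then run the commands (or only print them when DRY_RUN=1).
protect_guest() {
    id=$(xm list | domid_from_xm_list "$1")
    if [ -z "$id" ]; then
        echo "domain $1 is not running" >&2
        return 1
    fi
    protection_commands "$id" "$2" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

# Constructed sample of "xm list" output, used for the demonstration below.
SAMPLE_XM_LIST='Name                 ID   Mem VCPUs State   Time(s)
Domain-0              0  1024     2 r-----  1234.5
guest1              237   512     1 -b----    12.3'

# Demonstration without touching dladm: "sh script.sh --demo"
if [ "${1:-}" = "--demo" ]; then
    id=$(printf '%s\n' "$SAMPLE_XM_LIST" | domid_from_xm_list guest1)
    protection_commands "$id" 10.0.0.5
fi
```

On a real host, "protect_guest guest1" (optionally with an IP list as the second argument) runs the commands after the guest has booted, which matches the manual sequence in the message.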