On Tue, Dec 29, 2009 at 7:24 PM, David Edmondson <[email protected]> wrote:
> On 23 Dec 2009, at 3:41pm, Matt wrote:
>> Could you please give me a little more info on what you mean by 'some
>> manual manipulation of the properties of the vnic used by a guest'? - in the
>> guest config, scripted in a vif script? Or maybe a small example?
>
> There's no integration into the xVM tools currently, so you can either
> modify the scripts yourself or do things outside the scripts.
>
> You should note that I haven't tried any of this...
>
> Before modifying the scripts, try enabling link protection manually.
> Something like:
> - boot the domain,
> - note the number of the domain (xm list) - let's assume that it's 237 in
> this example,
> - apply link protection to the link belonging to the guest:
>
> dladm set-linkprop \
> -p protection=mac-nospoof,restricted xvm237_0

Note that dladm will give out a misleading error in this case:

dladm: warning: invalid link property 'protection'

It's because xvm vnics are created as temporary vnics (created with -t), so 'set-linkprop' or 'reset-linkprop' should also apply "-t" here.

-Siwei

> The definition of 'mac-nospoof' and 'restricted' are documented in the ARC
> materials (
> http://arc.opensolaris.org/caselog/PSARC/2009/436/final.materials/link_protect.txt).
> From the guest, now try sending packets which would violate the policy and
> check whether they appear on the wire.
>
> Using 'ip-nospoof' is obviously a little more complicated, as you must
> specify the acceptable set of IP addresses.
>
> If this all works then I'd try updating the /usr/lib/xen/scripts/vif-vnic
> script to apply the relevant restrictions whenever a VNIC is created for a
> guest.
>
> _______________________________________________
> xen-discuss mailing list
> [email protected]
_______________________________________________ xen-discuss mailing list [email protected]
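A script-side version of the manual steps in the thread, as an added example that is not part of this thread and not the xVM project's own vif-vnic script: a small set of sh functions that apply link protection to a guest's VNIC using the temporary (-t) form Siwei points out, and optionally enable ip-nospoof by first setting the allowed-ips link property (a property from the same PSARC 2009/436 link protection feature; the thread itself does not name it). The VNIC naming xvm<domid>_<idx> is assumed from the xvm237_0 example, and the dladm path is held in an overridable DLADM variable so the functions can be dry-run with DLADM=echo on a host that has no dladm.

```shell
#!/bin/sh
# Added example: apply dladm link protection to an xVM guest's VNIC.
# Not the xVM vif-vnic script. Assumes the xvm<domid>_<idx> VNIC naming
# seen in the thread (xvm237_0 = domain 237, first vif).
#
# DLADM may be overridden (e.g. DLADM=echo) for a dry run on a host
# without dladm; it defaults to the usual OpenSolaris location.
: "${DLADM:=/usr/sbin/dladm}"

# vnic_name DOMID [IDX]  -> prints xvm<DOMID>_<IDX>, IDX defaulting to 0
vnic_name() {
    printf 'xvm%s_%s\n' "$1" "${2:-0}"
}

# protect_vnic VNIC [ALLOWED_IPS]
#   Without ALLOWED_IPS: protection=mac-nospoof,restricted (as in the thread).
#   With ALLOWED_IPS (comma-separated list): additionally ip-nospoof, with
#   allowed-ips set first so the ip-nospoof policy never takes effect before
#   the permitted address list is in place.
# xVM creates its VNICs with -t (temporary), so set-linkprop must also be
# given -t; without it dladm reports the misleading
# "invalid link property 'protection'" warning mentioned in the thread.
protect_vnic() {
    vnic=$1
    allowed=$2
    prot=mac-nospoof,restricted
    if [ -n "$allowed" ]; then
        "$DLADM" set-linkprop -t -p "allowed-ips=$allowed" "$vnic" || return 1
        prot="$prot,ip-nospoof"
    fi
    "$DLADM" set-linkprop -t -p "protection=$prot" "$vnic"
}

# protect_domain DOMID [IDX] [ALLOWED_IPS]: convenience wrapper keyed on
# the domain number reported by 'xm list'.
protect_domain() {
    protect_vnic "$(vnic_name "$1" "${2:-0}")" "$3"
}

# show_protection VNIC: print the current protection settings so the
# change can be verified before testing from inside the guest.
show_protection() {
    "$DLADM" show-linkprop -p protection,allowed-ips "$1"
}

# unprotect_vnic VNIC: undo, again with -t because the VNIC is temporary.
unprotect_vnic() {
    "$DLADM" reset-linkprop -t -p protection,allowed-ips "$1"
}

# When run directly: protect_domain DOMID [IDX] [ALLOWED_IPS]
if [ "$#" -gt 0 ]; then
    protect_domain "$@" && show_protection "$(vnic_name "$1" "${2:-0}")"
fi
```

Dropped into vif-vnic after the VNIC is created, protect_vnic "$vnic" would apply the MAC policy to every new guest link; adding the allowed-ips argument only makes sense where the guest's addresses are known to the host configuration, since a guest using an address outside that list loses connectivity rather than getting a warning. After applying it, send a frame from the guest with a forged source MAC and confirm, as the thread suggests, that it does not appear on the wire.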
