Steve's Blog

Network antispoof with Xen 4.x

I’ve recently set up a new Xen Dom0 for use by a lot of people - many of whom I may not know very well. This being the case, I want to make sure that people behave and don’t take more than they are allocated. The big thing that I needed to solve was people just taking IP addresses out of the /24 assigned to the server.

Xen 3.4.1 had a working solution; however, it seems to be completely broken in 4.x.

So, to solve this, I found that you can do some magic in iptables to give the same result.

1) Enable iptables on bridging interfaces in /etc/sysctl.conf:

net.bridge.bridge-nf-call-iptables = 1

Then reload the file using sysctl -p. (On the 2.6.32 Dom0 kernels this is part of the bridge module itself; on kernels from 3.18 onwards the sysctl only appears once br_netfilter is loaded, so modprobe br_netfilter first.)

2) Write the rules in /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [26:2197]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [444:63703]
# Dom0 itself: replies and ICMP in, everything else rejected
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
# Bridged traffic hits FORWARD thanks to bridge-nf-call-iptables.
# Anything destined for the /24 may go to the guests
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
# One rule per DomU: its IP is only accepted from its own MAC
-A FORWARD -s 192.168.1.10/32 -m mac --mac-source 11:22:33:44:55:66 -j ACCEPT
-A FORWARD -s 192.168.1.11/32 -m mac --mac-source 11:22:33:44:55:67 -j ACCEPT
# Anything else a guest sends is dropped
-A FORWARD -j DROP
COMMIT

3) When you set up the DomU config file in /etc/xen, alter your vif line to specify the MAC address:

vif             = [ 'mac=11:22:33:44:55:66,bridge=br0' ]

Now for the explanation. When a packet is sent TO the DomU, the destination rule (-d 192.168.1.0/24) matches and the packet flows to the DomU. When the DomU replies, the rule for its source IP only matches if the frame's source MAC is the one given in --mac-source; if the MAC doesn't match, no ACCEPT rule fires and the packet hits the final DROP.

The added benefit is that because we DROP everything else, if the DomU changes its IP or grabs an IP that isn't paired with a MAC, its packets just get dropped.

Sadly, a MAC-only match can't stop people from using other entries you put on the list (a guest that sets both the IP and the MAC of another entry passes) - however it does stop random resource grabs for IPs. Two more caveats worth knowing: as written, the -d 192.168.1.0/24 ACCEPT comes first, so a forged source address is only dropped when the packet leaves the /24 - a guest can still spoof towards its neighbours on the same bridge unless you put that rule below the per-MAC ones and drop unmatched sources from the subnet before it; and iptables never sees ARP, so these rules do nothing against ARP spoofing (that needs ebtables or arptables). If you want a pair bound to a particular guest rather than to a MAC, give the vif a fixed name with vifname= in the DomU config and match on the bridge port with -m physdev --physdev-in instead of (or as well as) -m mac.
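To tie the three steps together, here is an added example (not part of the post) that generates the /etc/sysconfig/iptables fragment and the matching vif= lines from a small IP-to-MAC table, rejecting malformed MACs and addresses outside the /24 before they turn into a rule that would silently never match. It goes one rule beyond the post's set: unmatched sources from the subnet are dropped before the destination ACCEPT, so a forged source is also dropped between guests on the same bridge. The subnet, the pairs, eth0 and br0 are assumed values.

```shell
#!/bin/sh
# Added example: build the antispoof ruleset from an "IP MAC" table.
# Not the blog's own script; subnet, interface names and pairs are assumptions.

NET_PREFIX="192.168.1"          # the /24 assigned to the server (assumed)
SUBNET="$NET_PREFIX.0/24"
UPLINK="eth0"                    # Dom0's own interface, as in the post's INPUT rules
BRIDGE="br0"                     # bridge the DomU vifs attach to

# Constructed sample table, one DomU per line: "ip mac".
PAIRS='192.168.1.10 11:22:33:44:55:66
192.168.1.11 11:22:33:44:55:67'

# Six colon-separated hex octets, nothing else: a typo here would produce a
# rule that never matches and the guest would simply lose all connectivity.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Dotted quad inside our /24; an address outside it could never be reached
# through the -d rule anyway, so refuse it early rather than emit a dead rule.
in_subnet() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' &&
        [ "${1%.*}" = "$NET_PREFIX" ]
}

# The vif= line for the DomU config in /etc/xen, matching the table entry.
vif_line() {
    printf "vif = [ 'mac=%s,bridge=%s' ]\n" "$1" "$BRIDGE"
}

# Read "ip mac" pairs on stdin, write an iptables-restore *filter block on
# stdout. Returns 1 (with the offending entry on stderr) on a bad line.
gen_antispoof_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Dom0 itself: established/related and ICMP in, the rest rejected.
    printf '%s\n' "-A INPUT -i $UPLINK -m state --state RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A INPUT -i $UPLINK -p icmp -j ACCEPT"
    printf '%s\n' "-A INPUT -i $UPLINK -j REJECT --reject-with icmp-host-prohibited"
    # One rule per guest: its IP is accepted only from its own MAC.
    while read -r ip mac extra; do
        [ -z "$ip" ] && continue
        if ! valid_mac "$mac"; then
            echo "bad MAC for $ip: '$mac'" >&2; return 1
        fi
        if ! in_subnet "$ip"; then
            echo "address $ip is not in $SUBNET" >&2; return 1
        fi
        printf '%s\n' "-A FORWARD -s $ip/32 -m mac --mac-source $mac -j ACCEPT"
    done
    # Anything else claiming a source in our /24 is forged: drop it here,
    # before the destination ACCEPT, so guest-to-guest spoofing fails too.
    printf '%s\n' "-A FORWARD -s $SUBNET -j DROP"
    # Traffic for the guests is let through; everything else is dropped.
    printf '%s\n' "-A FORWARD -d $SUBNET -j ACCEPT"
    printf '%s\n' '-A FORWARD -j DROP' 'COMMIT'
}

# Usage: emit the ruleset (redirect it to /etc/sysconfig/iptables on the Dom0),
# then the vif= line for each guest's config file.
printf '%s\n' "$PAIRS" | gen_antispoof_rules
printf '%s\n' "$PAIRS" | while read -r ip mac; do
    [ -n "$ip" ] && printf '# %s: ' "$ip" && vif_line "$mac"
done
```

Load the generated file with iptables-restore (or a service iptables restart) on the Dom0; the sysctl from step 1 must already be set or the FORWARD rules will never see bridged frames.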

What's happened to the last few months?

Ok, so I've neglected to put a lot of new content up here lately...

1) kernel-xen packages have been updated to 2.6.32.50.

2) Started up a new photography site to try and get some great images to people. I really enjoy taking photos, but DAMN the equipment is expensive. I'm hoping to invest anything made on that site back into equipment to take more photos etc.

3) Damn, Christmas AND New Years has passed. It was the first real Christmas dinner with family and friends that I’d been a part of in my own home for waaay too long. Emma really pulled it all together and I couldn’t have done any of it without her.

Xen and Kernel updates.

Just a quick note to say I’ve updated Xen to 4.1.2 and my Dom0 linux kernel to 2.6.32.50. They should be automatically updated via yum. Remember to edit your grub.conf correctly after updating the kernel.

EL6 Xen kernel updates

I’ve just posted some new kernel-xen RPMs based on 2.6.32.46.

Changelog:

* Sat Sep 17 2011 Steven Haigh <netwiz@crc.id.au>
- Revert "xen/apic: Provide an 'apic_xen' to set the override the apic->[read|write] for all cases."
- Merged in 2.6.32.46 fixes:
      igb: Fix lack of flush after register write and before delay
      fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
      drm/ttm: fix ttm_bo_add_ttm(user) failure path
      x86, UV: Remove UV delay in starting slave cpus
      x86-32, vdso: On system call restart after SYSENTER, use int $0x80
      futex: Fix regression with read only mappings
      ALSA: ac97: Add HP Compaq dc5100 SFF(PT003AW) to Headphone Jack Sense whitelist
      ALSA: snd_usb_caiaq: track submitted output urbs
      befs: Validate length of long symbolic links.
      fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
      perf tools: do not look at ./config for configuration
      mm: fix wrong vmap address calculations with odd NR_CPUS values
      ALSA: snd-usb-caiaq: Correct offset fields of outbound iso_frame_desc
      hwmon: (ibmaem) add missing kfree
      atm: br2864: sent packets truncated in VC routed mode
      USB: Serial: Added device ID for Qualcomm Modem in Sagemcom's HiLo3G
      USB: usb-storage: unusual_devs entry for ARM V2M motherboard.
      USB: assign instead of equal in usbtmc.c
      USB: xhci: fix OS want to own HC

The guide can be found here.

The future - It's going to be a wild ride.

For a long time now, I’ve been seeing the effect of technology on everyday life. This is a great video on how technology is causing a very disruptive shift in how we view the world, what it means, and how the next generation will live.

To me, this is one of the best reasons on earth that we should be building the NBN in Australia. The future of having fibre to everywhere will give us a mass of opportunity to live in the new economy in 20-30 years time.