* Xen and Firewalling
@ 2005-04-17 23:30 Sam Johnston
From: Sam Johnston @ 2005-04-17 23:30 UTC (permalink / raw)
To: xen-devel
Good evening all,
I would like to have a number of fairly autonomous domains on a xen
box and would like to give the admins the ability to maintain their
own firewalls. However netfilter's not compiled in to the domU
kernels:
# iptables -L -n
modprobe: Can't open dependencies file
/lib/modules/2.6.10-xenU/modules.dep (No such file or directory)
iptables v1.2.11: can't initialize iptables table `filter': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Is there a reason for this? Is simply doing a make menuconfig inside
linux-2.6.10-xenU and setting the requisite options sufficient?
According to linux-2.6.10-xen-sparse/arch/xen/configs/xenU_defconfig
there are some modules already so it would follow that there's no
problem compiling netfilter as modules? That being the case, why
aren't they compiled by default? I see that netfilter is indeed
included in the default dom0 config, and can understand why someone
would want to put some basic restrictions on the domains (eg to ensure
that they are using only allocated IPs, for accounting and to enforce
any other administrative policies), but it would certainly be more
flexible to allow each domain to maintain its own security policy.
For this particular installation the preferred setup would be not
allowing anything but ssh from certain IPs to dom0, and then have each
of the domains taking care of itself - they would be, for all intents
and purposes, standalone machines.
Sam
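The setup Sam describes at the end of his message (only ssh from certain IPs to dom0, an allocated-IP check per domain, and each domain otherwise filtering for itself) written out as a dom0 rule generator. This is an added example, not code from the thread or from the Xen project. It assumes bridged Xen networking with bridge-netfilter enabled, so that bridged frames traverse the FORWARD chain and the `physdev` match is usable; the admin addresses, guest addresses and vif names are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the dom0 policy Sam
# describes. dom0 accepts only ssh from listed admin addresses; each guest
# vif may only carry its allocated IP (anti-spoofing); everything else is
# left to the guest's own netfilter rules.
# Assumptions (not stated in the thread): bridged Xen networking with
# bridge-netfilter enabled, so bridged frames traverse FORWARD and the
# physdev match is available. All addresses and vif names are constructed.

# Admin hosts allowed to open ssh sessions to dom0 (constructed sample values).
ADMIN_IPS="192.0.2.10 192.0.2.11"

# One "vif allocated-ip" pair per guest (constructed sample values).
GUESTS="vif1.0 198.51.100.11
vif2.0 198.51.100.12"

# Rules for traffic addressed to dom0 itself.
dom0_input_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ip in $ADMIN_IPS; do
        echo "iptables -A INPUT -p tcp -s $ip --dport 22 -m state --state NEW -j ACCEPT"
    done
}

# Rules for traffic bridged between guests and the outside world. A vif may
# only source (or be sent) its allocated address; anything else is dropped by
# the chain policy. No port-level filtering here: that is the guest's job.
guest_forward_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$GUESTS" | while read -r vif ip; do
        [ -n "$vif" ] || continue
        echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT"
        echo "iptables -A FORWARD -m physdev --physdev-out $vif -d $ip -j ACCEPT"
    done
}

# Sanity check: how many INPUT rules accept new connections from an address?
# An admin address should report 1, any other address 0.
count_accepts_for() {
    dom0_input_rules | grep -c -- "-s $1 .*-j ACCEPT" || true
}

# Print the policy for review; "sh thisscript.sh apply" hands it to sh
# (needs root and an iptables binary on dom0).
if [ "$1" = "apply" ]; then
    { dom0_input_rules; guest_forward_rules; } | sh
else
    dom0_input_rules
    guest_forward_rules
fi
```

The generator prints the rules rather than applying them so the policy can be reviewed before it touches a live dom0; the `count_accepts_for` check is the kind of quick test worth running after any edit to the admin list, since a typo there locks the administrators out of dom0.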
* Re: Xen and Firewalling
From: Rik van Riel @ 2005-04-17 23:57 UTC (permalink / raw)
To: Sam Johnston; +Cc: xen-devel
On Mon, 18 Apr 2005, Sam Johnston wrote:
> Is there a reason for this? Is simply doing a make menuconfig inside
> linux-2.6.10-xenU and setting the requisite options sufficient?
Yes, reconfiguring and recompiling is enough.
--
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan
* Re: Xen and Firewalling
From: Sam Johnston @ 2005-04-18 0:49 UTC (permalink / raw)
To: Rik van Riel; +Cc: xen-devel
Thanks Rik,
I've just worked out why my recompiling failed before - needed to
specify ARCH=xen, a la:
make ARCH=xen menuconfig
It would be good to see netfilter included by default in domU kernels
in future releases, unless there's a reasonable reason not to. I see
it was just added to dom0 recently by iap10@labyrinth.cl.cam.ac.uk:
ChangeSet@1.1703, 2005-01-29 22:20:09+00:00, iap10@labyrinth.cl.cam.ac.uk
Add iptables modules to the default xen0 kernel, and add example
configuration files for a NAT setup.
Sam
On 4/18/05, Rik van Riel <riel@redhat.com> wrote:
> On Mon, 18 Apr 2005, Sam Johnston wrote:
>
> > Is there a reason for this? Is simply doing a make menuconfig inside
> > linux-2.6.10-xenU and setting the requisite options sufficient?
>
> Yes, reconfiguring and recompiling is enough.
>
> --
> "Debugging is twice as hard as writing the code in the first place.
> Therefore, if you write the code as cleverly as possible, you are,
> by definition, not smart enough to debug it." - Brian W. Kernighan
>
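Before going through `make ARCH=xen menuconfig` it helps to know how the existing xenU config treats the options the `filter' table needs, and whether any of them are modules (which is what the modules.dep error in the first message points at: modules built but never installed into the guest). The checker below is an added example, not code from the thread or from the Xen tree; the config text it reads is a constructed sample, not the real xenU_defconfig, and the set of options it reports on is the author's choice.

```shell
#!/bin/sh
# Added example, not code from the thread: report how a kernel .config treats
# the netfilter options iptables' filter table depends on. SAMPLE_CONFIG is a
# constructed stand-in for linux-2.6.10-xenU/.config, not the real defconfig.

SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_CONNTRACK is not set
CONFIG_MODULES=y'

# option_state CONFIG_FOO < config  -> prints builtin | module | unset | absent
# Matches the option name exactly (followed by "=" or a space), so
# CONFIG_NETFILTER does not also match CONFIG_NETFILTER_DEBUG.
option_state() {
    opt="$1"
    line=$(grep -E "^(# )?$opt( |=)" | head -n 1)
    case "$line" in
        "$opt=y")            echo builtin ;;
        "$opt=m")            echo module ;;
        "# $opt is not set") echo unset ;;
        *)                   echo absent ;;
    esac
}

# One line per option: the netfilter core, ip_tables, the filter table itself,
# and connection tracking for stateful (ESTABLISHED,RELATED) rules.
netfilter_report() {
    for opt in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_CONNTRACK; do
        printf '%s %s\n' "$opt" "$(echo "$SAMPLE_CONFIG" | option_state "$opt")"
    done
}

# Any "module" line means the guest filesystem also needs the modules
# installed (make ARCH=xen modules_install into the domU root), otherwise
# iptables fails exactly as in the first message of this thread.
netfilter_report
```

To run it against a real config instead of the sample, feed the file to `option_state` on stdin (for example `option_state CONFIG_IP_NF_FILTER < linux-2.6.10-xenU/.config`); an option reported as `absent` usually means its dependency, such as CONFIG_NETFILTER, is off and it was never offered by menuconfig.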
* RE: Xen and Firewalling
From: Ian Pratt @ 2005-04-18 9:59 UTC (permalink / raw)
To: Sam Johnston, Rik van Riel; +Cc: xen-devel
> It would be good to see netfilter included by default in domU
> kernels in future releases, unless there's a reasonable
> reason not to. I see it was just added to dom0 recently by
> iap10@labyrinth.cl.cam.ac.uk:
>
> ChangeSet@1.1703, 2005-01-29 22:20:09+00:00,
> iap10@labyrinth.cl.cam.ac.uk
> Add iptables modules to the default xen0 kernel, and add
> example configuration files for a NAT setup.
Just use the dom0 kernel. It's a little bigger because of the drivers,
but there's no reason not to use it in guest domains.
If you're using modules (as most distro kernels do) there's absolutely
no reason not to have a xen0 and xenU kernel. The only reason we build
two kernels is because it's convenient for developers to not have to
worry about installing modules whenever they recompile.
Ian