On Wed, 22 Mar 2006, Blaisorblade wrote:

> On Wednesday 22 March 2006 18:58, David Lang wrote:
>> Ok, now that I have interfaces showing up inside uml (2.6.15.6 didn't
>> work, but 2.6.16 does) I have another question.
>>
>> Is it possible to dedicate physical network interfaces to particular uml
>> interfaces?
>
> I'm not sure, but I think you're asking the wrong question. If your purpose is
> security, the best answer is iptables, filtering based on -i (ingress
> interface).

We're evaluating different options for these virtual machines. For the vmware option there is a claim that the host doesn't need to have an IP address on a particular nic to allow a virtual machine to access things on that nic. If the host doesn't try to process the packet, but instead just hands it to the uml, then odds are that any network-based kernel vulnerabilities will happen in the uml as opposed to the host system.

It is also simpler to explain to management :-)

I was trying to find out if the same thing could be done with uml. It sounds as if the answer is no, so I'll look at the bridging config you give below.

> The other possibility is bridging.
>
>> I intend to run a half dozen uml instances on a box with 8 physical
>> network interfaces, each one on separate networks. I would prefer to have
>> routing disabled on the host entirely (the networks are separated for
>> security reasons and I need to make sure that the host box doesn't open up
>> a hole between them). The ideal situation would be to configure the first
>> uml instance to use the physical eth0 and all configuration then takes
>> place within the uml.
>>
>> Is this possible?
>>
>> The closest that I'm seeing in the docs is to have the host configure the
>> IPs for each interface, and then bridge to the umls. But this bridging
>> seems like it would significantly weaken the separation of the different
>> networks.
>
> It wouldn't mix together different networks, you bridge eth0 with tap0 on br0,
> eth1 with tap1 on br1, and so on, and then probably you can disable packet
> forwarding with
>
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> this should work (I'm not sure but bridges should work even with that
> disabled).

Ok, I'll give it a try.

Hmm, do the host eth0 and tap0 need to have an IP address? Or could I get away with just the one IP address defined in the uml?

> The bad side is that each UML sees every packet the host sees.

This isn't a problem, the host will not be doing anything at all on those networks except providing access for the uml to access it (the host will have another interface that it uses for administrative access).

David Lang
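The per-NIC bridge layout discussed above (eth0 with tap0 on br0, eth1 with tap1 on br1, forwarding disabled on the host, filtering by ingress interface), written out as a host-side script. This is an added example, not a script from the thread or from the UML project. It assumes modern iproute2 (`ip tuntap`, `ip link ... type bridge`), a host account called `uml` that runs the guests, NICs named eth0..eth7, a separate administrative NIC, and the `ethN=tuntap,tapN` form of the UML tuntap transport for a pre-created tap device; all of those are assumptions, not facts from the page. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: one Linux bridge per physical NIC, so
# each UML guest is attached to exactly one network segment and the host
# keeps no IP address on any of them. Assumptions (not from the page):
# modern iproute2, a host user "uml", NICs eth0..eth7, admin NIC elsewhere.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them as root.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# make_bridge N USER: bridge ethN with tapN on brN.
# Bridge ports forward frames at layer 2 whether or not the host has an
# address on them, so ethN, tapN and brN stay address-less; the guest on
# tapN is then the only IP stack that processes traffic from ethN.
make_bridge() {
    n=$1
    user=$2
    run ip tuntap add dev "tap$n" mode tap user "$user"
    run ip link add name "br$n" type bridge
    run ip addr flush dev "eth$n"
    run ip link set "eth$n" master "br$n"
    run ip link set "tap$n" master "br$n"
    run ip link set "eth$n" up
    run ip link set "tap$n" up
    run ip link set "br$n" up
}

# setup_all COUNT USER: bridges for eth0 .. eth(COUNT-1).
setup_all() {
    count=$1
    user=$2
    i=0
    while [ "$i" -lt "$count" ]; do
        make_bridge "$i" "$user"
        i=$((i + 1))
    done
}

# host_lockdown COUNT: no layer-3 routing between segments on the host, and
# nothing that arrives on a bridge may be delivered to the host's own stack
# (the "filter on -i" advice from the thread). Frames bridged between ethN
# and tapN never traverse INPUT, so these rules do not affect the guest.
host_lockdown() {
    count=$1
    run sysctl -w net.ipv4.ip_forward=0
    i=0
    while [ "$i" -lt "$count" ]; do
        run iptables -A INPUT -i "br$i" -j DROP
        run iptables -A OUTPUT -o "br$i" -j DROP
        i=$((i + 1))
    done
}

# uml_netarg N: the guest-side command-line fragment for UML's tuntap
# transport using the pre-created tapN (assumed syntax; check your UML docs).
uml_netarg() {
    printf 'eth0=tuntap,tap%s\n' "$1"
}

# Entry point: UML_NICS=8 sh bridge-per-nic.sh prints the plan for eight NICs;
# add DRY_RUN=0 and run as root to apply it.
if [ "${UML_NICS:-0}" -gt 0 ]; then
    setup_all "$UML_NICS" uml
    host_lockdown "$UML_NICS"
fi
```

Run it with `UML_NICS=8 sh bridge-per-nic.sh` to review the plan, then with `DRY_RUN=0` as root to apply it; each guest is started with the fragment `uml_netarg N` prints. Note that the bridge itself is still a host kernel component, so the host kernel still parses every Ethernet frame on those segments even though no host IP stack is exposed on them.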


_______________________________________________
User-mode-linux-user mailing list
User-mode-linux-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-user