On Wed, 22 Mar 2006, Jason Lunz wrote:
> [EMAIL PROTECTED] said:
>> we're evaluating different options for these virtual machines. for the
>> vmware option there is a claim that the host doesn't need to have an IP
>> address on a particular nic to allow a virtual machine to access things on
>> that nic. if the host doesn't try to process the packet, but instead just
>> hands it to the uml then odds are that any network based kernel
>> vulnerabilities will happen in the uml as opposed to the host system
>> it is also simpler to explain to management :-)
> does the uml pcap network backend still work? that's more or less what
> you're asking for.
the documentation seems to say that pcap is read-only, in this case the
uml clients need full read-write access to the network.
> What Paolo suggests (bridging tapN and ethN together in brN) is mostly
> the same thing. You don't have to assign any IP on the host, just set up
> the bridge. The host networking code (specifically, the bridge code)
> does see the traffic in that case, but the exposure is limited to
> bridging itself. It doesn't go into the IP code or any other protocol's
> unless you add those protocols to the bridge.
hmm, do the host eth0 and tap0 need to have an IP address? or could I get
away with just the one IP address defined in the uml?
> no, and yes.
> The bad side is that each UML sees every packet the host sees.
this isn't a problem, the host will not be doing anything at all on those
networks except providing access for the uml to access it (the host will
have another interface that it uses for administrative access)
> if your goal is for the uml to see *every* packet, bridging doesn't do
> what you want. linux bridging acts as a switch, and it won't forward
> packets through to the uml if it knows that the dst mac is on the
> physical (ethN) side of the bridge.
> otoh, if you just want the uml to see the traffic associated with its
> mac, bridging should work fine.
the idea is that I'm picking up a physical box and replacing it with a uml
instance. I would like for the host of these uml's to be as minimal as
possible to reduce any vulnerabilities that are introduced by connecting
this host across different security environments.
David Lang
_______________________________________________
User-mode-linux-user mailing list
User-mode-linux-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-user