oldpatricka/Why Nimbus uses ebtables

## Why Nimbus uses ebtables
#From http://www.nimbusproject.org/doc/2.5/DHCP-TP1.2.2-draft2.pdf


Xen is integrated heavily with Linux for dom0 operations and has some hooks for adding
and removing iptables rules upon VM creation/destruction.  Broadcast packets coming
from a guest virtual interface (we will use vif1.0 in this example) are by default copied to
the whole LAN.  To avoid this situation, we investigated using iptables but found that
ebtables offers the most solid solution.
ebtables is a standard Linux package and the kernel support for it is in a default Xen
installation.  As with ISC DHCP, installing the userspace tools (/sbin/ebtables) is a one
line command to the package management system.
To avoid copying the DHCP request to the LAN (or to any other local VMs), we
intercept the packet with ebtables before the bridging decision.  Any DHCP request is
directed to the correct dom0 interface (see note below on advanced configurations).
Further, because it is already adding ebtables rules, it adds two simple rules for spoofing
protection, making it impossible for a NIC to use a different MAC or IP address than
assigned.
The inspection flows like so:
1. Is the packet coming from a workspace virtual interface?
2. If not, proceed without further processing.
3. If so, is the MAC address incorrect?  Drop the packet.
4. Is this is a DHCP packet?
5. If so, allow it to be bridged only to the appropriate interface for the bridge that it
is on. (see note below on advanced configurations). No other interface on the
bridge will see the broadcast packet.
6. If not a DHCP packet, it must have the correct source IP address, otherwise the
packet is dropped.
	#From http://www.nimbusproject.org/doc/2.5/DHCP-TP1.2.2-draft2.pdf


	Xen is integrated heavily with Linux for dom0 operations and has some hooks for adding
	and removing iptables rules upon VM creation/destruction. Broadcast packets coming
	from a guest virtual interface (we will use vif1.0 in this example) are by default copied to
	the whole LAN. To avoid this situation, we investigated using iptables but found that
	ebtables offers the most solid solution.
	ebtables is a standard Linux package and the kernel support for it is in a default Xen
	installation. As with ISC DHCP, installing the userspace tools (/sbin/ebtables) is a one
	line command to the package management system.
	To avoid copying the DHCP request to the LAN (or to any other local VMs), we
	intercept the packet with ebtables before the bridging decision. Any DHCP request is
	directed to the correct dom0 interface (see note below on advanced configurations).
	Further, because it is already adding ebtables rules, it adds two simple rules for spoofing
	protection, making it impossible for a NIC to use a different MAC or IP address than
	assigned.
	The inspection flows like so:
	1. Is the packet coming from a workspace virtual interface?
	2. If not, proceed without further processing.
	3. If so, is the MAC address incorrect? Drop the packet.
	4. Is this is a DHCP packet?
	5. If so, allow it to be bridged only to the appropriate interface for the bridge that it
	is on. (see note below on advanced configurations). No other interface on the
	bridge will see the broadcast packet.
	6. If not a DHCP packet, it must have the correct source IP address, otherwise the
	packet is dropped.