Xen 3.4.1 had a working solution, however it seems to be completely broken in 4.x.

So, to solve this, I found that you can do some magic in iptables to give the same result.

1) Enable iptables on bridging interfaces in /etc/sysctl.conf
net.bridge.bridge-nf-call-iptables = 1
Then reload the file using sysctl -p

2) Write the rules in /etc/sysconfig/iptables:
*filter
:INPUT ACCEPT [26:2197]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [444:63703]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.10/32 -m mac --mac-source 11:22:33:44:55:66 -j ACCEPT
-A FORWARD -s 192.168.1.11/32 -m mac --mac-source 11:22:33:44:55:67 -j ACCEPT
-A FORWARD -j DROP
COMMIT

3) When you set up the DomU config file in /etc/xen, alter your vif line to specify the MAC address:
vif = [ 'mac=11:22:33:44:55:66,bridge=br0' ]

Now for the explanation. When a packet gets sent TO the DomU, the destination rule is hit and the packet flows TO the DomU. When the DomU replies, if its MAC address doesn’t match the one in –mac-source, then the packet is dropped.

The added benefit here is that as we DROP everything else, if the DomU tries to change IP or grab an IP not associated with a MAC, the packets will just get dropped.

Sadly, theres nothing you can do to stop people from using other entries you put on the list – however it does stop random resource grabs for IPs.

1) kernel-xen packages have been updated to 2.6.32.50.

2) Started up a new photography site to try and get some great images to people. I really enjoy taking photos, but DAMN the equipment is expensive. I’m hoping to invest anything made on that site back into equipment to take more photos etc..

3) Damn, Christmas AND New Years has passed. It was the first real Christmas dinner with family and friends that I’d been a part of in my own home for waaay too long. Emma really pulled it all together and I couldn’t have done any of it without her.

Changelog:

* Sat Sep 17 2011 Steven Haigh 
- Revert "xen/apic: Provide an 'apic_xen' to set the override the apic->[read|write] for all cases."
- Merged in 2.6.32.46 fixes:
      igb: Fix lack of flush after register write and before delay
      fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
      drm/ttm: fix ttm_bo_add_ttm(user) failure path
      x86, UV: Remove UV delay in starting slave cpus
      x86-32, vdso: On system call restart after SYSENTER, use int $0x80
      futex: Fix regression with read only mappings
      ALSA: ac97: Add HP Compaq dc5100 SFF(PT003AW) to Headphone Jack Sense whitelist
      ALSA: snd_usb_caiaq: track submitted output urbs
      befs: Validate length of long symbolic links.
      fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
      perf tools: do not look at ./config for configuration
      mm: fix wrong vmap address calculations with odd NR_CPUS values
      ALSA: snd-usb-caiaq: Correct offset fields of outbound iso_frame_desc
      hwmon: (ibmaem) add missing kfree
      atm: br2864: sent packets truncated in VC routed mode
      USB: Serial: Added device ID for Qualcomm Modem in Sagemcom's HiLo3G
      USB: usb-storage: unusual_devs entry for ARM V2M motherboard.
      USB: assign instead of equal in usbtmc.c
      USB: xhci: fix OS want to own HC

The guide can be found here.

To me, this is one of the best reasons on earth that we should be building the NBN in Australia. The future of having fibre to everywhere will give us a mass of opportunity to live in the new economy in 20-30 years time.

Xen changelog:

* Sun Aug 14 2011 Michael Young – 4.1.1-3
- untrusted guest controlling PCI[E] device can lock up host CPU [CVE-2011-3131]

kernel-xen changelog:

* Fri Aug 19 2011 Steven Haigh
! Note: USB-DVB still seems to be broken.
- commit ‘v2.6.32.45′:
- Linux 2.6.32.45
- powerpc: pseries: Fix kexec on machines with more than 4TB of RAM
- powerpc: Fix device tree claim code
- ALSA: snd-usb-caiaq: Fix keymap for RigKontrol3
- ALSA: timer – Fix Oops at closing slave timer
- net: Compute protocol sequence numbers and fragment IDs using MD5.
- crypto: Move md5_transform to lib/md5.c

Details on how to use these packages and set up a repository are available on the EL6 and Xen howto guide.

Changes:

* Sun Aug 14 2011 Steven Haigh 
- Disabled module creation for USB DVB tuners due to errors on compile. This
  will affect all DVB tuners using the dvb-usb module.
  I would assume most people who run this kernel won't use USB tuners on Dom0.
- Merged in 2.6.32.44

If you’re out there wondering what this whole Google Plus thing is about?

So, what are you waiting for? Oh right, an Invite. Here you go.

I’ve done a quick refresh to the Xen packages in my repo to remove an extra repository file from the package which could cause some issues with yum. Its a minor issue – so if you’ve already got 4.1.1-2 installed, just delete the file /etc/yum.repos.d/dom0-kernel.repo and you’ll be set.

Kernel Changelog:

* Sun Jul 31 2011 Steven Haigh
- Brought kernel config inline with stock EL6 kernels
- Fix: xen/blkback: don’t fail empty barrier requests
- Revert “xen/blkback: When writting barriers set the sector number to zero…”
- blktap: Fix reference to freed struct request.
- Merged in 2.6.32.43
- Fixed minor bug in post-install script modifying yum.conf to recognise
kernel-xen as a kernel package and allow multiple installs.
- Fixed bug not removing generated initramfs when removing kernel-xen pacakge

Xen Changelog:

* Wed Jul 20 2011 Michael Young – 4.1.1-2
- clean up patch to solve a problem with hvmloader compiled with gcc 4.6