[Xen-users] ip antispoof in Xen 3.4.2

[KC LO <kclo2000@xxxxxxxxx>]

Hi all,

 

I am testing on the IP address antispoof function in Xen.

Finally, I make it working on Xen3.0 on CentOS5.4.  This is the original version come with CenOS.

 

What I need to do is : -

1) For DomU config, add vif = [ "ip=11.1.1.1,mac=00:16:36:23:9e:bd,bridge=xenbr0"]

2) Under /etc/xen/xend-config.sxp, I need to append antispoof=yes to the end of the "network-script"

(network-script 'network-bridge antispoof=yes')

3) sysctl -w "net.bridge.bridge-nf-call-iptables=1 in order to allow forwarding to use iptables.

 

I observed that when I start a new domain with the ip defined in vif, it will add an iptables rule under Forward section automatically.  This make IP anti-spoof working.

 

However, when I upgrade Xen3 to Xen 3.4.2, the above functions is not working.  I found out that the iptables rule under network-bridge has changed

 

For anti-spoof sectionin of network-bridge script of xen3.4.2, it has removed

 

"iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT". 

 

Xen 3.0 anti-spoof section,

# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT
}

Xen3.4.2 anti-spoof section

# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
}

 

Any reason for Xen3.4.2 to remove this filtering rule?  Is it safe that I add this rule to Xen3.4.2 in order to make anti-spoof working?

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users