[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-users] ip antispoof in Xen 3.4.2
Hi all,
I am testing on the IP address antispoof function in Xen.
Finally, I make it working on Xen3.0 on CentOS5.4. This is the original version come with CenOS.
What I need to do is : -
1) For DomU config, add vif = [ "ip=11.1.1.1,mac=00:16:36:23:9e:bd,bridge=xenbr0"]
2) Under /etc/xen/xend-config.sxp, I need to append antispoof=yes to the end of the "network-script"
(network-script 'network-bridge antispoof=yes')
3) sysctl -w "net.bridge.bridge-nf-call-iptables=1 in order to allow forwarding to use iptables.
I observed that when I start a new domain with the ip defined in vif, it will add an iptables rule under Forward section automatically. This make IP anti-spoof working.
However, when I upgrade Xen3 to Xen 3.4.2, the above functions is not working. I found out that the iptables rule under network-bridge has changed
For anti-spoof sectionin of network-bridge script of xen3.4.2, it has removed
"iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT".
Xen 3.0 anti-spoof section,
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge. antispoofing () { iptables -P FORWARD DROP iptables -F FORWARD iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT } Xen3.4.2 anti-spoof section
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge. antispoofing () { iptables -P FORWARD DROP iptables -F FORWARD iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT } Any reason for Xen3.4.2 to remove this filtering rule? Is it safe that I add this rule to Xen3.4.2 in order to make anti-spoof working?
_______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |