
[Xen-users] ip antispoof in Xen 3.4.2


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: KC LO <kclo2000@xxxxxxxxx>
  • Date: Thu, 24 Jun 2010 03:49:02 +0800
  • Delivery-date: Wed, 23 Jun 2010 12:50:33 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi all,
 
I am testing on the IP address antispoof function in Xen.
Finally, I made it work on Xen 3.0 on CentOS 5.4.  This is the original version that comes with CentOS.
 
What I need to do is:
1) For DomU config, add vif = [ "ip=11.1.1.1,mac=00:16:36:23:9e:bd,bridge=xenbr0"]
2) Under /etc/xen/xend-config.sxp, I need to append antispoof=yes to the end of the "network-script"
(network-script 'network-bridge antispoof=yes')
3) sysctl -w "net.bridge.bridge-nf-call-iptables=1" in order to allow forwarding to use iptables.
 
I observed that when I start a new domain with the ip defined in vif, it will add an iptables rule under the FORWARD section automatically.  This makes IP anti-spoof work.
 
However, when I upgrade Xen 3 to Xen 3.4.2, the above functions are not working.  I found out that the iptables rule under network-bridge has changed.
 
In the anti-spoof section of the network-bridge script of Xen 3.4.2, it has removed
 
"iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT". 
 
Xen 3.0 anti-spoof section:
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT
}
Xen 3.4.2 anti-spoof section:
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
}
 
Any reason for Xen3.4.2 to remove this filtering rule?  Is it safe that I add this rule to Xen3.4.2 in order to make anti-spoof working?
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
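Editor's added example (not code from the original post, and not the Xen network-bridge or vif-bridge script itself): a small POSIX shell script that builds the two layers of FORWARD rules the post describes, the base rules from the antispoofing () function above (default DROP, flush, accept from the physical device ${pdev}) and the per-vif rules that restrict a DomU's vif to the IP addresses given in its vif= line, which is what makes the "ip=11.1.1.1" setting enforceable. The vif name vif1.0, the device name peth0 and the address 11.1.1.1 are constructed values. DRY_RUN=1 (the default) prints each iptables command instead of executing it, so the rule set can be reviewed before it is applied on a dom0.

```shell
#!/bin/sh
# Added example: generate (or apply) bridge IP anti-spoof rules for Xen dom0.
# DRY_RUN=1 prints the iptables commands; DRY_RUN=0 executes them (root needed).
DRY_RUN=${DRY_RUN:-1}

# run_ipt: print or execute one iptables invocation.
run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# bridge_base_rules PDEV
# Mirrors the antispoofing () function quoted in the post: default policy DROP,
# flush FORWARD, then accept frames entering the bridge from the physical NIC.
bridge_base_rules() {
    run_ipt -P FORWARD DROP
    run_ipt -F FORWARD
    run_ipt -A FORWARD -m physdev --physdev-in "$1" -j ACCEPT
}

# antispoof_rules VIF IP...
# Per-DomU rules: frames entering the bridge from VIF are accepted only when
# their source address is one of the listed IPs (the vif "ip=" setting), and
# return traffic is allowed back out of VIF. Anything else from VIF, including
# a spoofed source address, falls through to the FORWARD DROP policy.
antispoof_rules() {
    vif=$1
    shift
    for addr in "$@"; do
        run_ipt -A FORWARD -m physdev --physdev-in "$vif" -s "$addr" -j ACCEPT
    done
    run_ipt -A FORWARD -m state --state RELATED,ESTABLISHED \
        -m physdev --physdev-out "$vif" -j ACCEPT
}

# check_bridge_nf: report whether bridged frames are handed to iptables at all
# (step 3 in the post). Prints "enabled", "disabled" or "unknown" (no bridge module).
check_bridge_nf() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ ! -r "$f" ]; then
        echo unknown
    elif [ "$(cat "$f")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Usage with the constructed names (dry run):
if [ "${1:-}" = "demo" ]; then
    bridge_base_rules peth0
    antispoof_rules vif1.0 11.1.1.1
    check_bridge_nf
fi
```

Note that the rule removed in 3.4.2, "-m physdev --physdev-in ${vif0} -j ACCEPT", accepts every frame entering the bridge from dom0's own vif0 regardless of source address; the per-vif rules above are the ones that actually pin a DomU to its configured IP, and they only take effect while bridge-nf-call-iptables is 1, which check_bridge_nf reports.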

 

