
Re: [Xen-users] ip antispoof in Xen 3.4.2



Hi KC LO,

The rules should work with XEN 3.4.2 or even XEN 4.0.0 as well, as they rely on the bridging code in the kernel, which is not dependent on the XEN version.

I've got no idea why this behaviour has changed, but if the old behaviour is ok for you, you should be able to use those rules manually.

Regards,
Felix

P.S.: Those rules will not really deny IP / ARP spoofing at all...

On 23.06.2010 21:49, KC LO wrote:
Hi all,
 
I am testing on the IP address antispoof function in Xen.
Finally, I made it work on Xen 3.0 on CentOS 5.4.  This is the original version that comes with CentOS.
 
What I need to do is:
1) For the DomU config, add vif = [ "ip=11.1.1.1,mac=00:16:36:23:9e:bd,bridge=xenbr0" ]
2) Under /etc/xen/xend-config.sxp, I need to append antispoof=yes to the end of the "network-script" line
(network-script 'network-bridge antispoof=yes')
3) sysctl -w "net.bridge.bridge-nf-call-iptables=1" in order to allow forwarding to use iptables.
 
I observed that when I start a new domain with the ip defined in vif, it will add an iptables rule under the FORWARD section automatically.  This makes IP anti-spoof work.
 
However, when I upgrade Xen 3 to Xen 3.4.2, the above function is not working.  I found out that the iptables rule under network-bridge has changed.
 
In the anti-spoof section of the network-bridge script of Xen 3.4.2, it has removed
 
"iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT".
 
Xen 3.0 anti-spoof section,
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT
}
Xen 3.4.2 anti-spoof section,
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
}
 
Any reason for Xen 3.4.2 to remove this filtering rule?  Is it safe if I add this rule to Xen 3.4.2 in order to make anti-spoof work?
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
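The two quoted antispoofing() versions only whitelist the physical uplink (and, in Xen 3.0, dom0's vif0) on the bridge; the rule that actually binds a DomU to its configured address is the per-vif rule KC LO saw being added automatically, which the thread describes but does not show. The following is an added example, not code from the thread or from Xen's network-bridge / vif scripts, that lays out both layers together. The per-vif rule shape (physdev-in plus -s <ip>) is an assumption about what the ip= entry translates to; IPT defaults to "echo iptables" so the rule set can be inspected without root, and all device names and the address are constructed placeholders.

```shell
#!/bin/sh
# Added example: builds the FORWARD-chain rule set discussed in the thread.
# IPT defaults to "echo iptables" so the commands are printed rather than run;
# set IPT=iptables (as root) to apply them. Names below are constructed.
IPT="${IPT:-echo iptables}"

# Bridge-level policy, in the shape of the quoted antispoofing() function:
# drop everything forwarded across the bridge by default, then allow frames
# entering from the physical uplink ($pdev) and from dom0's own vif ($vif0).
# Note that nothing here ties any DomU to an IP address yet.
bridge_antispoof_rules() {
    pdev="$1"; vif0="$2"
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m physdev --physdev-in "$pdev" -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$vif0" -j ACCEPT
}

# Per-DomU rule (assumed shape of the rule Xen adds for an ip= vif entry):
# accept frames arriving on the guest's vif only when the IP source matches
# the configured address. Frames from that vif with any other source fall
# through to the FORWARD DROP policy, which is the anti-spoof effect.
domu_antispoof_rule() {
    vif="$1"; ip="$2"
    $IPT -A FORWARD -m physdev --physdev-in "$vif" -s "$ip" -j ACCEPT
}

# Optional visibility: rate-limited logging of whatever the policy drops,
# so spoofed sources show up in the kernel log instead of vanishing silently.
log_dropped_rule() {
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "xen-antispoof-drop: "
}

# Convenience wrapper: bridge rules, one DomU binding, then the log rule.
# Arguments: <physical dev> <dom0 vif> <domU vif> <domU ip>
full_antispoof_ruleset() {
    bridge_antispoof_rules "$1" "$2"
    domu_antispoof_rule "$3" "$4"
    log_dropped_rule
}

# Example invocation with constructed names: peth0 is the uplink, vif0.0 is
# dom0's vif, vif1.0 is the first vif of domain 1, 11.1.1.1 is its ip= value.
full_antispoof_ruleset peth0 vif0.0 vif1.0 11.1.1.1
```

Remember that, as in KC LO's step 3, net.bridge.bridge-nf-call-iptables must be 1 or bridged frames never reach the FORWARD chain and none of these rules match; the physdev match also only affects bridged traffic, so a vif that is routed rather than bridged needs ordinary -i/-s rules instead.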