
Re: [Xen-users] A security Question

Thanks for the reply.

1. I also read about using an ebtables rule. The exact lines were like this:

One of the challenges was that since packets from VMs enter the iptables filter after passing "virbr0", information about the original sending interface is lost. We have used ebtables to encode the information in packet:mark. This is done by patching the Xen script which launches VMs. When a VM is launched, the patched Xen adds an ebtables rule which adds the information to every packet from the launched VM.

I want to know what the syntax of the ebtables rule is, where it is added (which script, and the path of the script), and what information is encoded?

2. The Fl_Val captures network packets from the kernel using iptables in connection with the libipq module (ip_queue kernel module) and validates the source address of the traffic.

What is the syntax of the iptables rule to validate the IP and MAC?
(We can read the IP and MAC from the packet header; how do we fetch the actual IP and MAC for the packet?
If xenstore is used for fetching the actual IP and MAC, what would its syntax be?)

Fl_Val then decodes the information and is able to reliably determine a sending VM regardless of the packet content (it may be spoofed).

I do not know exactly what information is decoded.

On Sun, Jul 24, 2016 at 5:15 AM, Christian Fassina Costa <atros@xxxxxxxxx> wrote:
You can use ebtables and only allow traffic from the MAC address and IP address on an interface. That's probably the easiest way to achieve what you are trying to do.

On Sat, Jul 23, 2016 at 4:57 AM, PREETI MISHRA <scholar.preeti@xxxxxxxxx> wrote:
Actually, my exact problem is:

I want to perform a simple check at Dom0 of whether a VM packet is IP-spoofed or MAC-spoofed, or whether everything is OK with it.
So could you please provide me the best possible way to do it using commands?

I can read the packet header values, such as the src IP and src MAC. I want to verify them against the information stored at Dom0. I don't know how I am going to fetch the actual VM IP or VM MAC address for a packet (coming from a VM) at Dom0. Usually, I read, the information is stored corresponding to the domain ID at the time when the VM is launched.
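As an added example (it is not part of this thread and not Xen's own vif scripts), here is how Christian's suggestion and the two questions above fit together in dom0. The MAC and IP that dom0 recorded for a vif at launch come from xenstore: Xen's vif-common.sh reads $XENBUS_PATH/mac and $XENBUS_PATH/ip under the backend path, the ip key being present only when the vif config carries ip=... . ebtables on the bridge drops frames whose source MAC/IP (and ARP sender MAC/IP) do not match that record and tags the rest with a mark derived from the ingress vif, and iptables then matches the mark rather than trusting the header, which is the "encode/decode" idea in the quoted paper. Domain id 1, device 0, the MAC 00:16:3e:00:00:01, the IP 10.0.0.5 and the (domid << 16 | devid) mark encoding are all assumed values chosen for this example.

```sh
#!/bin/sh
# Added example: per-vif anti-spoofing and packet marking in dom0.
# Not from the thread and not Xen's vif-bridge/vif-common.sh.
#
# Assumptions (hypothetical, chosen for the example):
#   - the guest is domain 1 and its first NIC is vif1.0
#   - its vif config carried mac=... and ip=..., so the toolstack wrote
#     both to xenstore under the backend path
#   - the nfmark encodes (domid, devid) as domid in the high 16 bits

# Read the MAC and IP dom0 recorded for a vif when the domain started.
# Same keys vif-common.sh reads: $XENBUS_PATH/mac and $XENBUS_PATH/ip.
vif_identity() {           # usage: vif_identity DOMID DEVID  -> "MAC IP"
    path="/local/domain/0/backend/vif/$1/$2"
    mac=$(xenstore-read "$path/mac") || return 1
    ip=$(xenstore-read "$path/ip" 2>/dev/null) || ip=""   # absent if no ip=
    echo "$mac $ip"
}

# Encode (domid, devid) as a 32-bit nfmark (assumed layout, see above).
vif_mark() {               # usage: vif_mark DOMID DEVID -> hex mark
    printf '0x%x\n' $(( ($1 << 16) | $2 ))
}

# Decode a mark back to the vif name: this is the "decode" step, which
# works even if every field of the packet itself was spoofed.
mark_to_vif() {            # usage: mark_to_vif MARK -> vifDOMID.DEVID
    m=$(( $1 ))
    echo "vif$(( m >> 16 )).$(( m & 0xffff ))"
}

# Print (do not run) the rules for one vif.
# Layer 2, ebtables FORWARD (frames bridged between vif and bridge):
#   1. drop frames whose source MAC is not the one assigned to the vif
#   2. drop IPv4 frames whose IP source is not the assigned IP
#   3. drop ARP whose sender MAC or sender IP is not the assigned pair
#   4. mark what survived with the vif's mark and CONTINUE down the chain
# Layer 3, iptables FORWARD (sees bridged traffic only when
# net.bridge.bridge-nf-call-iptables=1): a packet carrying this vif's mark
# must still carry this vif's IP and MAC. The mark came from the ingress
# interface, not from the headers, so it cannot be forged by the guest.
vif_rules() {              # usage: vif_rules VIF MAC IP MARK
    vif=$1; mac=$2; ip=$3; mark=$4
    cat <<EOF
ebtables -A FORWARD -i $vif -s ! $mac -j DROP
ebtables -A FORWARD -i $vif -p IPv4 --ip-src ! $ip -j DROP
ebtables -A FORWARD -i $vif -p ARP --arp-mac-src ! $mac -j DROP
ebtables -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP
ebtables -A FORWARD -i $vif -j mark --mark-set $mark --mark-target CONTINUE
iptables -A FORWARD -m mark --mark $mark ! -s $ip -j DROP
iptables -A FORWARD -m mark --mark $mark -m mac ! --mac-source $mac -j DROP
EOF
}

# "sh this_script.sh apply" as root on a host where vif1.0 exists installs
# the rules for the assumed guest; without "apply" nothing is executed.
if [ "$1" = "apply" ]; then
    set -- $(vif_identity 1 0)                     # -> MAC IP
    vif_rules vif1.0 "$1" "$2" "$(vif_mark 1 0)" | sh -e
fi
```

vif_rules only prints the rules, so you can read what would be installed before running anything. If per-vif source-address filtering is all you need, Xen's own vif-common.sh already installs iptables -m physdev --physdev-in vifX.Y -s ADDR rules when ip= is set in the vif config, with no ebtables and no marks involved. For the userspace validator in the quoted paper, note that ip_queue/libipq was removed from Linux in 3.5; the current equivalent is -j NFQUEUE with libnetfilter_queue.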

Xen-users mailing list


