[Xen-users] issue with iptables antispoofing rules in xen4.8 generated by vif-bridge and vif-common.sh
Hi all
I filed this issue with the Debian user-list as well but as I think it is not Debian related I file it here as well.
I have issues with the antispoofing rules that are automatically generated
on domU startup by
/etc/xen/scripts/vif-bridge and
/etc/xen/scripts/vif-common.sh
Both are part of the Debian xen-utils-common package
(4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 installed on Debian 9.4).
A domU test01 has two virtual interfaces - vif-test01-INT and
vif-test01-TEST, both are connected to separate bridges named brINT and
brTEST. The brINT is just an internal bridge without connectivity to an
outside network to just connect all domUs and the dom0. The IP
address for the vif-test01-INT interface is 192.168.240.68.
The automatically generated rules per domU are:
1 ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif-test01-INT --physdev-is-bridged
2 ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif-test01-INT --physdev-is-bridged udp spt:bootpc dpt:bootps
3 ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif-test01-INT --physdev-is-bridged
4 ACCEPT all -- 192.168.240.68 anywhere PHYSDEV match --physdev-in vif-test01-INT --physdev-is-bridged
5 ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif-test01-TEST --physdev-is-bridged
6 ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif-test01-TEST --physdev-is-bridged udp spt:bootpc dpt:bootps
7 ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif-test01-TEST --physdev-is-bridged
8 ACCEPT all -- test01 anywhere PHYSDEV match --physdev-in vif-test01-TEST --physdev-is-bridged
...
33 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
From what I see, the rules 1/3 and 5/7 are doubled.
The next issue is that antispoofing rules just don't work. If I change
the IP address of the vif-test01-INT interface to something like
192.168.240.168 IP packets between test01 and other domUs are still
forwarded.
If I manually change the iptables rules to something like (in this
example just for the brINT connected interface):
-A FORWARD -m physdev --physdev-is-bridged --physdev-in vif-test01-INT -p all ! -s 192.168.240.68 -j DROP
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vif-test01-INT -p all ! -d 192.168.240.68 -j DROP
-A FORWARD -m physdev --physdev-is-bridged --physdev-in vif-test01-INT -p all -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vif-test01-INT -p all -j ACCEPT
...
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
then antispoofing works and IP packets with IP addresses different from
192.168.240.68 get dropped.
Can somebody confirm this is an issue? Or do I just not understand how
the antispoofing rules work on a virtual bridge?
Is there a way to disable generation of antispoofing rules automatically
on domU startup? I could configure a different vif.default.script in
xl.conf and write a wrapper script, but it might be easier to just
disable it and load iptables rules manually.
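Added example, not part of the post or of the Xen vif scripts: a small audit that parses the `iptables -L FORWARD --line-numbers` listing quoted above and flags the two points a reviewer would check: rules that appear twice, and ACCEPT rules that match only `--physdev-out` with source `anywhere`, which accept a forwarded packet bound for that vif from any other vif before the sender's own `--physdev-in` source rule is ever reached. The sample listing is the post's output re-joined onto single lines; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the FORWARD chain from the post, wrapped lines re-joined.
SAMPLE_LISTING = """\
1 ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif-test01-INT --physdev-is-bridged
2 ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif-test01-INT --physdev-is-bridged udp spt:bootpc dpt:bootps
3 ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif-test01-INT --physdev-is-bridged
4 ACCEPT all -- 192.168.240.68 anywhere PHYSDEV match --physdev-in vif-test01-INT --physdev-is-bridged
5 ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif-test01-TEST --physdev-is-bridged
6 ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif-test01-TEST --physdev-is-bridged udp spt:bootpc dpt:bootps
7 ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif-test01-TEST --physdev-is-bridged
8 ACCEPT all -- test01 anywhere PHYSDEV match --physdev-in vif-test01-TEST --physdev-is-bridged
33 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
"""


def parse_rules(listing):
    """Parse `iptables -L FORWARD --line-numbers` text into rule dicts."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].isdigit():
            continue  # chain header or blank line
        extra = " ".join(parts[6:])
        phys_in = re.search(r"--physdev-in (\S+)", extra)
        phys_out = re.search(r"--physdev-out (\S+)", extra)
        rules.append({"num": int(parts[0]), "target": parts[1], "src": parts[4],
                      "in": phys_in.group(1) if phys_in else None,
                      "out": phys_out.group(1) if phys_out else None,
                      "dhcp": "dpt:bootps" in extra,   # DHCP client->server rule
                      "body": " ".join(parts[1:])})    # rule text minus its number
    return rules


def audit(listing):
    """Return (rule number, finding) pairs for duplicated and unrestricted rules."""
    rules = parse_rules(listing)
    copies = Counter(r["body"] for r in rules)
    findings, reported = [], set()
    for r in rules:
        if copies[r["body"]] > 1 and r["body"] not in reported:
            dups = [x["num"] for x in rules if x["body"] == r["body"]]
            findings.append((r["num"], f"duplicate of rules {dups}"))
            reported.add(r["body"])
        if r["target"] != "ACCEPT" or r["src"] != "anywhere":
            continue
        if r["out"]:   # any source is forwarded towards this vif
            findings.append((r["num"], f"accepts any source towards {r['out']}"))
        elif r["in"] and not r["dhcp"]:   # egress from a vif with no source check
            findings.append((r["num"], f"no source restriction from {r['in']}"))
    return findings
```

Run against a live host with `audit(subprocess.check_output(["iptables", "-L", "FORWARD", "--line-numbers"], text=True))`; using `-n` as well keeps addresses numeric instead of resolved names like `test01`.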
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-users