WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Antispoof and HVM [SOLVED]

from [Andrey] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Antispoof and HVM [SOLVED]
From: Andrey <basketboy@xxxxx>
Date: Mon, 01 Mar 2010 00:58:28 +0300
Delivery-date: Sun, 28 Feb 2010 13:59:41 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4B8AD8FB.4030407@xxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4B8AD8FB.4030407@xxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.23 (X11/20090817)
Solved the problem. In hvm domU case iptables rule for corresponding tap interface should be added: 

 :INPUT ACCEPT [3126:359694]
 :FORWARD DROP [974:187815]
 :OUTPUT ACCEPT [973:266082]

 -A FORWARD -m physdev  --physdev-in peth1 -j ACCEPT
 -A FORWARD -m physdev  --physdev-in vif60.0 -j ACCEPT
 -A FORWARD -m physdev  --physdev-in tap60.0 -j ACCEPT

Andrey пишет:

Hello,

Does antispoof mechanism work in network-bridge with HVM domUs?
It seems no. There are the following iptables rules that were added after starting hvm domU with FreeBSD: 

:INPUT ACCEPT [3126:359694]
:FORWARD DROP [974:187815]
:OUTPUT ACCEPT [973:266082]

-A FORWARD -m physdev  --physdev-in peth1 -j ACCEPT
-A FORWARD -m physdev  --physdev-in vif60.0 -j ACCEPT
peth1 is the physical interface on domO which is connected to eth1 bridge, vif60.0 is domU interface. After starting hvm domU it is inacessible via network.
If I change default policy of FORWARD policy to accept everything is fine. With PV domUs current antispoof scheme works fine. 

Where is the problem?

With regards, Andrey

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users




_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-users] Antispoof and HVM, Andrey
Next by Date:  [Xen-users] slow dom0 write operations with 2.6.32 pv-ops and Xen4.0.0-rc4, benco
Previous by Thread:  [Xen-users] Antispoof and HVM, Andrey
Next by Thread:  [Xen-users] slow dom0 write operations with 2.6.32 pv-ops and Xen4.0.0-rc4, benco
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy