WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xense-devel] [RFC][PATCH][ACM] enforcing ACM policy on network traffic

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xense-devel] [RFC][PATCH][ACM] enforcing ACM policy on network traffic between virtual network interfaces
From: Reiner Sailer <sailer@xxxxxxxxxx>
Date: Thu, 31 Aug 2006 00:52:38 -0400
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 30 Aug 2006 21:53:09 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
This patch adds an ACM hook into the network scripts (/etc/xen/scripts). It adds iptables rules that enforce mandatory access control on network packets exchanged between virtual interfaces. If ACM is active, this patch sets the default FORWARD policy in Dom0 to DROP and adds iptables ACCEPT rules between vifs that belong to domains that are permitted to share (determined by using the get_decision ACM hypervisor call). If ACM is not active, this patch is transparent to the operation of networking in Xen.

This topic was discussed here <http://lists.xensource.com/archives/html/xen-devel/2006-07/msg01005.html> as were the implications. For example, the recent suggestion to move packets directly between physical and virtual interfaces to avoid running through the bridge <http://lists.xensource.com/archives/html/xen-devel/2006-08/msg01583.html>, would, if implemented, bypass this access control unless those new mechanisms call the netfilter hooks that are called by the bridge.

Attached are examples for iptables rulesets in bridging, routing, nat-ing network setups. Also attached the patch.

Please note that many iptables rules shown below could be collapsed if we assumed that all domains are permitted to talk to Domain0, i.e., all vifX.Y can communicate to vif0.Y. In this case, we can just add two rules saying in/out traffic through vif0.Y is always ACCEPTed. This patch does currently not leverage this simplification because we anticipate that Domain0 will become less powerful than it is today.

Comments welcome.

Thanks
Reiner

The following show examples of routes related to running domains. The policy is setup so that domains 1,4, and 5 are permitted to communicate among each other and all domains can communicate with Domain0. ACM enforcement-related iptables rules are moved into the FORWARD chain; any antispoof rules go into the INPUT chain.

Example with 1 bridge and 5 domains:
==========================
[root@941e-4 ~]# ip
Chain FORWARD (policy DROP 13 packets, 4302 bytes)
pkts bytes target prot opt in out source destination 5329 445K ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in peth0 1593 272K ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-out peth0 2 1152 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif1.0 --physdev-out vif0.0 178 18153 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif0.0 --physdev-out vif1.0 2 1152 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif2.0 --physdev-out vif0.0 142 15519 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif0.0 --physdev-out vif2.0 2 1152 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif3.0 --physdev-out vif0.0 98 12646 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif0.0 --physdev-out vif3.0 0 0 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif4.0 --physdev-out vif0.0 0 0 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif0.0 --physdev-out vif4.0 0 0 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif4.0 --physdev-out vif1.0 0 0 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif1.0 --physdev-out vif4.0 0 0 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif5.0 --physdev-out vif0.0 0 0 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif0.0 --physdev-out vif5.0 0 0 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif5.0 --physdev-out vif1.0 0 0 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif1.0 --physdev-out vif5.0 0 0 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif5.0 --physdev-out vif4.0 0 0 ACCEPT all -- any any anywhere anywhere PHYSDEV match --physdev-in vif4.0 --physdev-out vif5.0

Chain INPUT (policy ACCEPT 3343 packets, 312K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1595 packets, 269K bytes)
pkts bytes target prot opt in out source destination
[root@941e-4 ~]# xm list --label
Name                              ID Mem(MiB) VCPUs State  Time(s)  Label
domain1                            1      164     1 -b----     6.5  Avis
domain4                            4      164     1 -b----     6.6  Avis
domain5                            5      164     1 -b----     6.5  Avis
domain3                            3      164     1 -b----     6.6  CocaCola
domain2                            2      164     1 -b----     6.4  Hertz
Domain-0 0 1948 4 r----- 218.4 SystemManagement


Example for Nat:
============
[root@941e-4 ~]# iptables -L -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
   0     0 ACCEPT     all  --  eth0   any     anywhere             anywhere
   0     0 ACCEPT     all  --  any    eth0    anywhere             anywhere
   0     0 ACCEPT     all  --  vif4.0 vif1.0  anywhere             anywhere
   0     0 ACCEPT     all  --  vif1.0 vif4.0  anywhere             anywhere
   0     0 ACCEPT     all  --  vif5.0 vif1.0  anywhere             anywhere
   0     0 ACCEPT     all  --  vif1.0 vif5.0  anywhere             anywhere
   0     0 ACCEPT     all  --  vif5.0 vif4.0  anywhere             anywhere
   0     0 ACCEPT     all  --  vif4.0 vif5.0  anywhere             anywhere

Chain INPUT (policy ACCEPT 37165 packets, 4945K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 11709 packets, 7277K bytes)
pkts bytes target prot opt in out source destination
[root@941e-4 ~]# xm list --label
Name                              ID Mem(MiB) VCPUs State  Time(s)  Label
domain1                            1      164     1 -b----     0.3  Avis
domain4                            4      164     1 -b----     0.3  Avis
domain5                            5      164     1 -b----     0.3  Avis
domain3                            3      164     1 -b----     0.3  CocaCola
domain2                            2      164     1 -b----     0.3  Hertz
Domain-0 0 1948 4 r----- 319.9 SystemManagement


Example for Route (w/antispoof)
=======================
[root@941e-4 route]# ip
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
   0     0 ACCEPT     all  --  eth0   any     anywhere             anywhere
   0     0 ACCEPT     all  --  any    eth0    anywhere             anywhere
   0     0 ACCEPT     all  --  vif2.0 vif1.0  anywhere             anywhere
   0     0 ACCEPT     all  --  vif1.0 vif2.0  anywhere             anywhere
Chain INPUT (policy DROP 48 packets, 2880 bytes)
pkts bytes target prot opt in out source destination 17099 2070K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- vif1.0 * 9.2.15.138 0.0.0.0/0 0 0 ACCEPT all -- vif2.0 * 9.2.15.142 0.0.0.0/0 0 0 ACCEPT all -- vif3.0 * 9.2.15.139 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6792 packets, 3717K bytes)
pkts bytes target prot opt in out source destination
[root@941e-4 route]# xm list --label
Name                              ID Mem(MiB) VCPUs State  Time(s)  Label
domain1                            1      164     1 -b----     6.3  Avis
domain4                            2      164     1 -b----     0.3  Avis
domain2                            3      164     1 -b----     0.3  Hertz
Domain-0 0 1948 4 r----- 236.2 SystemManagement

Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx>


---
 tools/examples/Makefile       |    1 
 tools/examples/network-bridge |   11 +
 tools/examples/network-nat    |    2 
 tools/examples/network-route  |   40 ++++++
 tools/examples/vif-acm-hook   |  259 ++++++++++++++++++++++++++++++++++++++++++
 tools/examples/vif-bridge     |    2 
 tools/examples/vif-common.sh  |   12 +
 tools/examples/vif-nat        |    2 
 tools/examples/vif-route      |    2 
 9 files changed, 325 insertions(+), 6 deletions(-)

Index: xen-unstable.hg-shype/tools/examples/Makefile
===================================================================
--- xen-unstable.hg-shype.orig/tools/examples/Makefile
+++ xen-unstable.hg-shype/tools/examples/Makefile
@@ -32,6 +32,7 @@ XEN_SCRIPTS += blktap
 XEN_SCRIPTS += vtpm vtpm-delete
 XEN_SCRIPTS += xen-hotplug-cleanup
 XEN_SCRIPTS += external-device-migrate
+XEN_SCRIPTS += vif-acm-hook
 XEN_SCRIPT_DATA = xen-script-common.sh locking.sh logging.sh
 XEN_SCRIPT_DATA += xen-hotplug-common.sh xen-network-common.sh vif-common.sh
 XEN_SCRIPT_DATA += block-common.sh vtpm-common.sh vtpm-hotplug-common.sh
Index: xen-unstable.hg-shype/tools/examples/network-bridge
===================================================================
--- xen-unstable.hg-shype.orig/tools/examples/network-bridge
+++ xen-unstable.hg-shype/tools/examples/network-bridge
@@ -229,8 +229,13 @@ using loopback.nloopbacks=<N> on the dom
        transfer_routes ${netdev} ${bridge}
     fi
 
-    if [ ${antispoof} = 'yes' ] ; then
-       antispoofing
+    if [ `/etc/xen/scripts/vif-acm-hook "acm_on?"` != "OFF" ] ; then
+        echo /etc/xen/scripts/vif-acm-hook "network-bridge-up" "$pdev" 
"${antispoof:-no}"
+        /etc/xen/scripts/vif-acm-hook "network-bridge-up" "$pdev" 
"${antispoof:-no}"
+    else
+        if [ ${antispoof} = 'yes' ] ; then
+            antispoofing
+        fi
     fi
 }
 
@@ -267,6 +272,8 @@ op_stop () {
        ip link set ${bridge} down
     fi
     brctl delbr ${bridge}
+
+    /etc/xen/scripts/vif-acm-hook "network-bridge-down" "$pdev" 
"${antispoof:-no}"
 }
 
 # adds $dev to $bridge but waits for $dev to be in running state first
Index: xen-unstable.hg-shype/tools/examples/network-nat
===================================================================
--- xen-unstable.hg-shype.orig/tools/examples/network-nat
+++ xen-unstable.hg-shype/tools/examples/network-nat
@@ -71,12 +71,14 @@ op_start() {
        echo 1 >/proc/sys/net/ipv4/ip_forward
        iptables -t nat -A POSTROUTING -o ${netdev} -j MASQUERADE
         [ "$dhcp" != 'no' ] && dhcp_start
+        /etc/xen/scripts/vif-acm-hook "network-nat-up" "$netdev" 
"${antispoof:-no}"
 }
 
 
 op_stop() {
         [ "$dhcp" != 'no' ] && dhcp_stop
        iptables -t nat -D POSTROUTING -o ${netdev} -j MASQUERADE
+       /etc/xen/scripts/vif-acm-hook "network-nat-down" "$netdev" 
"${antispoof:-no}"
 }
 
 
Index: xen-unstable.hg-shype/tools/examples/network-route
===================================================================
--- xen-unstable.hg-shype.orig/tools/examples/network-route
+++ xen-unstable.hg-shype/tools/examples/network-route
@@ -16,4 +16,42 @@
 #
 #============================================================================
 
-echo 1 >/proc/sys/net/ipv4/ip_forward
+
+dir=$(dirname "$0")
+. "$dir/xen-script-common.sh"
+. "$dir/xen-network-common.sh"
+
+findCommand "$@"
+evalVariables "$@"
+
+show_status() {
+    echo '============================================================'
+    ifconfig
+    echo ' '
+    ip route list
+    echo ' '
+    route -n
+    echo '============================================================'
+
+}
+
+case "$command" in
+    start)
+        echo 1 >/proc/sys/net/ipv4/ip_forward
+        /etc/xen/scripts/vif-acm-hook "network-route-up" "${netdev:-eth0}" 
"${antispoof:-yes}"
+        ;;
+
+    stop)
+        echo 0 >/proc/sys/net/ipv4/ip_forward
+        /etc/xen/scripts/vif-acm-hook "network-route-down" "${netdev:-eth0}" 
"${antispoof:-yes}"
+        ;;
+
+    status)
+        show_status
+       ;;
+
+    *)
+       echo "Unknown command: $command" >&2
+       echo 'Valid commands are: start, stop, status' >&2
+       exit 1
+esac
Index: xen-unstable.hg-shype/tools/examples/vif-acm-hook
===================================================================
--- /dev/null
+++ xen-unstable.hg-shype/tools/examples/vif-acm-hook
@@ -0,0 +1,259 @@
+#!/usr/bin/env python
+#  -*- mode: python; -*-
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#============================================================================
+# Copyright (C) 2006 International Business Machines Corp.
+# Author: Reiner Sailer <sailer@xxxxxxxxxx>
+#============================================================================
+# Arguments:
+#
+#
+# 1 arg [1]commands  - "acm_on?"
+#
+# 3 arg [1]commands  - "network-nat-up"/"network-nat-down"
+#                      "network-bridge-up"/"network-brigde-down"
+#                      "network-route-up"/"network-route-down"
+#       [2]netdev    - usually "pethX" or "ethX"
+#       [3]antispoof - "yes/no"
+#
+# 4-5 arg
+#       [1]commands  - "online/offline" ,
+#       [2]vif       - "usually "ethX" or "vif0.X"
+#       [3]antispoof - "yes/no" ('yes' not supported yet everywhere!)
+#       [4]type      - "nat/bridge/route",
+#       [5]ip adrs   - list of static ip addresses (required for antispoof)
+##
+
+"""Set IP filters betwen virtual interfaces if ACM security is ON
+"""
+import sys, commands, string
+sys.path.insert(-1, '/usr/lib/python')
+sys.path.insert(-1, '/usr/lib64/python')
+from xen.util import security
+
+
+def do_command(c, ignore_error):
+    print c
+    (ret, output) = commands.getstatusoutput(c)
+    if ret and not ignore_error:
+        sys.exit(-1)
+    return output
+
+
+def vif2domid(vif):
+    tmp = string.split(vif, ".")[0]
+    return int(tmp[len("vif"):])
+
+
+def getOnlineVifs():
+    # create list of existing user domain vifX.Y
+    viflist = []
+    listcommand = "/sbin/ifconfig | /bin/grep \"Link encap\" | /bin/grep 
\"vif\""
+    output = do_command(listcommand, "Reading vif interfaces.")
+    if output == '':
+        return []
+    for line in string.split(output, "\n"):
+        upvif = string.split(line, " ")[0]
+        viflist.append(upvif)
+    return viflist
+
+
+##
+#
+# BRIDGING ACM IPTABLES SUPPORT
+#
+# antispoof: antispoof=yes -> DomU interfaces without pre-set IP cannot 
send/start
+#
+
+#default to DROP, allow in/out from/to peth (network)
+# -- Later REDIRECT external traffic to create secure labeled tunnel
+def network_bridge_up(netdev, antispoof):
+    print "netdev=%s, antispoof=%s" % (netdev, antispoof)
+    vifDom0="vif0." + netdev[4:]
+    #FORWARD becomes the MAC enforcement for domU traffic
+    do_command("/sbin/iptables -P FORWARD DROP", False)
+    do_command("/sbin/iptables -A FORWARD -m physdev --physdev-in %s   -j 
ACCEPT" % netdev, False)
+    do_command("/sbin/iptables -A FORWARD -m physdev --physdev-out %s  -j 
ACCEPT" % netdev, False)
+
+    #INPUT implements antispoof
+    if (antispoof != "no"):
+        do_command("/sbin/iptables -P INPUT DROP", False)
+        do_command("/sbin/iptables -A INPUT -m physdev --physdev-in %s  -j 
ACCEPT" % netdev, False)
+        do_command("/sbin/iptables -A INPUT -m physdev --physdev-in %s  -j 
ACCEPT" % vifDom0, False)
+    return
+
+
+def network_bridge_down(netdev, antispoof):
+    vifDom0="vif0." + netdev[4:]
+    # leave drop policy in case there are other bridges
+    do_command("/sbin/iptables -D FORWARD -m physdev --physdev-in %s  -j 
ACCEPT" % netdev, True)
+    do_command("/sbin/iptables -D FORWARD -m physdev --physdev-out %s -j 
ACCEPT" % netdev, True)
+
+    if (antispoof != "no"):
+        do_command("/sbin/iptables -D INPUT -m physdev --physdev-in %s  -j 
ACCEPT" % netdev, True)
+        do_command("/sbin/iptables -D INPUT -m physdev --physdev-in %s  -j 
ACCEPT" % vifDom0, True)
+    return
+
+
+####
+#
+# NAT IPTABLES SUPPORT
+#
+def network_nat_up(netdev, antispoof):
+    if antispoof == 'yes': #not supported
+        sys.exit(-1)
+    do_command("/sbin/iptables -P FORWARD DROP", False)
+    do_command("/sbin/iptables -A FORWARD -i %s -j ACCEPT" % netdev, False)
+    do_command("/sbin/iptables -A FORWARD -o %s -j ACCEPT" % netdev, False)
+    return
+
+
+def network_nat_down(netdev, antispoof):
+    if antispoof == 'yes': #not supported
+        sys.exit(-1)
+    do_command("/sbin/iptables -D FORWARD -i %s -j ACCEPT" % netdev, True)
+    do_command("/sbin/iptables -D FORWARD -o %s -j ACCEPT" % netdev, True)
+    return
+
+
+####
+#
+# ROUTING IPTABLES SUPPORT
+#
+def network_route_up(netdev, antispoof):
+    do_command("/sbin/iptables -P FORWARD DROP", False)
+    do_command("/sbin/iptables -A FORWARD -i %s -j ACCEPT" % netdev, False)
+    do_command("/sbin/iptables -A FORWARD -o %s -j ACCEPT" % netdev, False)
+
+    if (antispoof != "no"):
+        do_command("/sbin/iptables -P INPUT DROP", False)
+        do_command("/sbin/iptables -A INPUT -i %s  -j ACCEPT" % netdev, False)
+    return
+
+def network_route_down(netdev, antispoof):
+    do_command("/sbin/iptables -D FORWARD -i %s -j ACCEPT" % netdev, True)
+    do_command("/sbin/iptables -D FORWARD -o %s -j ACCEPT" % netdev, True)
+
+    if (antispoof != "no"):
+        do_command("/sbin/iptables -D INPUT -i %s -j ACCEPT" % netdev, True)
+    return
+
+##
+# maintain_mac_filters
+#
+#    Sets/unsets 'filter' between all existing vifs and 'newviw'
+#    depending on the hypervisor policy (security.get_decision)
+#
+def maintain_filters(mac_filter, as_filter, action, newvif, antispoof, ips, 
viflist):
+    if (action == "online"):
+        (cmd, ignore_error) = ("-A", False)
+    else:
+        (cmd, ignore_error) = ("-D", True)
+
+    print viflist
+
+    for vif in viflist:
+        if (vif == newvif):
+            continue
+        newvifid = vif2domid(newvif)
+        vifid = vif2domid(vif)
+        if (action == "online"):
+            #  only allow traffic to other vif interfaces if Xen/ACM permits 
this
+            if (security.get_decision(['domid', vifid], ['domid', newvifid]) 
== "PERMITTED"):
+                do_command(mac_filter % (cmd, newvif, vif), ignore_error)
+                do_command(mac_filter % (cmd, vif, newvif), ignore_error)
+        else:
+            # offline --> domains gone -> no decisions possible, just delete 
all possibly set related filters
+            do_command(mac_filter % (cmd, newvif, vif), ignore_error)
+            do_command(mac_filter % (cmd, vif, newvif), ignore_error)
+
+    #support antispoof only with static ip (s)
+    if (antispoof != "no"):
+        for ip in ips:
+             do_command(as_filter % (cmd, ip, newvif), ignore_error)
+    return
+
+
+def vifupdown(argv):
+    (command, newvif, antispoof, fwtype) = (argv[1], argv[2], argv[3], argv[4])
+    if len(argv) > 5:
+        ips = string.split(argv[5], " ")
+    else:
+        ips = []
+
+    if  (fwtype   == "bridge"):
+        mac_filter = "/sbin/iptables %s FORWARD -m physdev --physdev-in %s 
--physdev-out %s -j ACCEPT"
+        as_filter = "/sbin/iptables %s INPUT --source %s -m physdev 
--physdev-in %s -j ACCEPT"
+
+    elif (fwtype == "nat"):
+        mac_filter = "/sbin/iptables %s FORWARD -i %s -o %s -j ACCEPT"
+        as_filter = ""
+
+    elif (fwtype == "route"):
+        mac_filter = "/sbin/iptables %s FORWARD -i %s -o %s -j ACCEPT"
+        as_filter = "/sbin/iptables %s INPUT --source %s -i %s -j ACCEPT"
+
+    else:
+        sys.exit(-1)
+
+    maintain_filters(mac_filter, as_filter, command, newvif, antispoof, ips, 
getOnlineVifs())
+    return
+
+
+def main (argv):
+    if len(argv) < 2:
+        sys.exit(-1)
+
+    if argv[1] == 'acm_on?':
+        if security.on():
+            print 'ON'
+        else:
+            print 'OFF'
+        return
+
+    if not security.on():
+        # nothing to do
+        return
+
+    if len(argv) < 4:
+        sys.exit(-1)
+    # following hooks are activated once when the network is setup/shutdown
+    if   argv[1] == "network-bridge-up":
+        network_bridge_up(argv[2], argv[3])
+    elif argv[1] == "network-bridge-down":
+        network_bridge_down(argv[2], argv[3])
+    elif argv[1] == "network-route-up":
+        network_route_up(argv[2], argv[3])
+    elif argv[1] == "network-route-down":
+        network_route_down(argv[2], argv[3])
+    elif argv[1]   == "network-nat-up":
+        network_nat_up(argv[2], argv[3])
+    elif argv[1] == "network-nat-down":
+        network_nat_down(argv[2], argv[3])
+
+    # following hooks are activated whenever an interface goes online/offline
+    elif argv[1] in ["online", "offline"]:
+        if (len(argv) < 5) or (argv[4] not in ['nat', 'bridge', 'route']) or \
+           (argv[3] not in ['yes', 'no']):
+            sys.exit(-1)
+        vifupdown(argv)
+    else:
+        #illegal command
+        sys.exit(-1)
+    return
+
+
+if __name__ == '__main__':
+    main(sys.argv)
Index: xen-unstable.hg-shype/tools/examples/vif-bridge
===================================================================
--- xen-unstable.hg-shype.orig/tools/examples/vif-bridge
+++ xen-unstable.hg-shype/tools/examples/vif-bridge
@@ -58,7 +58,7 @@ case "$command" in
         ;;
 esac
 
-handle_iptable
+generic_handle_iptable "bridge"
 
 log debug "Successful vif-bridge $command for $vif, bridge $bridge."
 if [ "$command" == "online" ]
Index: xen-unstable.hg-shype/tools/examples/vif-common.sh
===================================================================
--- xen-unstable.hg-shype.orig/tools/examples/vif-common.sh
+++ xen-unstable.hg-shype/tools/examples/vif-common.sh
@@ -116,6 +116,18 @@ function handle_iptable()
   fi
 }
 
+function generic_handle_iptable()
+{
+  if [ $1 == "route" ] ; then
+      antispoof=${antispoof:-yes}
+  fi
+
+  if [ `/etc/xen/scripts/vif-acm-hook "acm_on?"` != "OFF" ] ; then
+      /etc/xen/scripts/vif-acm-hook "$command" "$vif" "${antispoof:-no}" 
"${1:-illegal}" "$ip"
+  else
+      handle_iptable
+  fi
+}
 
 ##
 # ip_of interface
Index: xen-unstable.hg-shype/tools/examples/vif-nat
===================================================================
--- xen-unstable.hg-shype.orig/tools/examples/vif-nat
+++ xen-unstable.hg-shype/tools/examples/vif-nat
@@ -149,7 +149,7 @@ case "$command" in
 esac
 
 
-handle_iptable
+generic_handle_iptable "nat"
 
 log debug "Successful vif-nat $command for $vif."
 if [ "$command" == "online" ]
Index: xen-unstable.hg-shype/tools/examples/vif-route
===================================================================
--- xen-unstable.hg-shype.orig/tools/examples/vif-route
+++ xen-unstable.hg-shype/tools/examples/vif-route
@@ -47,7 +47,7 @@ if [ "${ip}" ] ; then
     done 
 fi
 
-handle_iptable
+generic_handle_iptable "route"
 
 log debug "Successful vif-route $command for $vif."
 if [ "$command" == "online" ]
_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
<Prev in Thread] Current Thread [Next in Thread>
  • [Xense-devel] [RFC][PATCH][ACM] enforcing ACM policy on network traffic between virtual network interfaces, Reiner Sailer <=