This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] vif-antispoof

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] vif-antispoof
From: Mats Engstrom <mats.engstrom@xxxxxxxxx>
Date: Tue, 1 Nov 2005 23:31:08 +0100
Hi Dirk,

I also had problems getting it to work when I tried it some months ago. As far as I can remember I had just the same symptoms as you.

In order to have the iptables correctly set up by vif-bridge in antispoof mode, the kernel must have the physdev option in the netfilter section enabled and/or loaded as a module. When compiled into the kernel, the line in the .config file should look like this:

   CONFIG_IP_NF_MATCH_PHYSDEV=y

After recompiling and installing a new Dom0-kernel it worked just fine.

On 11/1/05, Dirk H. Schulz <dirk.schulz@xxxxxxxxxxxxx> wrote:
Hi folks,

I started testing the antispoof feature of xen stable (2.0.7). I am
stuck with it.

I have set up a standard bridged environment.

I understood it like this: in domU config I set up the virtual NIC like

   vif = [ 'mac=ae:00:00:78:78:78, ip= ' ]

Then I configure /etc/network/interface of this domU to show the same IP
address for eth0.

After restarting the physical machine with xend-config.sxp saying
   (vif-antispoof      yes)

the domU should still be able to reach everything like it did before.
But it does not. From domU I can ping the bridge it is connected to
(that is, eth0 of dom0), but I cannot ping any other host on the same
subnet the physical machine is on nor any host on the internet.

There is something I am overlooking, right?

Any hint or help would be greatly appreciated. I have googled and looked
in the docs, but found nothing.


Xen-users mailing list

Mats Engstrom, Nerdlabs Consulting , http://www.nerdlabs.se
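
The kernel requirement from the reply above can be checked before turning on `(vif-antispoof yes)`. The script below is an added example, not part of the original thread or of Xen's scripts: it reads a kernel config file and reports whether the physdev match is built in, built as a module, or missing. The function names are hypothetical, the sample config lines are constructed, and the second symbol checked is the name later kernels use for the same option.

```shell
#!/bin/sh
# Added example: report whether a kernel config enables the netfilter
# physdev match that antispoof mode depends on.

# Print the state of config symbol $2 in config file $1:
#   builtin (=y), module (=m) or missing (unset, absent, unreadable file).
physdev_symbol_state() {
    cfg=$1; sym=$2
    # Read gzip-compressed configs (e.g. /proc/config.gz) transparently.
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # "# CONFIG_X is not set" lines do not match, so they count as missing.
    line=$($reader "$cfg" 2>/dev/null | grep -E "^${sym}=[ym]\$" | tail -n 1) || true
    case $line in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo missing ;;
    esac
}

# Check the symbol named in the thread first, then the later-kernel name.
physdev_state() {
    for sym in CONFIG_IP_NF_MATCH_PHYSDEV CONFIG_NETFILTER_XT_MATCH_PHYSDEV; do
        state=$(physdev_symbol_state "$1" "$sym")
        if [ "$state" != missing ]; then
            echo "$state"
            return 0
        fi
    done
    echo missing
}

# Constructed sample configs (not taken from a real kernel build).
sample=$(mktemp)
printf '%s\n' 'CONFIG_NETFILTER=y' '# CONFIG_IP_NF_MATCH_PHYSDEV is not set' > "$sample"
echo "before rebuild: $(physdev_state "$sample")"   # missing
printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_IP_NF_MATCH_PHYSDEV=y' > "$sample"
echo "after rebuild:  $(physdev_state "$sample")"   # builtin
rm -f "$sample"
```

On a real Dom0, pass the path of the config the running kernel was built from. A result of `module` means the module still has to be loaded before vif-bridge sets up its rules.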