WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] ebtables tying mac to ip problem

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] ebtables tying mac to ip problem
From: Rafał Kupka <rkupka+Listy.Xen@xxxxxxxxxxxxx>
Date: Fri, 3 Apr 2009 11:30:09 +0200
Delivery-date: Fri, 03 Apr 2009 02:30:52 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <49D26363.2050307@xxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Mail-followup-to: xen-users@xxxxxxxxxxxxxxxxxxx
References: <49D26363.2050307@xxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.18 (2008-05-17)
On Tue, Mar 31, 2009 at 07:39:31PM +0100, David Markey wrote:
Hi,

> I'm trying to tie mac addresses to IP addresses to stop ip and mac
> spoofing on my xen host running debian5.0 amd64. I've been trying to
> follow http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600
> <http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600>

That's based on a quite non-standard Xen network setup:
- dom0 as a router,
  two interfaces: eth0 (outside) and xen-br0 (private network) for the Xen
  domUs
- domU during startup joins xen-br0
- dom0 does NAT, firewalling and finally forwards the domUs' traffic over the
  eth0 connection to the Internet

My old email in URL above lacks such information, sorry.

> The DomU's network gets blocked both inward and outward.

I think that there is yet another problem with dom0 connectivity. Is bridge
eth0 in your setup shared by the Dom0 interface and the DomUs' vifs?

> I've patched my vif-bridge with the instructions on that page and they
> seem to be applied correctly.
> 
> The network is a simple 10.0.0.0 network with eth0(10.0.0.5) bridge with
> peth0 as the physical interface.

That's the difference that matters -- the ebtables rules block dom0 ARP, and
any traffic from peth0.

> These are the commands I issued at the start

Please try to extend those initial rules by permitting traffic from
peth0. Untested, but it should help.

> Paris:~# /sbin/ebtables -N eth0
> Paris:~# /sbin/ebtables -A eth0 --log-level notice --log-prefix "eth0"
> --log-ip --log-arp -j DROP

/sbin/ebtables -A INPUT --logical-in peth0 -j ACCEPT

> Paris:~# /sbin/ebtables -A INPUT --logical-in eth0 -j eth0

/sbin/ebtables -A FORWARD --logical-in peth0 -j ACCEPT

> Paris:~# /sbin/ebtables -A FORWARD --logical-in eth0 -j eth0
> Paris:~# /sbin/ebtables -P INPUT DROP
> Paris:~# /sbin/ebtables -P FORWARD DROP

> Log:
> 
> [19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01
> MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800,
> OPCODE=2 ARP MAC SRC=00:e0:81:71:9b:01  ARP IP SRC=10.0.0.6 ARP MAC
> DST=00:16:3e:0c:8f:80  ARP IP DST=10.0.0.254

The packet came from interface peth0 (IN=peth0); there were no rules for that
interface before.

Kupson
-- 
Great software without the knowledge to run it is pretty useless.
(Linux Gazette #1)
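Added example (not from this thread, and not the vif-bridge script's own code): a small POSIX shell generator for the kind of ruleset discussed above, in a bridged layout with bridge eth0, physical port peth0 and domU ports vifN.0. It accepts dom0's own frames arriving on the peth0 port first, then locks each vif to one MAC/IP pair and logs anything else. It uses `-i` (bridge port match) rather than `--logical-in` (bridge name match) for peth0, which is an assumption about the intended semantics; the chain name, validation helpers and the sample vif/MAC/IP values are constructed.

```shell
#!/bin/sh
# Emit an ebtables ruleset: accept dom0 traffic from bridge port peth0, then
# lock each domU vif to its assigned MAC and IP. Prints commands only; review
# the output and pipe it to sh as root to apply. Static addressing assumed:
# a DHCP discover (IP src 0.0.0.0) from a domU would be dropped by these rules.
EBT=/sbin/ebtables

valid_mac() {   # six colon-separated hex octets
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_ip() {    # dotted quad, each octet 0-255
    octet='([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
    printf '%s' "$1" | grep -Eq "^($octet\.){3}$octet\$"
}

# Host-wide rules. Frames from dom0 itself enter the bridge via port peth0,
# which the thread's original ruleset dropped; accept them before anything
# else. "-i" matches the bridge port, "--logical-in" would match bridge eth0.
base_rules() {
    cat <<EOF
$EBT -P INPUT DROP
$EBT -P FORWARD DROP
$EBT -A INPUT -i peth0 -j ACCEPT
$EBT -A FORWARD -i peth0 -j ACCEPT
EOF
}

# Per-vif chain: only ARP and IPv4 frames carrying the assigned MAC/IP pair
# pass; everything else is logged (visible in dmesg) and dropped.
# Returns 1 without printing anything if the MAC or IP is malformed.
vif_rules() {
    vif=$1 mac=$2 ip=$3
    valid_mac "$mac" && valid_ip "$ip" || return 1
    chain="lock_$vif"
    cat <<EOF
$EBT -N $chain
$EBT -A $chain -p ARP --arp-mac-src $mac --arp-ip-src $ip -j ACCEPT
$EBT -A $chain -p IPv4 -s $mac --ip-src $ip -j ACCEPT
$EBT -A $chain --log-level notice --log-prefix "$vif" --log-ip --log-arp -j DROP
$EBT -A INPUT -i $vif -j $chain
$EBT -A FORWARD -i $vif -j $chain
EOF
}

# Constructed invocation: sh lock-vif.sh vif8.0 00:16:3e:0c:8f:80 10.0.0.254
if [ "$#" -eq 3 ]; then
    base_rules
    vif_rules "$1" "$2" "$3"
fi
```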
