Hi all,
I am testing on the IP address antispoof function in Xen.
Finally, I got it working on Xen 3.0 on CentOS 5.4. This is the original version that comes with CentOS.
What I need to do is:
1) For DomU config, add vif = [ "ip=11.1.1.1,mac=00:16:36:23:9e:bd,bridge=xenbr0"]
2) Under /etc/xen/xend-config.sxp, I need to append antispoof=yes to the end of the "network-script"
(network-script 'network-bridge antispoof=yes')
3) sysctl -w net.bridge.bridge-nf-call-iptables=1 in order to allow forwarding to use iptables.
I observed that when I start a new domain with the ip defined in vif, it will add an iptables rule under the FORWARD section automatically. This makes IP anti-spoof work.
However, when I upgrade Xen 3 to Xen 3.4.2, the above function is not working. I found out that the iptables rule under network-bridge has changed.
For the anti-spoof section of the network-bridge script of Xen 3.4.2, it has removed
"iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT".
Xen 3.0 anti-spoof section:

    # Set the default forwarding policy for $dev to drop.
    # Allow forwarding to the bridge.
    antispoofing () {
        iptables -P FORWARD DROP
        iptables -F FORWARD
        iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
        iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT
    }
Xen 3.4.2 anti-spoof section:

    # Set the default forwarding policy for $dev to drop.
    # Allow forwarding to the bridge.
    antispoofing () {
        iptables -P FORWARD DROP
        iptables -F FORWARD
        iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
    }
Any reason for Xen 3.4.2 to remove this filtering rule? Is it safe for me to add this rule to Xen 3.4.2 in order to make anti-spoof work?
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
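Added example (not from the post above and not Xen's own network-bridge or vif-bridge code): a dry-run generator for the FORWARD rule set the two script versions build, so the difference can be reviewed without touching a live bridge. It emits the 3.0 shape when a dom0 vif is given and the 3.4.2 shape when that argument is empty, and appends per-guest rules that pin each vif to its configured source IP (the antispoof property the post relies on). The device names, the `vif=ip` argument form and the exact shape of the per-guest rule are assumptions; the post only states that a FORWARD rule appears when a domain starts.

```shell
#!/bin/sh
# Added example, not from the original post or Xen's scripts.
# Prints the iptables commands instead of running them, so the rule set
# can be inspected (or piped to sh on a test host) without side effects.
#
# Usage: emit_antispoof_rules <pdev> <dom0-vif-or-empty> [vif=ip ...]
#   emit_antispoof_rules peth0 vif0.0 vif1.0=11.1.1.1   # Xen 3.0 shape
#   emit_antispoof_rules peth0 ''     vif1.0=11.1.1.1   # Xen 3.4.2 shape
# Names like peth0, vif0.0 and vif1.0 are constructed sample values.

emit_antispoof_rules() {
    pdev=$1
    vif0=$2
    shift 2
    # Default policy drops anything the bridge would forward unless a rule accepts it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Frames entering from the physical uplink are always accepted.
    echo "iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT"
    # Xen 3.0 also accepted frames entering from dom0's vif0; 3.4.2 omits this line.
    if [ -n "$vif0" ]; then
        echo "iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT"
    fi
    # Per-guest rules (assumed shape): only the configured source IP may enter the
    # bridge from that vif; any other source address falls through to DROP.
    # Matching -s on bridged traffic needs net.bridge.bridge-nf-call-iptables=1.
    for pair in "$@"; do
        vif=${pair%%=*}
        ip=${pair#*=}
        echo "iptables -A FORWARD -m physdev --physdev-in ${vif} -s ${ip} -j ACCEPT"
        echo "iptables -A FORWARD -m physdev --physdev-out ${vif} -j ACCEPT"
    done
}

# Number of ports accepted with no source-address restriction, i.e. the
# "trusted" ingress points. Useful for checking what adding the vif0 rule
# back to the 3.4.2 script actually widens.
count_unrestricted_ports() {
    emit_antispoof_rules "$@" | grep -c -- '--physdev-in [^ ]* -j ACCEPT$'
}
```

Run with the arguments shown in the header comment and compare the two outputs: the only difference between the shapes is the unrestricted accept for the dom0 vif, while the per-guest `-s` rules are what actually enforce the guest's configured address.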