Hi all,
I am testing on the IP address antispoof function in Xen.
Finally, I make it working on Xen3.0 on CentOS5.4. This is the
original version come with CenOS.
What I need to do is : -
1) For DomU config, add vif = [
"ip=11.1.1.1,mac=00:16:36:23:9e:bd,bridge=xenbr0"]
2) Under /etc/xen/xend-config.sxp, I need to append
antispoof=yes to the end of the "network-script"
(network-script 'network-bridge antispoof=yes')
3) sysctl -w "net.bridge.bridge-nf-call-iptables=1 in order to
allow forwarding to use iptables.
I observed that when I start a new domain with the ip defined in
vif, it will add an iptables rule under Forward section automatically.
This make IP anti-spoof working.
However, when I upgrade Xen3 to Xen 3.4.2, the above functions
is not working. I found out that the iptables rule under
network-bridge has changed
For anti-spoof sectionin of network-bridge script of xen3.4.2,
it has removed
"iptables -A FORWARD -m physdev --physdev-in ${vif0} -j
ACCEPT".
Xen 3.0 anti-spoof section,
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT
}
Xen3.4.2 anti-spoof section
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
}
Any reason for Xen3.4.2 to remove this filtering rule? Is it
safe that I add this rule to Xen3.4.2 in order to make anti-spoof
working?
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
Home