WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] ip antispoof in Xen 3.4.2

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] ip antispoof in Xen 3.4.2
From: Felix Kuperjans <felix@xxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Jun 2010 23:10:25 +0200
Delivery-date: Wed, 23 Jun 2010 14:13:22 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <AANLkTillxCN_mDr3NgZljw_E79U208Yj44qGYhVBcvbM@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <AANLkTillxCN_mDr3NgZljw_E79U208Yj44qGYhVBcvbM@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100613 Shredder/3.0.4
Hi KC LO,

The rules should work with XEN 3.4.2 or even XEN 4.0.0 as well, as they rely on the bridging code in the kernel, which is not dependent on the XEN version.

I've got no idea why this behaviour has changed, but if the old behaviour is ok for you, you should be able to use those rules manually.

Regards,
Felix

P.S.: Those rules will not really deny IP / ARP spoofing at all...

Am 23.06.2010 21:49, schrieb KC LO:
Hi all,
 
I am testing on the IP address antispoof function in Xen.
Finally, I make it working on Xen3.0 on CentOS5.4.  This is the original version come with CenOS.
 
What I need to do is : -
1) For DomU config, add vif = [ "ip=11.1.1.1,mac=00:16:36:23:9e:bd,bridge=xenbr0"]
2) Under /etc/xen/xend-config.sxp, I need to append antispoof=yes to the end of the "network-script"
(network-script 'network-bridge antispoof=yes')
3) sysctl -w "net.bridge.bridge-nf-call-iptables=1 in order to allow forwarding to use iptables.
 
I observed that when I start a new domain with the ip defined in vif, it will add an iptables rule under Forward section automatically.  This make IP anti-spoof working.
 
However, when I upgrade Xen3 to Xen 3.4.2, the above functions is not working.  I found out that the iptables rule under network-bridge has changed
 
For anti-spoof sectionin of network-bridge script of xen3.4.2, it has removed
 
"iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT". 
 
Xen 3.0 anti-spoof section,
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT
}
Xen3.4.2 anti-spoof section
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
}
 
Any reason for Xen3.4.2 to remove this filtering rule?  Is it safe that I add this rule to Xen3.4.2 in order to make anti-spoof working?
_______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
<Prev in Thread] Current Thread [Next in Thread>