This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] ebtables tying mac to ip problem

Thanks for the insight,

Unfortunately I still can't get it to work. It seems to be a problem with /sbin/ebtables -P FORWARD DROP

If I change this to /sbin/ebtables -P FORWARD then it starts working again, but I can change the IP address etc. on the guest

Does the vif-bridge patch still apply for this setup?

Will I start from scratch and try to build up a set of rules for this situation? I'm sure this will fit most Xen networking situations, as this setup is popular.


On Fri, Apr 3, 2009 at 10:30 AM, Rafał Kupka <rkupka+Listy.Xen@xxxxxxxxxxxxx> wrote:
On Tue, Mar 31, 2009 at 07:39:31PM +0100, David Markey wrote:

> I'm trying to tie mac addresses to IP addresses to stop ip and mac
> spoofing on my xen host running debian5.0 amd64. I've been trying to
> follow http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600

That's based on a quite non-standard Xen network setup:
- dom0 as a router, with two interfaces: eth0 (outside) and xen-br0
 (private network) for Xen
- domU joins xen-br0 during startup
- dom0 does NAT and firewalling and finally forwards the domUs' traffic
 to the Internet via the eth0 connection

My old email at the URL above lacks this information, sorry.

> The DomU's network gets blocked both inward and outward.

I think that there is yet another problem with dom0 connectivity. Is the
bridge eth0 in your setup shared by the dom0 interface and the domUs' vifs?

> I've patched my vif-bridge with the instructions on that page and they
> seem to be applied correctly.
> The network is a simple network with eth0 (bridge) with
> peth0 as the physical interface.

That's the difference that matters: the ebtables rules block dom0 ARP and
any traffic from peth0.

> These are the commands I issued at the start

Please try to extend those initial rules by permitting traffic from
peth0. Untested, but it should help.

> Paris:~# /sbin/ebtables -N eth0
> Paris:~# /sbin/ebtables -A eth0 --log-level notice --log-prefix "eth0"
> --log-ip --log-arp -j DROP

/sbin/ebtables -A INPUT --logical-in peth0 -j ACCEPT

> Paris:~# /sbin/ebtables -A INPUT --logical-in eth0 -j eth0

/sbin/ebtables -A FORWARD --logical-in peth0 -j ACCEPT

> Paris:~# /sbin/ebtables -A FORWARD --logical-in eth0 -j eth0
> Paris:~# /sbin/ebtables -P INPUT DROP
> Paris:~# /sbin/ebtables -P FORWARD DROP

> Log:
> [19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01
> MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800,
> DST=00:16:3e:0c:8f:80  ARP IP DST=

A packet from interface peth0 (IN=peth0); there were no rules for that
interface before.

Great software without the knowledge to run it is pretty useless.
(Linux Gazette #1)

Xen-users mailing list
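The rules the thread is circling around, put together as a complete script. This is an added example, not code from the thread, from Xen's vif-bridge script or from the patch linked above. It assumes the bridged setup David describes (bridge eth0 with peth0 as the physical port); the vif names, MACs and addresses in build_ruleset are made up for illustration. Each domU vif gets its own ebtables chain that drops any frame whose source MAC, IPv4 source or ARP sender fields differ from the pair assigned to it, frames arriving from peth0 are accepted outright, and only then does FORWARD get a DROP policy. The physical port is matched with -i (the bridge port, which is what the log line's IN=peth0 shows), since --logical-in matches the bridge name, here eth0, rather than a port.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xen's vif-bridge script.
# Builds an ebtables ruleset that pins each domU vif to one MAC and one IPv4
# address on a Xen bridge while leaving the physical port open, so that the
# FORWARD DROP policy does not cut off dom0 and the outside world.
#
# Assumed names (not from the original mails): bridge "eth0" whose physical
# port is "peth0"; the vif names, MACs and IPs in build_ruleset are made up.
# Set EBTABLES="echo /sbin/ebtables" to print the rules instead of applying them.

EBTABLES=${EBTABLES:-/sbin/ebtables}

ebt() {
    # Unquoted on purpose so EBTABLES may hold "echo /sbin/ebtables" for dry runs.
    $EBTABLES "$@"
}

# Logging drop target, as in the thread: log IP and ARP details, then drop.
make_log_chain() {
    ebt -N log_drop
    ebt -A log_drop --log-level notice --log-prefix "ebt-drop" --log-ip --log-arp -j DROP
}

# allow_physical PORT: frames entering the bridge from the physical port are
# not what we police. -i matches the bridge port (IN=peth0 in the log line);
# --logical-in would match the bridge itself (eth0).
allow_physical() {
    ebt -A FORWARD -i "$1" -j ACCEPT
}

# pin_vif VIF MAC IP: per-vif chain; only frames carrying exactly this MAC and
# IP (in the IPv4 header and in the ARP sender fields) may leave the vif.
pin_vif() {
    vif=$1; mac=$2; ip=$3
    ebt -N "$vif"
    # Frame source MAC must be the assigned one (covers IPv4, ARP and anything else).
    ebt -A "$vif" -s ! "$mac" -j log_drop
    # IPv4: source address must be the assigned one.
    ebt -A "$vif" -p IPv4 --ip-src ! "$ip" -j log_drop
    # ARP: sender IP and sender MAC inside the ARP payload must match too;
    # otherwise a guest can poison neighbours' ARP caches behind a valid frame MAC.
    ebt -A "$vif" -p ARP --arp-ip-src ! "$ip" -j log_drop
    ebt -A "$vif" -p ARP --arp-mac-src ! "$mac" -j log_drop
    # Only IPv4 and ARP may leave the vif; other ethertypes (IPv6, VLAN tags) are dropped.
    ebt -A "$vif" -p IPv4 -j ACCEPT
    ebt -A "$vif" -p ARP -j ACCEPT
    ebt -A "$vif" -j log_drop
    # Hook the chain up: frames entering the bridge on this vif go through it.
    ebt -A FORWARD -i "$vif" -j "$vif"
}

# Order matters: the physical-port ACCEPT and the per-vif chains must exist
# before FORWARD's policy becomes DROP, or everything not yet matched is lost.
build_ruleset() {
    make_log_chain
    allow_physical peth0
    pin_vif vif1.0 00:16:3e:00:00:01 192.0.2.11   # constructed sample guests
    pin_vif vif2.0 00:16:3e:00:00:02 192.0.2.12
    ebt -P FORWARD DROP
}

# Usage on dom0 (as root):  sh pin-vifs.sh apply
# Review first:             EBTABLES="echo /sbin/ebtables" sh pin-vifs.sh apply
case "${1:-}" in
    apply) build_ruleset ;;
esac
```

INPUT is left at ACCEPT here on purpose: frames addressed to dom0 itself go through INPUT, not FORWARD, and setting INPUT to DROP is what took dom0's own ARP down in the thread. If you need to police what reaches dom0, add explicit ACCEPT rules for peth0 on INPUT before changing its policy.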