WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Antispoof and HVM [SOLVED]

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Antispoof and HVM [SOLVED]
From: Andrey <basketboy@xxxxx>
Date: Mon, 01 Mar 2010 00:58:28 +0300
Delivery-date: Sun, 28 Feb 2010 13:59:41 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4B8AD8FB.4030407@xxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4B8AD8FB.4030407@xxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.23 (X11/20090817)
Solved the problem. In the HVM domU case, an iptables rule for the corresponding tap interface should be added:

 :INPUT ACCEPT [3126:359694]
 :FORWARD DROP [974:187815]
 :OUTPUT ACCEPT [973:266082]

 -A FORWARD -m physdev  --physdev-in peth1 -j ACCEPT
 -A FORWARD -m physdev  --physdev-in vif60.0 -j ACCEPT
 -A FORWARD -m physdev  --physdev-in tap60.0 -j ACCEPT

Andrey writes:
Hello,

Does antispoof mechanism work in network-bridge with HVM domUs?

It seems not. The following iptables rules were added after starting an HVM domU with FreeBSD:

:INPUT ACCEPT [3126:359694]
:FORWARD DROP [974:187815]
:OUTPUT ACCEPT [973:266082]

-A FORWARD -m physdev  --physdev-in peth1 -j ACCEPT
-A FORWARD -m physdev  --physdev-in vif60.0 -j ACCEPT

peth1 is the physical interface on dom0 which is connected to the eth1 bridge; vif60.0 is the domU interface. After starting the HVM domU it is inaccessible via the network.

If I change the default policy of the FORWARD chain to ACCEPT, everything is fine. With PV domUs the current antispoof scheme works fine.

Where is the problem?

With regards, Andrey

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

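The rule set above works because, with bridge-netfilter enabled (net.bridge.bridge-nf-call-iptables=1), frames crossing the bridge traverse the FORWARD chain, and the physdev match selects them by ingress port. An HVM guest with qemu emulated networking injects its frames through tapN.0, not vifN.0 (which only carries traffic once PV-on-HVM drivers attach), so a FORWARD DROP policy silently blackholes the guest until the tap port gets its own ACCEPT rule. Note that the rules on this page accept any source address from the vif and tap ports; an actual antispoof rule additionally pins the port to the addresses the domU is allowed to use with -s. The following shell script is an added example, not code from the Xen project or from the original posts: it generates both forms (unrestricted when no addresses are given, address-pinned otherwise) for both ports of a domain, plus an iptables-restore fragment. The domain id 60 and uplink peth1 come from the thread; the address 192.0.2.10 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Xen project or the thread above.
# Generates physdev-based FORWARD rules for a Xen domU that may carry
# traffic on both its PV vif and its HVM tap port. Nothing here touches
# a live firewall; pipe the output into iptables-restore yourself.

# Interface names for a domain id: vif<id>.0 (PV netback) and
# tap<id>.0 (qemu emulated NIC). Assumes the first (and only) NIC.
domu_ifaces() {
    domid="$1"
    echo "vif${domid}.0 tap${domid}.0"
}

# Print ACCEPT rules in iptables-save syntax.
#   antispoof_rules <domid>            -> one rule per port, any source
#                                         (the form shown on this page)
#   antispoof_rules <domid> <ip>...    -> one rule per port and address,
#                                         pinned with -s (real antispoof)
antispoof_rules() {
    domid="$1"; shift
    for dev in $(domu_ifaces "$domid"); do
        if [ "$#" -eq 0 ]; then
            echo "-A FORWARD -m physdev --physdev-in ${dev} -j ACCEPT"
        else
            for addr in "$@"; do
                echo "-A FORWARD -m physdev --physdev-in ${dev} -s ${addr} -j ACCEPT"
            done
        fi
    done
}

# Emit a complete *filter fragment: default DROP on FORWARD, accept
# everything arriving from the physical uplink (as the page does), then
# the per-domU rules. Usage: filter_table <uplink> <domid> [ip...]
filter_table() {
    uplink="$1"; shift
    echo "*filter"
    echo ":FORWARD DROP [0:0]"
    echo "-A FORWARD -m physdev --physdev-in ${uplink} -j ACCEPT"
    antispoof_rules "$@"
    echo "COMMIT"
}

# Example (constructed address):
#   filter_table peth1 60 192.0.2.10 | iptables-restore --noflush
```

With addresses given, a guest that spoofs another source IP on either port falls through to the DROP policy, which is the behaviour the thread calls antispoof; without them the rules only recover connectivity. Before relying on this, confirm that bridge-nf is actually on (sysctl net.bridge.bridge-nf-call-iptables), otherwise bridged frames never reach FORWARD and neither the DROP nor the ACCEPT rules apply.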