WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-users] ip antispoof in Xen 3.4.2

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] ip antispoof in Xen 3.4.2
From: KC LO <kclo2000@xxxxxxxxx>
Date: Thu, 24 Jun 2010 03:49:02 +0800
Delivery-date: Wed, 23 Jun 2010 12:50:33 -0700
List-id: Xen user discussion <xen-users.lists.xensource.com>
Hi all,
 
I am testing the IP address antispoof function in Xen.
Finally, I made it work on Xen 3.0 on CentOS 5.4. This is the original version that comes with CentOS.
 
What I need to do is:
1) For the DomU config, add vif = [ "ip=11.1.1.1,mac=00:16:36:23:9e:bd,bridge=xenbr0" ]
2) Under /etc/xen/xend-config.sxp, I need to append antispoof=yes to the end of the "network-script" line:
(network-script 'network-bridge antispoof=yes')
3) sysctl -w net.bridge.bridge-nf-call-iptables=1 in order to allow forwarding to use iptables.
 
I observed that when I start a new domain with the ip defined in vif, it automatically adds an iptables rule under the FORWARD section. This makes IP anti-spoof work.
 
However, when I upgraded Xen 3 to Xen 3.4.2, the above function is not working. I found out that the iptables rules under network-bridge have changed.
 
For the anti-spoof section of the network-bridge script of Xen 3.4.2, it has removed
 
"iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT".
 
Xen 3.0 anti-spoof section:
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT
}

Xen 3.4.2 anti-spoof section:
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
}
 
Is there any reason for Xen 3.4.2 to remove this filtering rule? Is it safe for me to add this rule to Xen 3.4.2 in order to make anti-spoof work?
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
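The setup described in the post above, as an added example that is not code from the Xen network-bridge or vif scripts: a POSIX shell script that prints (or, with RUN="", applies) the bridge-nf sysctl, the default-DROP FORWARD policy, the accept rule for the physical uplink, and the per-vif rule that restricts a domU to the source addresses listed in its vif config. The device name peth0, the vif name vif1.0, the address validation, the DHCP client exception and the --physdev-out rule are this example's own assumptions, not anything the post states Xen does.

```shell
#!/bin/sh
# Added example (not from Xen's network-bridge/vif-bridge scripts): generate the
# iptables rules that implement per-domU IP anti-spoofing on a Xen bridge.
# Rules are printed by default so they can be reviewed; set RUN="" to execute.

PDEV="${PDEV:-peth0}"   # physical device attached to the bridge (assumed name)
RUN="${RUN:-echo}"      # "echo" prints the commands; "" runs them (needs root)

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Global part (steps 2 and 3 of the post): let bridged frames traverse iptables,
# drop forwarded traffic by default, and allow frames entering from the uplink.
bridge_base_rules() {
    $RUN sysctl -w net.bridge.bridge-nf-call-iptables=1
    $RUN iptables -P FORWARD DROP
    $RUN iptables -F FORWARD
    $RUN iptables -A FORWARD -m physdev --physdev-in "$PDEV" -j ACCEPT
}

# Per-domU part: only the listed source IPs may enter the bridge from $vif.
# The DHCP client exception and the --physdev-out rule are assumptions of this
# example so a guest can still obtain an address and receive replies.
vif_antispoof_rules() {
    vif="$1"; shift
    [ -n "$vif" ] || { echo "missing vif name" >&2; return 1; }
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "invalid address: $addr" >&2; return 1; }
        $RUN iptables -A FORWARD -m physdev --physdev-in "$vif" -s "$addr" -j ACCEPT
    done
    $RUN iptables -A FORWARD -m physdev --physdev-in "$vif" -p udp --sport 68 --dport 67 -j ACCEPT
    $RUN iptables -A FORWARD -m physdev --physdev-out "$vif" -j ACCEPT
}

# Usage: sh antispoof.sh <vif> <ip> [<ip>...]   e.g.  sh antispoof.sh vif1.0 11.1.1.1
if [ $# -ge 2 ]; then
    bridge_base_rules
    vif_antispoof_rules "$@"
fi
```

With the default RUN=echo the script is a review tool: compare its output with `iptables -L FORWARD -v` after starting a domain to confirm that the per-vif -s rule is actually present in the running kernel, which is the check that distinguishes the working Xen 3.0 behaviour from the Xen 3.4.2 behaviour reported above. A bad address in the vif list makes the script stop before emitting any rule, so a typo cannot silently leave the domain with an open FORWARD path.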