WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xense-devel

Re: [Xense-devel] cannot filter on vif* interfaces using iptables?

To: Claudio Fleiner <xensource@xxxxxxxxxxx>
Subject: Re: [Xense-devel] cannot filter on vif* interfaces using iptables?
From: Reiner Sailer <sailer@xxxxxxxxxx>
Date: Mon, 7 Aug 2006 09:34:27 -0400
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 07 Aug 2006 06:34:44 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <2ab57d808bfe0764bba5cd1fdac8897d-vmh@xxxxxxxxxxx>
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx

Hi Claudio,

I am currently writing IP tables filters to enforce the Xen mandatory access control framework on network packets in any of the Xen networking options (bridge, routing, nat). Physdev seems to work for me in Xen bridging mode. See below.

> Everything works fine except that it looks like the kernel does not
> know the virtual interface a packet comes from anywhere iptables
> gets a hold of them (if I log the packets I either see eth1 and eth0,
> or one of the interfaces has no name, I never see vif*). I am using
> kernel 2.6.16.13-xen0 compiled from the XEN source (latest development
> branch as of two weeks ago).
>
> As suggested by Gerd a few weeks ago I set CONFIG_BRIDGE_NETFILTER=y
> and CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y but even then the logs just look
> like this no matter into which table I insert the LOG option:

Your rules do not show the PHYSDEV matching rules. Compiling the filter is not enough. In bridging mode, the following rules work fine to accept all packets from vif0.2 to vif0.3:

/sbin/iptables -A FORWARD -m physdev --physdev-in vif0.2 --physdev-out vif0.3 -j ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-in vif0.3 --physdev-out vif0.2 -j ACCEPT

> Any hints on how to insert a rule that would drop all packets from a
> certain virtual interface greatly appreciated! I.e. something like
>
> -A RH-Firewall-1-INPUT -i vif2.0 --dport 80 -j DROP
>
> Thanks, Claudio


The following should work to drop packets on vif0.2:
/sbin/iptables -A INPUT -m physdev --physdev-in vif0.2 -j DROP

The -i and -o iptables options work ONLY on routed packets. The --physdev-xx options work in Xen bridging mode.

Does this help?

Reiner
_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
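As an added example, not part of Reiner's post or of the Xen code base: a small POSIX sh script that turns a whitelist of vif pairs into the physdev FORWARD rules shown above, closes the bridge with a default DROP, and emits the INPUT rule for a single vif. The policy lines, the vif names and the IPT override are constructed assumptions; --physdev-is-bridged is a standard physdev match option not mentioned in the thread, and the bridge-nf sysctl check assumes a kernel built with CONFIG_BRIDGE_NETFILTER.

```shell
#!/bin/sh
# Added example (not from the list post): generate a default-deny set of
# physdev rules for Xen bridging mode from a whitelist of vif pairs.
# Assumptions: IPT defaults to /sbin/iptables and can be overridden
# (e.g. IPT=echo for a dry run); POLICY below is constructed sample data.

IPT="${IPT:-/sbin/iptables}"

# Constructed sample policy: one "from to" vif pair per line.
POLICY="vif0.2 vif0.3
vif0.3 vif0.2"

# Emit one ACCEPT rule per whitelisted pair (the form used in the post),
# then drop every other bridged packet. Commands are written to stdout so
# they can be reviewed first or piped to sh.
physdev_rules() {
    policy="$1"
    echo "$policy" | while read -r from to; do
        [ -n "$from" ] && [ -n "$to" ] || continue
        printf '%s -A FORWARD -m physdev --physdev-in %s --physdev-out %s -j ACCEPT\n' \
            "$IPT" "$from" "$to"
    done
    # Anything bridged between vifs that was not whitelisted is dropped.
    printf '%s -A FORWARD -m physdev --physdev-is-bridged -j DROP\n' "$IPT"
}

# Drop traffic that arrives in dom0 from one vif (the INPUT case in the post).
vif_input_drop() {
    printf '%s -A INPUT -m physdev --physdev-in %s -j DROP\n' "$IPT" "$1"
}

# Number of rules a policy expands to, for a quick sanity check.
rule_count() {
    physdev_rules "$1" | wc -l | tr -d ' '
}

# Bridged frames only reach iptables when bridge-nf is switched on.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}
```

Run with IPT=echo first to review the generated rules; -i/-o are deliberately absent because, as the post notes, they do not match bridged traffic.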