Hi folks, I started testing the antispoof feature of xen stable (2.0.7). I am stuck with it. I have setup a standard bridged environment. I understood it like this: in domU config I set up the virtual NIC like vif = [ ''mac=ae:00:00:78:78:78, ip=192.168.0.100'' ] Then I configure /etc/network/interface of this domU to show the same IP address for eth0. After restarting the physical machine with xend-config.sxp saying (vif-antispoof yes) the domU should still be able to reach everything like it did before. But it does not. From domU I can ping the bridge it is connected to (that is, eth0 of dom0), but I cannot ping any other host on the same subnet the physical machine is on nor any host on the internet. There is something I am overlooking, right? Any hint or help would be greatly appreciated. I have googled and looked in the docs, but found nothing. Dirk _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Hi Dirk, I also had problems getting it to work when I tried it some months ago. As far as I can remember I had just the same symptoms as you. In order to get have the iptables correctly setup by vif-bridge in antispoof-mode the kernel must have the pysdev option in the netfilter section enabled and/or loaded as a module. When compiled into the kernel the line in the .config -file should look lite this: CONFIG_IP_NF_MATCH_PHYSDEV=y After recompling and installing a new Dom0-kernel it worked just fine. On 11/1/05, Dirk H. Schulz <dirk.schulz@kinzesberg.de> wrote:> > Hi folks, > > I started testing the antispoof feature of xen stable (2.0.7). I am > stuck with it. > > I have setup a standard bridged environment. > > I understood it like this: in domU config I set up the virtual NIC like > > vif = [ ''mac=ae:00:00:78:78:78, ip=192.168.0.100 <http://192.168.0.100>'' ] > > Then I configure /etc/network/interface of this domU to show the same IP > address for eth0. > > After restarting the physical machine with xend-config.sxp saying > (vif-antispoof yes) > > the domU should still be able to reach everything like it did before. > But it does not. From domU I can ping the bridge it is connected to > (that is, eth0 of dom0), but I cannot ping any other host on the same > subnet the physical machine is on nor any host on the internet. > > There is something I am overlooking, right? > > Any hint or help would be greatly appreciated. I have googled and looked > in the docs, but found nothing. > > Dirk > > _______________________________________________ > Xen-users mailing list > Xen-users@lists.xensource.com > http://lists.xensource.com/xen-users >-- Mats Engstrom, Nerdlabs Consulting , http://www.nerdlabs.se _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Hi Mats, Mats Engstrom schrieb:>Hi Dirk, > I also had problems getting it to work when I tried it some months ago. As >far as I can remember I had just the same symptoms as you. > In order to get have the iptables correctly setup by vif-bridge in >antispoof-mode the kernel must have the pysdev option in the netfilter >section enabled and/or loaded as a module. When compiled into the kernel the >line in the .config -file should look lite this: >CONFIG_IP_NF_MATCH_PHYSDEV=y > After recompling and installing a new Dom0-kernel it worked just fine. > >Yes, you are right, that''s it. Thanks! But one more question: How did you find out THAT? I am not really into netfilter yet, and there is no hint in the docs I found. Ah, and still on more question: Did you test/do you know if the antispoof feature prevents IP spoofing only or ARP spoofing as well? Dirk _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Possibly Parallel Threads
- antispoof with Xen 3
- XEN 4.0.1 bridged network - antispoof Option does not work
- xl create don''t register IP in xenstore. vif-common.sh antispoof scripts fails [SOLVED]
- Bug#894013: xen-utils-common: issue with iptables antispoofing rules in xen4.8 generated by vif-bridge and vif-common.sh
- Bug#698841: xen-utils-common: HVM networking for ioemu devices is blocked when antispoof is on