Giovanni Bellac
2010-Nov-03 10:42 UTC
[Xen-users] XEN 4.0.1 bridged network - antispoof Option does not work
Hello

with XEN 3.4.x antispoof=yes works on a bridge setup.
I am using this line in xend-config.sxp
(network-script 'network-bridge antispoof=yes')

It creates this under IPTABLES FORWARD chain:
ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in peth0

Under XEN 4.0.1 it is not working, it does not create an IPTABLES rule.
Customers can "steal" IP addresses.
There is a part in the network-bridge script of XEN 4.0.1 about antispoof.
But I think that above line in xend-config.sxp is not working anymore with XEN 4.0.1.

setup:
Debian 5.0
XEN 3.4.3 self compiled (2.6.18.x)
XEN 4.0.1 self compiled (2.6.32.x)

Regards
Giovanni
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Mark Pryor
2010-Nov-15 00:57 UTC
[Xen-users] re: XEN 4.0.1 bridged network - antispoof Option does not work
Is the kernel config value below, associated with the antispoof feature builtin to the mainline kernel for ? Is it only relevant for a bridged interface?

Squeeze
$ sudo grep -i physdev /boot/config-2.6.32-5-xen-amd64
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m

JF 2.6.32.x
# grep -i physdev /boot/config-2.6.32.24
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m

--
Mark
Peter Braun
2010-Nov-15 13:07 UTC
Re: [Xen-users] XEN 4.0.1 bridged network - antispoof Option does not work
Same behaviour here - antispoof not working in 4.0.1

Br
Peter

2010/11/3 Giovanni Bellac <giovannib1979@ymail.com>:
> Hello
>
> with XEN 3.4.x antispoof=yes works on a bridge setup.
> I am using this line in xend-config.sxp
> (network-script 'network-bridge antispoof=yes')
>
> It creates this under IPTABLES FORWARD chain:
> ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in peth0
>
> Under XEN 4.0.1 it is not working, it does not create an IPTABLES rule.
> Customers can "steal" IP addresses.
> There is a part in the network-bridge script of XEN 4.0.1 about antispoof.
> But I think that above line in xend-config.sxp is not working anymore with
> XEN 4.0.1.
>
> setup:
> Debian 5.0
> XEN 3.4.3 self compiled (2.6.18.x)
> XEN 4.0.1 self compiled (2.6.32.x)
>
> Regards
> Giovanni
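
A check for the symptom reported in this thread, added here as an example and not taken from any poster or from the Xen scripts: it audits the text printed by `iptables -S FORWARD` in dom0 for the `--physdev-in peth0` ACCEPT rule. The function name `audit_forward`, its verdict strings and the sample rule sets are constructed for illustration, and the requirement that the FORWARD policy be DROP is an assumption the thread does not state.

```shell
#!/bin/sh
# Added example: audit FORWARD-chain rules for the bridge antispoof rule.
# Input is the text printed by `iptables -S FORWARD`.
# Verdicts (hypothetical names): ok | missing-rule | policy-not-drop

audit_forward() {   # $1 = rules text, $2 = physical interface, e.g. peth0
    printf '%s\n' "$1" | awk -v ifc="$2" '
        # Chain policy line, e.g. "-P FORWARD DROP"
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        # Appended rule, e.g. "-A FORWARD -m physdev --physdev-in peth0 -j ACCEPT"
        $1 == "-A" && $2 == "FORWARD" {
            match_in = 0; accept = 0; negated = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "!") negated = 1   # skip inverted matches
                if ($i == "--physdev-in" && $(i + 1) == ifc) match_in = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (match_in && accept && !negated) rule = 1
        }
        END {
            if (!rule) print "missing-rule"
            # Assumption: the ACCEPT rule only restricts traffic when
            # everything else in FORWARD is dropped by policy.
            else if (policy != "DROP") print "policy-not-drop"
            else print "ok"
        }'
}

# Constructed samples, not captured from a real host.
RULES_WITH_RULE='-P FORWARD DROP
-A FORWARD -m physdev --physdev-in peth0 -j ACCEPT'
RULES_WITHOUT_RULE='-P FORWARD ACCEPT'   # rule absent, as reported for 4.0.1

echo "rule present: $(audit_forward "$RULES_WITH_RULE" peth0)"
echo "rule absent:  $(audit_forward "$RULES_WITHOUT_RULE" peth0)"

# Live use in dom0 (needs root):
# audit_forward "$(iptables -S FORWARD)" peth0
```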