Kristoffer Egefelt
2011-Mar-23 10:14 UTC
[Xen-users] XCP - openvswitch network isolation / antispoofing
Hi list,

Searching the xen and openvswitch forums I've not been able to clarify if anti spoofing really is possible using the openvswitch included in XCP 1.0.

If anybody figured it out, would you care to explain:

1) How?
2) Will the configuration persist after xcp host reboot?
3) Will the configuration persist after VM migration?

If not - are there any other possibilities other than disabling openvswitch and using the good old bridges?

Regards
Kristoffer

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
George Shuklin
2011-Mar-23 12:11 UTC
Re: [Xen-users] XCP - openvswitch network isolation / antispoofing
See the xen-api@lists.xensource.com maillist, I posted an antispoofing patch for XCP earlier there (no recompilation, just a few lines in a script). It will persist between VM reboots and migrations.

And no, there is no antispoofing in XCP by default, but it contains tools allowing easy implementation of it.
Kristoffer Egefelt
2011-Mar-30 14:47 UTC
[Xen-users] Re: XCP - openvswitch network isolation / antispoofing
Hi George,
I tried your patch on XCP 1.0 but the rules do not seem to work.
The VM is on a VLAN, that may be part of the problem?
Do you have an idea why it's not working in my case?
The vswitch/bridge is xapi5
The VLAN/bridge is on xapi13 (however there's no xapi13 switch, only a port
on xapi5...)
From the messages log when the VM is booting:
Mar 30 15:40:19 node0106 scripts-vif: VIF
uuid=b2f59aca-69c0-6ab8-d450-7e68943a206a device=vif31.0 ovs_port=8
bridge=xapi5 restricted to use IPv4 10.10.8.73 only with mac
a6:1e:29:3d:69:51 address.
Mar 30 15:40:19 node0106 scripts-vif: /usr/bin/ovs-ofctl add-flow xapi5
in_port=8 priority=39000 dl_type=0x0800 nw_src=10.10.8.73
dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=normal
Mar 30 15:40:19 node0106 scripts-vif: /usr/bin/ovs-ofctl add-flow xapi5
in_port=8 priority=38500 dl_type=0x0806 dl_src=a6:1e:29:3d:69:51
idle_timeout=0 action=normal
Mar 30 15:40:19 node0106 scripts-vif: /usr/bin/ovs-ofctl add-flow xapi5
in_port=8 priority=38000 idle_timeout=0 action=drop
ovs-ofctl dump-flows xapi5 in_port=8:
Mar 30 15:40:39|00001|ofctl|INFO|connecting to
unix:/var/run/openvswitch/xapi5.mgmt
stats_reply (xid=0x7cfc2): flags=none type=1(flow)
cookie=0x0, duration_sec=20s, duration_nsec=251000000ns, table_id=1,
priority=39000, n_packets=0, n_bytes=0,
ip,in_port=8,dl_src=a6:1e:29:3d:69:51,nw_src=10.10.8.73,actions=NORMAL
cookie=0x0, duration_sec=20s, duration_nsec=244000000ns, table_id=1,
priority=38500, n_packets=0, n_bytes=0,
arp,in_port=8,dl_src=a6:1e:29:3d:69:51,actions=NORMAL
cookie=0x0, duration_sec=20s, duration_nsec=237000000ns, table_id=1,
priority=38000, n_packets=0, n_bytes=0, in_port=8,actions=drop
ovs-ofctl show xapi5:
Mar 30 16:23:33|00001|ofctl|INFO|connecting to
unix:/var/run/openvswitch/xapi5.mgmt
features_reply (xid=0x54910): ver:0x1, dpid:00005a976383e68c
n_tables:2, n_buffers:256
features: capabilities:0x87, actions:0xfff
1(bond0): addr:00:23:20:b7:47:73, config: 0, state:0
2(eth1): addr:00:26:b9:f9:cd:e2, config: 0, state:0
current: 1GB-FD FIBER AUTO_NEG
advertised: 1GB-FD AUTO_NEG
supported: 10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER FIBER
AUTO_NEG
3(eth0): addr:00:26:b9:f9:cd:e0, config: 0, state:0
current: 1GB-FD FIBER AUTO_NEG
advertised: 1GB-FD AUTO_NEG
supported: 10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER FIBER
AUTO_NEG
4(xapi6): addr:00:26:b9:f9:cd:e0, config: 0, state:0
5(xapi13): addr:00:26:b9:f9:cd:e0, config: 0, state:0
6(xapi8): addr:00:26:b9:f9:cd:e0, config: 0, state:0
7(xapi2): addr:00:26:b9:f9:cd:e0, config: 0, state:0
8(vif31.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
9(vif17.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
10(vif18.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
11(vif32.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
LOCAL(xapi5): addr:00:26:b9:f9:cd:e0, config: 0, state:0
Mar 30 16:23:33|00002|ofctl|INFO|connecting to
unix:/var/run/openvswitch/xapi5.mgmt
get_config_reply (xid=0x5a12a): miss_send_len=0
xe network-list name-label=VLAN8:
uuid ( RO) : 10af916d-22bf-bfd3-5c24-e3d49e39fe13
name-label ( RW): VLAN8
name-description ( RW): Setup sandbox
bridge ( RO): xapi13
xe network-list name-label="Bond 0+1":
uuid ( RO) : 8197709c-2e1c-88d2-f51e-48a15793c954
name-label ( RW): Bond 0+1
name-description ( RW):
bridge ( RO): xapi5
Best regards
Kristoffer
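The rule set in Kristoffer's scripts-vif log is the usual per-port anti-spoofing pattern: an IPv4 flow pinned to the VIF's (nw_src, dl_src) pair, an ARP flow pinned to dl_src, and a lower-priority catch-all drop for that in_port. When such rules "do not seem to work", the first thing to establish is whether they are actually installed and ordered correctly, and whether any traffic has hit them; the dump above shows n_packets=0 on all three twenty seconds after boot, so by itself it cannot tell matching from non-matching. The checker below is an added example, not part of the thread, not George's patch and not the XCP vif script. It parses the text form of `ovs-ofctl dump-flows` as printed by Open vSwitch 1.x (the format in the thread) and reports, per in_port, which of the three rules are present, whether the drop really has the lowest priority, and the hit counters on the allow and drop rules. The sample dump is constructed from the thread's three port-8 flows plus an invented port-9 entry that only has the drop rule; `build_add_flow_commands` emits the same three commands the log shows, in ovs-ofctl's comma-separated single-argument form.

```python
"""Verify that an OVS port carries the anti-spoofing flow set seen in the thread.

Added example: not George's patch and not the XCP scripts-vif code. Parses
`ovs-ofctl dump-flows <bridge>` text (Open vSwitch 1.x form) and checks, for
one in_port, that IPv4 is pinned to (nw_src, dl_src) -> NORMAL, ARP is pinned
to dl_src -> NORMAL, and a lower-priority catch-all drop exists for the port.
"""
import re
from dataclasses import dataclass

# Keys that describe the flow entry itself rather than the packet match.
_META_KEYS = {"cookie", "duration_sec", "duration_nsec", "duration", "table_id",
              "table", "priority", "n_packets", "n_bytes", "idle_timeout",
              "hard_timeout", "idle_age", "hard_age", "actions"}

# Constructed sample: the three vif31.0 (port 8) flows copied from the thread,
# plus an invented port-9 entry that has only the drop rule (and has hit it).
SAMPLE_DUMP = """\
Mar 30 15:40:39|00001|ofctl|INFO|connecting to unix:/var/run/openvswitch/xapi5.mgmt
stats_reply (xid=0x7cfc2): flags=none type=1(flow)
 cookie=0x0, duration_sec=20s, duration_nsec=251000000ns, table_id=1, priority=39000, n_packets=0, n_bytes=0, ip,in_port=8,dl_src=a6:1e:29:3d:69:51,nw_src=10.10.8.73,actions=NORMAL
 cookie=0x0, duration_sec=20s, duration_nsec=244000000ns, table_id=1, priority=38500, n_packets=0, n_bytes=0, arp,in_port=8,dl_src=a6:1e:29:3d:69:51,actions=NORMAL
 cookie=0x0, duration_sec=20s, duration_nsec=237000000ns, table_id=1, priority=38000, n_packets=0, n_bytes=0, in_port=8,actions=drop
 cookie=0x0, duration_sec=90s, duration_nsec=0ns, table_id=1, priority=38000, n_packets=12, n_bytes=960, in_port=9,actions=drop
"""


@dataclass
class Flow:
    match: dict      # packet-match fields; bare protocol tokens (ip, arp) map to True
    actions: str
    priority: int
    n_packets: int


def parse_dump_flows(text):
    """Turn dump-flows output into Flow records, skipping ofctl chatter lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("cookie="):
            continue
        fields, match = {}, {}
        for tok in re.split(r",\s*", line):
            if "=" in tok:
                key, val = tok.split("=", 1)
                (fields if key in _META_KEYS else match)[key] = val
            elif tok:
                match[tok] = True   # bare protocol shorthand such as "ip" or "arp"
        flows.append(Flow(match=match,
                          actions=fields.get("actions", ""),
                          priority=int(fields.get("priority", 32768)),
                          n_packets=int(fields.get("n_packets", 0))))
    return flows


def check_port(flows, port, ip, mac):
    """Report which anti-spoofing rules exist for in_port and what they have matched."""
    port = str(port)
    mine = [f for f in flows if f.match.get("in_port") == port]
    ip_allow = [f for f in mine if f.match.get("ip") is True
                and f.match.get("nw_src") == ip and f.match.get("dl_src") == mac
                and f.actions.upper() == "NORMAL"]
    arp_allow = [f for f in mine if f.match.get("arp") is True
                 and f.match.get("dl_src") == mac and f.actions.upper() == "NORMAL"]
    drops = [f for f in mine if f.actions.lower() == "drop"
             and set(f.match) == {"in_port"}]          # catch-all: matches only the port
    present = bool(ip_allow and arp_allow and drops)
    ordered = present and all(
        d.priority < min(a.priority for a in ip_allow + arp_allow) for d in drops)
    return {
        "ip_allow": bool(ip_allow),
        "arp_allow": bool(arp_allow),
        "catch_all_drop": bool(drops),
        "drop_is_lowest": ordered,
        "complete": present and ordered,
        "packets_allowed": sum(f.n_packets for f in ip_allow + arp_allow),
        "packets_dropped": sum(f.n_packets for f in drops),
        # Flows on this port that are none of the three: worth a look, since a
        # stray higher-priority NORMAL rule would bypass the pinning.
        "other_flows": len(mine) - len(ip_allow) - len(arp_allow) - len(drops),
    }


def build_add_flow_commands(bridge, port, ip, mac, ofctl="/usr/bin/ovs-ofctl"):
    """The three add-flow commands from the thread's log (same priorities),
    written in ovs-ofctl's comma-separated single-argument flow syntax."""
    base = f"{ofctl} add-flow {bridge} "
    return [
        base + f"in_port={port},priority=39000,dl_type=0x0800,nw_src={ip},dl_src={mac},idle_timeout=0,actions=normal",
        base + f"in_port={port},priority=38500,dl_type=0x0806,dl_src={mac},idle_timeout=0,actions=normal",
        base + f"in_port={port},priority=38000,idle_timeout=0,actions=drop",
    ]


if __name__ == "__main__":
    flows = parse_dump_flows(SAMPLE_DUMP)
    for port in (8, 9):
        print(port, check_port(flows, port, "10.10.8.73", "a6:1e:29:3d:69:51"))
```

On a live host, feed it `ovs-ofctl dump-flows xapi5` output instead of `SAMPLE_DUMP` and run it once before and once after generating traffic from the VM: if the allow counters stay at zero while traffic flows, the packets are not matching these rules at all (the VLAN placement Kristoffer suspects would show up this way), whereas a rising drop counter means the port is being policed and something other than the pinned address pair is being refused.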