Hi folks,
I started testing the antispoof feature of xen stable (2.0.7). I am
stuck with it.
I have setup a standard bridged environment.
I understood it like this: in domU config I set up the virtual NIC like
vif = [ 'mac=ae:00:00:78:78:78, ip=192.168.0.100' ]
Then I configure /etc/network/interface of this domU to show the same IP
address for eth0.
After restarting the physical machine with xend-config.sxp saying
(vif-antispoof yes)
the domU should still be able to reach everything like it did before.
But it does not. From domU I can ping the bridge it is connected to
(that is, eth0 of dom0), but I cannot ping any other host on the same
subnet the physical machine is on nor any host on the internet.
There is something I am overlooking, right?
Any hint or help would be greatly appreciated. I have googled and looked
in the docs, but found nothing.
Dirk
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Hi Dirk,

I also had problems getting it to work when I tried it some months ago. As far as I can remember I had just the same symptoms as you.

In order to get the iptables correctly set up by vif-bridge in antispoof mode, the kernel must have the physdev option in the netfilter section enabled and/or loaded as a module. When compiled into the kernel, the line in the .config file should look like this:

CONFIG_IP_NF_MATCH_PHYSDEV=y

After recompiling and installing a new Dom0 kernel it worked just fine.

-- 
Mats Engstrom, Nerdlabs Consulting, http://www.nerdlabs.se
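The following is an added example, not Xen's vif-bridge script and not part of either message above. It shows, in shell, what a physdev-based antispoof setup for one guest amounts to: pull the ip= value out of the domU vif entry, check a dom0 kernel .config for CONFIG_IP_NF_MATCH_PHYSDEV, and print the iptables rules that pin the vif to that address. The vif name vif1.0, the DHCP rule and the sample .config lines are this example's assumptions. The comments also give a likely reading of the symptom Dirk describes: with bridge netfilter active, bridged frames pass through the FORWARD chain, so a FORWARD policy of DROP with no physdev ACCEPT rule loaded blocks traffic to other hosts, while pings to dom0's own address go through INPUT and still work.

```shell
#!/bin/sh
# Added example, not Xen's own vif-bridge script: build the iptables rules a
# physdev-based antispoof policy needs for one guest vif, and check whether a
# dom0 kernel .config provides the physdev match that those rules depend on.
# The vif name "vif1.0" and the exact rule set below are this example's
# assumptions; Xen 2.0.7's /etc/xen/scripts/vif-bridge is the authority.

# vif_ip SPEC: pull the ip= value out of a domU "vif = [ '...' ]" entry.
vif_ip() {
    printf '%s\n' "$1" | sed -n 's/.*ip=\([0-9.][0-9.]*\).*/\1/p'
}

# physdev_supported CONFIG_FILE: true when the physdev match is built in (=y)
# or available as a module (=m). On a live dom0 the same test can be run
# against a decompressed /proc/config.gz or /boot/config-$(uname -r).
physdev_supported() {
    grep -Eq '^CONFIG_IP_NF_MATCH_PHYSDEV=(y|m)$' "$1"
}

# antispoof_rules VIF IP: print the rules that pin VIF to IP. FORWARD defaults
# to DROP; only frames entering the bridge from VIF with source IP (plus the
# guest's DHCP requests, an assumption of this example) are forwarded. If the
# physdev match is missing, the two "-m physdev" lines fail to load while the
# DROP policy stays in place, which matches a guest that can reach dom0 (via
# the INPUT chain) but nothing beyond the bridge.
antispoof_rules() {
    vif="$1"
    ip="$2"
    printf '%s\n' \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT" \
        "iptables -A FORWARD -m physdev --physdev-in $vif -p udp --sport 68 --dport 67 -j ACCEPT"
}

# Demo on a constructed kernel config (not a real dom0 file): the physdev
# match is not set, so the rules are not printed and the fix is named instead.
demo() {
    cfg=$(mktemp)
    printf '%s\n' 'CONFIG_NETFILTER=y' '# CONFIG_IP_NF_MATCH_PHYSDEV is not set' > "$cfg"
    ip=$(vif_ip 'mac=ae:00:00:78:78:78, ip=192.168.0.100')
    if physdev_supported "$cfg"; then
        echo "physdev match available; rules for vif1.0 with ip $ip:"
        antispoof_rules vif1.0 "$ip"
    else
        echo "physdev match missing: enable CONFIG_IP_NF_MATCH_PHYSDEV before setting (vif-antispoof yes)"
    fi
    rm -f "$cfg"
}

demo
```

To use this against a real dom0, point physdev_supported at the running kernel's config and compare the printed rules with `iptables -L FORWARD -v` after the guest is started; a DROP policy with no physdev ACCEPT line is the failure mode Mats describes.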
Hi Mats,

Mats Engstrom wrote:
> Hi Dirk,
> I also had problems getting it to work when I tried it some months ago. As far as I can remember I had just the same symptoms as you.
> In order to get the iptables correctly set up by vif-bridge in antispoof mode, the kernel must have the physdev option in the netfilter section enabled and/or loaded as a module. When compiled into the kernel, the line in the .config file should look like this:
> CONFIG_IP_NF_MATCH_PHYSDEV=y
> After recompiling and installing a new Dom0 kernel it worked just fine.

Yes, you are right, that's it. Thanks!

But one more question: How did you find out THAT? I am not really into netfilter yet, and there is no hint in the docs I found.

Ah, and still one more question: Did you test/do you know if the antispoof feature prevents IP spoofing only or ARP spoofing as well?

Dirk