Hi KC LO,
The rules should work with XEN 3.4.2 or even XEN 4.0.0 as well, as they
rely on the bridging code in the kernel, which is not dependent on the
XEN version.
I''ve got no idea why this behaviour has changed, but if the old
behaviour is ok for you, you should be able to use those rules manually.
Regards,
Felix
P.S.: Those rules will not really deny IP / ARP spoofing at all...
Am 23.06.2010 21:49, schrieb KC LO:> Hi all,
>
> I am testing on the IP address antispoof function in Xen.
> Finally, I make it working on Xen3.0 on CentOS5.4. This is the
> original version come with CenOS.
>
> What I need to do is : -
> 1) For DomU config, add vif = [
> "ip=11.1.1.1,mac=00:16:36:23:9e:bd,bridge=xenbr0"]
> 2) Under /etc/xen/xend-config.sxp, I need to append antispoof=yes to
> the end of the "network-script"
> (network-script ''network-bridge antispoof=yes'')
> 3) sysctl -w "net.bridge.bridge-nf-call-iptables=1 in order to allow
> forwarding to use iptables.
>
> I observed that when I start a new domain with the ip defined in vif,
> it will add an iptables rule under Forward section automatically.
> This make IP anti-spoof working.
>
> However, when I upgrade Xen3 to Xen 3.4.2, the above functions is not
> working. I found out that the iptables rule under network-bridge has
> changed
>
> For anti-spoof sectionin of network-bridge script of xen3.4.2, it has
> removed
>
> "iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT".
>
> Xen 3.0 anti-spoof section,
> # Set the default forwarding policy for $dev to drop.
> # Allow forwarding to the bridge.
> antispoofing () {
> iptables -P FORWARD DROP
> iptables -F FORWARD
> iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
> iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT
> }
> Xen3.4.2 anti-spoof section
> # Set the default forwarding policy for $dev to drop.
> # Allow forwarding to the bridge.
> antispoofing () {
> iptables -P FORWARD DROP
> iptables -F FORWARD
> iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
> }
>
> Any reason for Xen3.4.2 to remove this filtering rule? Is it safe
> that I add this rule to Xen3.4.2 in order to make anti-spoof working?
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users