[Xen-API] XCP antispoofing patch [v2]
Good day, everyone.

This patch controls the usage of IPv4 addresses by virtual machines. It must be applied to all hosts of the pool and requires a /usr/bin/get_ip script. This behaviour differs from the earlier version of the patch I posted last time. The script shall accept the uuid of a VIF and return either an IP address or nothing. It shall never freeze or output any kind of error message. Here is a sample of its output:

$ get_ip 48b541ae-1403-ddbb-4122-868c816cbec5
10.1.1.2
$ get_ip 9ade74b4-87b0-97b5-e02c-5d8d870438bd
$ get_ip somerandominput

Changelog:
* Now works fine with trunk VLANs (thanks to Ben Pfaff)
* Now clearly eliminates all unauthorised traffic, including wrong ARP announcements (thanks to Alexandre Bezroutchko for the correct ARP line)
* Fixed rules not being removed on multi-homed VMs (two VIFs per VM caused the second set of rules not to be removed)

Notes:
We disallow 'collision detection' ARP requests and DHCP requests. If you need them, you need to create separate rules. Also, this patch DOES NOT SUPPORT IPv6.

Instructions:
1) This patch is against XCP 1.0; when XCP 1.1 is released, I will post an adapted version.
2) Put the get_ip script in /usr/bin on every host in the pool, see the notes above. You need to create this script yourself. The simplest one (from a config file) will look like:

#!/bin/sh
# look up the VIF uuid ($1) in the config file and print the second column (the IP)
grep "$1" /etc/xensource/ip.conf | awk '{print $2}'

Our script uses an external database to get the IP.
3) Check that this script works fine without the normal PATH environment. Note: if get_ip freezes or returns an error, VMs will not start, even those that have no IP restriction.
4) Log in to the host via ssh, download/copy the script locally.
5) Make a backup copy.
6) Apply the patch: patch -b -p0 <antispoofing.v2.patch
7) Repeat step 6 on every host in the pool.
8) Restart/migrate every machine that needs to be protected.

Reverting:
1) Urgent rule cleaning can be done:
   a) ovs-ofctl del-flows "in_port=2" (=3, =4 and so on).
   b) by replacing /usr/bin/get_ip with a symlink to /bin/true and remigrating/rebooting every affected VM
2) Permanent removal can be done by moving /etc/xensource/script/vif.orig back to /etc/xensource/script/vif

Rules can be seen by typing ovs-ofctl dump-flows xenbr0 (xenbr1 and so on, depending on your network configuration; for pure virtual networks the interface is xapi0, xapi1, ...).

PS Glad to hear some comments.

Attachment:
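A hardened file-backed get_ip, added here as an example (it is not the poster's script and not part of the patch): it keeps the contract stated above for the helper, printing the VIF's IPv4 address or nothing, never hanging and never printing errors, and avoids the substring and empty-argument matches a bare grep would produce. The IP_CONF override variable and the exact first-column match are assumptions of this example, not something the post specifies.

```shell
#!/bin/sh
# Added example, not the poster's get_ip: a file-backed helper that honours the
# post's contract (print the VIF's IPv4 or nothing, never hang, never print errors).
# IP_CONF is an assumed override (handy for testing); the default is the post's path.
IP_CONF="${IP_CONF:-/etc/xensource/ip.conf}"

get_ip() {
    uuid="$1"
    # Reject anything that is not a well-formed lowercase uuid. A bare `grep $1`
    # would match every line for an empty argument and any line for a partial one.
    printf '%s' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
        || return 0
    # Unreadable config: answer "no IP" rather than fail, since the post warns that
    # a failing get_ip stops every VM from starting.
    [ -r "$IP_CONF" ] || return 0
    # Exact match on the first column only; first hit wins; awk noise is discarded.
    ip=$(awk -v u="$uuid" '$1 == u { print $2; exit }' "$IP_CONF" 2>/dev/null || true)
    # Hand back only a plausible dotted quad; anything else is treated as "no IP".
    printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 0
    printf '%s\n' "$ip"
    return 0
}

# Stand-alone use: get_ip <vif-uuid>
if [ $# -gt 0 ]; then get_ip "$1"; fi
```

If the backend is an external database, as in the poster's setup, the same shape applies: wrap the query so that a timeout or failure still ends in an empty answer and exit status 0.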
antispoofing.v2.patch

_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api