
[Xen-devel] Xen anti-spoof firewall issue with routing on a VM


  • To: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: Thomas Goirand <thomas@xxxxxxxxxx>
  • Date: Tue, 10 Jan 2012 02:59:47 +0800
  • Delivery-date: Mon, 09 Jan 2012 19:00:14 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Hi,

On one of our servers, we have a VM which does BGP routing, and routes a
full class C (let's pretend the network is 12.34.56.0/24). I'm using Xen
4.0 from Debian Squeeze (unmodified package). We use, in
/etc/xen/xend-config.sxp:

(network-script 'network-bridge antispoof=yes')

The issue is that the anti-spoof firewall of Xen prevents networking
from working for the other VMs which will use 12.34.56.1 as their gateway. If I do:

iptables -I INPUT -j ACCEPT
iptables -I FORWARD -j ACCEPT

of course, it does work, but that's not what I want. I really want the
anti-spoofing feature to be there. Also, if I add, let's say,
12.34.56.5 to the Xen startup file of the VM that does the BGP routing,
it doesn't work (e.g. 12.34.56.5, which is used by another VM, is still
not routed).

What's the solution here?

Also, is there a plan for IPv6 support in this anti-spoof firewall?

If there are things to contribute so that the above can be done, I'd be
happy to work on that, so that anti-spoofing can be done.

Last, if I switch to xl instead of xm, is there a way to still have the
anti-spoof feature which is so nice?

Cheers,

Thomas Goirand

P.S.: Has anyone tried the new XCP packages available in Debian SID since
Christmas? Last weekend I uploaded v1.3-15 to SID, after long work
with Mike and Jon on it, and I believe it works quite well now, but
feedback would be appreciated! Please see the QA page:

http://qa.debian.org/developer.php?login=pkg-xen-devel@xxxxxxxxxxxxxxxxxxxxxxx
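
The situation described in the message above, modelled as an added example. This is not Xen's code and not something from the thread: the rule shapes are my reading of what vif-common.sh installs per vif (`--physdev-in vifN.0 -s <ip> -j ACCEPT` for each address in `ip=`, plus a RELATED,ESTABLISHED `--physdev-out vifN.0` rule) and of what network-bridge does with antispoof=yes (FORWARD policy DROP, `--physdev-in peth0 -j ACCEPT`). The vif names, the 203.0.113.10 Internet host and the `router_prefix_rules` helper are constructed for the example; the last is a hypothetical extra rule set for a router vif, not an existing Xen option. The model evaluates the FORWARD chain the way iptables does (first match wins, then policy) and shows why listing 12.34.56.5 in the router VM's config only repairs the outbound hop: the inbound packet the router hands back to the bridge carries an Internet source address, so no `-s` rule on vif1.0 can match it.

```python
"""Model of the FORWARD chain produced by Xen's antispoof rules (my reading
of vif-common.sh and network-bridge; verify with `iptables -nvL FORWARD`)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_dev: str                 # bridge port the frame entered on
    out_dev: str                # bridge port it will leave on
    established: bool = False   # conntrack state RELATED,ESTABLISHED


@dataclass(frozen=True)
class Rule:
    action: str                         # ACCEPT or DROP
    physdev_in: Optional[str] = None    # -m physdev --physdev-in
    physdev_out: Optional[str] = None   # -m physdev --physdev-out
    src: Optional[str] = None           # -s <addr or CIDR>
    dst: Optional[str] = None           # -d <addr or CIDR>
    established: Optional[bool] = None  # -m state --state RELATED,ESTABLISHED
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.physdev_in is not None and p.in_dev != self.physdev_in:
            return False
        if self.physdev_out is not None and p.out_dev != self.physdev_out:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in \
                ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.established is not None and p.established != self.established:
            return False
        return True


def forward_verdict(chain: List[Rule], p: Packet, policy: str = "DROP"):
    """First matching rule wins, as in iptables; otherwise the chain policy."""
    for r in chain:
        if r.matches(p):
            return r.action, r.comment
    return policy, "chain policy"


def vif_rules(vif: str, ips: List[str]) -> List[Rule]:
    """Rules vif-common.sh installs for one vif with ip= set (my reading)."""
    rules = [Rule("ACCEPT", physdev_in=vif, src=ip, comment=f"{vif} may source {ip}")
             for ip in ips]
    rules.append(Rule("ACCEPT", physdev_out=vif, established=True,
                      comment=f"replies towards {vif}"))
    return rules


# Constructed topology: peth0 uplink, vif1.0 = BGP router VM (12.34.56.1),
# vif2.0 = ordinary VM (12.34.56.5) that uses the router as its gateway.
PETH, ROUTER_VIF, OTHER_VIF = "peth0", "vif1.0", "vif2.0"


def antispoof_chain(router_ips: List[str]) -> List[Rule]:
    chain = [Rule("ACCEPT", physdev_in=PETH, comment="uplink (network-bridge antispoof)")]
    chain += vif_rules(ROUTER_VIF, router_ips)
    chain += vif_rules(OTHER_VIF, ["12.34.56.5"])
    return chain


def router_prefix_rules(vif: str, prefix: str) -> List[Rule]:
    """Hypothetical extra rules for a router vif (not a Xen option): it may hand
    the bridge any packet destined to the prefix it routes, and may source it."""
    return [Rule("ACCEPT", physdev_in=vif, dst=prefix, comment=f"{vif} routes into {prefix}"),
            Rule("ACCEPT", physdev_in=vif, src=prefix, comment=f"{vif} forwards {prefix} out")]


# Constructed traffic. 203.0.113.10 is documentation address space. A packet
# crosses the bridge twice: uplink -> router VM, then router VM -> vif2.0.
SAMPLES = {
    "inbound_first_hop":  Packet("203.0.113.10", "12.34.56.5", in_dev=PETH, out_dev=ROUTER_VIF),
    "inbound_second_hop": Packet("203.0.113.10", "12.34.56.5", in_dev=ROUTER_VIF, out_dev=OTHER_VIF),
    "outbound_second_hop": Packet("12.34.56.5", "203.0.113.10", in_dev=ROUTER_VIF, out_dev=PETH),
    # 12.34.56.5 spoofing a neighbour's address must stay dropped.
    "spoofed": Packet("12.34.56.77", "203.0.113.10", in_dev=OTHER_VIF, out_dev=ROUTER_VIF),
}


def verdicts(chain: List[Rule]) -> dict:
    return {name: forward_verdict(chain, p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in [
        ("router ip=12.34.56.1", antispoof_chain(["12.34.56.1"])),
        ("router ip=12.34.56.1 12.34.56.5", antispoof_chain(["12.34.56.1", "12.34.56.5"])),
        ("router + prefix rules", antispoof_chain(["12.34.56.1"])
         + router_prefix_rules(ROUTER_VIF, "12.34.56.0/24")),
    ]:
        print(f"{label}: {verdicts(chain)}")
```

The first two configurations drop `inbound_second_hop` at the chain policy, which is the failure the message reports; the second one accepts `outbound_second_hop` only because 12.34.56.5 now appears in the router's own `-s` list. With the prefix rules added for the router's vif, both hops pass while the spoofed frame from vif2.0 is still dropped, because the anti-spoof `-s` rules on the non-router vifs are untouched. Whatever rules you settle on, check them on the live dom0 with the per-rule packet counters from `iptables -nvL FORWARD` while a VM behind the router tries to reach the outside.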

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel