WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

Re: [Xen-users] ip antispoof in Xen 3.4.2

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] ip antispoof in Xen 3.4.2
From: Felix Kuperjans <felix@xxxxxxxxxxxxxxxxxx>
Date: 23 Jun 2010 23:10:25 +0200
Delivery-date: 23 Jun 2010 14:13:22 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <AANLkTillxCN_mDr3NgZljw_E79U208Yj44qGYhVBcvbM@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <AANLkTillxCN_mDr3NgZljw_E79U208Yj44qGYhVBcvbM@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100613 Shredder/3.0.4
Hi KC LO,

The rules should work with XEN 3.4.2 or even XEN 4.0.0 as well, as they rely on the bridging code in the kernel, which is not dependent on the XEN version.

I've got no idea why this behaviour has changed, but if the old behaviour is ok for you, you should be able to use those rules manually.

Regards,
Felix

P.S.: Those rules will not really deny IP / ARP spoofing at all...

On 23.06.2010 21:49, KC LO wrote:
2) Under /etc/xen/xend-config.sxp, I need to append antispoof=yes to the end of the "network-script"
(network-script 'network-bridge antispoof=yes')
3) sysctl -w "net.bridge.bridge-nf-call-iptables=1" in order to allow forwarding to use iptables.
I observed that when I start a new domain with the ip defined in vif, it will add an iptables rule under the FORWARD section automatically. This makes IP anti-spoof work.
However, when I upgrade Xen 3 to Xen 3.4.2, the above function is not working. I found out that the iptables rule under network-bridge has changed.
For the anti-spoof section in the network-bridge script of Xen 3.4.2, it has removed
"iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT".
Xen 3.0 anti-spoof section:
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT
}
Xen 3.4.2 anti-spoof section:
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
}
Any reason for Xen 3.4.2 to remove this filtering rule? Is it safe that I add this rule to Xen 3.4.2 in order to make anti-spoof work?

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users 
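An added audit script (not part of the thread or of Xen's network-bridge script) that checks a FORWARD chain for the properties the quoted antispoofing() functions and the per-vif rules are supposed to establish: default DROP, an ACCEPT for the physical uplink ${pdev}, the ACCEPT for dom0's ${vif0} that Xen 3.4.2 no longer adds, and a source address on every guest-vif ACCEPT. The three chain dumps are constructed for this example; on a live host the chain only sees bridged traffic when net.bridge.bridge-nf-call-iptables=1, as in the quoted step 3, and these rules say nothing about ARP.

```shell
#!/bin/sh
# Constructed samples of `iptables -S FORWARD` output (not captured from a real
# host). peth0 is the physical uplink, vif0.0 dom0's bridge port, vif5.0 a guest.
XEN30='-P FORWARD DROP
-A FORWARD -m physdev --physdev-in peth0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif0.0 -j ACCEPT
-A FORWARD -s 192.0.2.10/32 -m physdev --physdev-in vif5.0 -j ACCEPT'
# The same host after the Xen 3.4.2 antispoofing(): the vif0 rule is missing.
XEN342='-P FORWARD DROP
-A FORWARD -m physdev --physdev-in peth0 -j ACCEPT
-A FORWARD -s 192.0.2.10/32 -m physdev --physdev-in vif5.0 -j ACCEPT'
# A guest rule added by hand without -s: it accepts any source, so it is
# not antispoofing at all.
LOOSE='-P FORWARD DROP
-A FORWARD -m physdev --physdev-in peth0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif0.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif5.0 -j ACCEPT'

# audit_forward_chain DUMP PDEV VIF0: prints one finding per line and returns
# the number of findings; prints "ok" and returns 0 when the chain looks right.
# On a live host: audit_forward_chain "$(iptables -S FORWARD)" peth0 vif0.0
# Only IPv4 forwarding is checked here; ARP on the bridge is not seen by iptables.
audit_forward_chain() {
  dump=$1; pdev=$2; vif0=$3; bad=0
  # 1. Default policy must be DROP, or a vif matching no rule is forwarded anyway.
  if ! printf '%s\n' "$dump" | grep -q '^-P FORWARD DROP$'; then
    echo "policy: FORWARD default is not DROP"; bad=$((bad + 1))
  fi
  # 2. The physical uplink must be accepted, or nothing from outside reaches guests.
  if ! printf '%s\n' "$dump" | grep -q -- "--physdev-in $pdev -j ACCEPT"; then
    echo "uplink: no ACCEPT for --physdev-in $pdev"; bad=$((bad + 1))
  fi
  # 3. dom0's own bridge port must be accepted; this is the rule the Xen 3.4.2
  #    antispoofing() no longer adds, so dom0 forwarding falls through to DROP.
  if ! printf '%s\n' "$dump" | grep -q -- "--physdev-in $vif0 -j ACCEPT"; then
    echo "dom0: no ACCEPT for --physdev-in $vif0"; bad=$((bad + 1))
  fi
  # 4. A guest-vif ACCEPT with no -s source match lets that guest send from
  #    any address, which is exactly what the chain is meant to prevent.
  loose=$(printf '%s\n' "$dump" | grep -- '--physdev-in vif' |
          grep -v -- "--physdev-in $vif0 " | grep -v -- ' -s ' || true)
  if [ -n "$loose" ]; then
    printf 'vif: ACCEPT without source check: %s\n' "$loose"; bad=$((bad + 1))
  fi
  [ "$bad" -eq 0 ] && echo ok
  return "$bad"
}
```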