Comments on: Preventing ip conflicts in xen

By: xdaan

xdaan — Sun, 11 Apr 2010 23:15:46 +0000

Hi,

I’ve tried this solution, but unfortunately it seems to me that it doesn’t give the expected results. Problem with IP spoofing is still there.

So if you really want to prevent stealing IP adressess inside of XEN domU, here is my tested an 120% working solution – http://xdaan.envirobyte.sk/rand.php?x=xen-ip-conflict

By: Avoid IP conflicts in Xen DomU | Planet Admon

Avoid IP conflicts in Xen DomU | Planet Admon — Thu, 12 Nov 2009 09:28:05 +0000

[...] This post is original created by Branko at his blog site. I copied his content, and updated some settings so that it can work in CentOS-5.4). Share [...]

By: Branko

Branko — Fri, 17 Apr 2009 16:55:29 +0000

So after a while of chating we figured this is infact the correct diff for centos 5.3 I'm including my whole vif-bridge script for centos 5.3 that eventualy worked: Centos 5.3 vif-bridge script

By: Anand Gupta

Anand Gupta — Thu, 16 Apr 2009 23:16:00 +0000

Thanks for the reply.

Yes they seem to be working.

ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: new, entries: 0, policy: ACCEPT

Here is the diff of the changes i made, if its of any help.

diff -u vif-bridge vif-bridge-custom
— vif-bridge 2009-04-14 23:35:08.000000000 -0400
+++ vif-bridge-custom 2009-04-15 01:33:39.000000000 -0400
@@ -57,15 +57,37 @@
online)
setup_bridge_port “$vif”
add_to_bridge “$bridge” “$vif”
+ ebtables -N $vif
+ ebtables -P $vif DROP
+ ebtables -A INPUT -i $vif -j $vif
+ ebtables -A FORWARD -i $vif -j $vif
+ ebtables -A $vif -p ARP –arp-opcode 1 -j ACCEPT
+
+ if [ ! -z "$ip" ]
+ then
+ for oneip in $ip
+ do
+ ebtables -A $vif -p IPv4 –ip-src $oneip -j ACCEPT
+ ebtables -A $vif -p IPv4 –ip-dst $oneip -j ACCEPT
+ ebtables -A $vif -p ARP –arp-opcode 2 –arp-ip-src $oneip -j ACCEPT
+ done
+
+ ebtables -A $vif –log-prefix=”arp-drop” –log-arp -j DROP
+
+ fi
;;

offline)
do_without_error brctl delif “$bridge” “$vif”
do_without_error ifconfig “$vif” down
+ do_without_error ebtables -D INPUT -i $vif -j $vif
+ do_without_error ebtables -D FORWARD -i $vif -j $vif
+ do_without_error ebtables -F $vif
+ do_without_error ebtables -X $vif
;;
esac

-handle_iptable
+#handle_iptable

log debug “Successful vif-bridge $command for $vif, bridge $bridge.”
if [ "$command" == "online" ]

Is is possible that we can communicate over email ?

By: Branko

Branko — Thu, 16 Apr 2009 15:41:05 +0000

I will look into it, thanks for pointing this out. Can you tell me if ebtables are working properly on your system? Try ebtables -L

By: Anand Gupta

Anand Gupta — Wed, 15 Apr 2009 18:45:29 +0000

The diff doesn’t with the vif-script coming with centos 5.3, xen 3.0.3-80. So i made the changes by hand. Now domU won’t boot.

Error: Device 0 (vif) could not be connected. /etc/xen/scripts/vif-bridge-custom failed; error detected.

Is there a way to find out what the error is exactly ? I tried to look at the xend log files, however can’t seem to find anything there.

Thanks

By: David

David — Tue, 07 Apr 2009 23:01:40 +0000

Can you amend this to stop MAC spoofing also?

By: Branko

Branko — Tue, 04 Nov 2008 09:58:32 +0000

Please notice that as of today
ebtables -A $vif –log-prefix=”arp-drop” –log-arp -j DROP
in script above is moved outside of while loop for adding ip addresses. Thing is if it stays inside of the loop drop statement will be added after first added ip address thus rendering all ip addresses added afterwards inaccessible.

By: Multiple xen network interfaces | - [ t o i c . o r g ] -

Multiple xen network interfaces | - [ t o i c . o r g ] - — Mon, 06 Oct 2008 21:32:49 +0000

[...] if you wish to use ip conflict prevention you must add additional mac section in vif [...]

By: Alesandro

Alesandro — Thu, 25 Sep 2008 13:01:59 +0000

imas supač blogač:) ..sorry..al sam morao spamat malo ..idem hakirat joomle ..LOL