So, I was testing Xen's Auto-Spoof mechanism on a rhel5.1 box last weekend.
(I accidentally posted this to the RHELv4 list- this is just a repost to
the correct people)
I set it up the usual way: I edit /etc/xen/xend-config.sxp and add
(network-script 'network-bridge antispoof=yes')
and then I edit the config file for my DomU to add the following vif,
vif = ['ip=192.168.1.47,bridge=xenbr0']
It puts reasonable-looking rules in the FORWARD chain, but it doesn't actually
do any blocking. The guest can still spoof at will. Running iptables -V
shows that packets sent through the bridge do not hit the FORWARD chain
at all.
I note that /proc/sys/net/bridge/bridge-nf-call-iptables is false.
echo 1 >/proc/sys/net/bridge/bridge-nf-call-iptables
fixes the problem. Packets are allowed or dropped as expected.
This is a very important thing for those of us providing service to untrusted
users.
Perhaps this should be done by the RHEL version of
/etc/xen/scripts/network-bridge, if antispoof is set to yes? for now,
that's what I've done on my boxes. Could this be made default for future
versions of RHEL?
Thanks.
--
Luke Crawford
http://prgmr.com/~lsc
_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list
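The fix described in the post, as a small script added here by the editor (it is not code from the original message, from Xen, or from RHEL). It turns on the bridge-nf-call-iptables sysctl that the antispoof FORWARD rules depend on, makes the change persistent, and shows the counters check. The sysctl and sysctl.conf paths are parameters with the real RHEL5 locations as defaults, so the functions can be exercised on a non-Xen box; the function names and the forward_hits helper (which just runs iptables -nvL on the chain) are the editor's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Xen/RHEL.
# Turns on the bridge netfilter hook that Xen's antispoof FORWARD rules
# depend on, persists it, and shows how to confirm that bridged packets
# actually traverse the FORWARD chain.

BRIDGE_NF_DEFAULT=/proc/sys/net/bridge/bridge-nf-call-iptables
SYSCTL_CONF_DEFAULT=/etc/sysctl.conf

# bridge_nf_enabled [path]: true (0) when the sysctl reads 1.
bridge_nf_enabled() {
    f=${1:-$BRIDGE_NF_DEFAULT}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# enable_bridge_nf [path]: set the sysctl to 1 (idempotent). On a real
# host this needs root and the bridge module loaded (xenbr0 up); until
# then the /proc entry does not exist and there is nothing to write to.
enable_bridge_nf() {
    f=${1:-$BRIDGE_NF_DEFAULT}
    if [ ! -e "$f" ]; then
        echo "enable_bridge_nf: $f missing; is the bridge module loaded?" >&2
        return 1
    fi
    bridge_nf_enabled "$f" && return 0
    echo 1 > "$f" || return 1
    bridge_nf_enabled "$f"
}

# persist_bridge_nf [conf]: add the key to sysctl.conf exactly once.
# Caveat: at boot sysctl.conf is applied before xend builds xenbr0, so the
# key may not exist yet and "sysctl -p" will complain about it. Setting it
# from /etc/xen/scripts/network-bridge when antispoof=yes, as the post
# suggests, runs after the bridge exists and is therefore more reliable.
persist_bridge_nf() {
    conf=${1:-$SYSCTL_CONF_DEFAULT}
    key='net.bridge.bridge-nf-call-iptables'
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$conf" 2>/dev/null; then
        return 0   # already present; do not duplicate the line
    fi
    printf '%s = 1\n' "$key" >> "$conf"
}

# forward_hits [chain]: list the chain with packet/byte counters. If the
# counters on the antispoof rules stay at zero while the guest sends
# traffic, bridged packets are bypassing netfilter and the sysctl is off.
# Only meaningful as root on the Xen dom0.
forward_hits() {
    iptables -nvL "${1:-FORWARD}" 2>/dev/null
}

# Typical use on the dom0, as root:
#   enable_bridge_nf && persist_bridge_nf && forward_hits
```

After enabling the sysctl, send a few packets from the DomU with a forged source address and run forward_hits again: the ACCEPT rule for the configured vif IP should count the legitimate packets, and the spoofed ones should land on the DROP rule or the chain policy instead of passing untouched.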