On Thu, Jul 26, 2012 at 2:38 AM, Oliver Francke <[email protected]> wrote:
> Hi *,
>
> as there are many guys around here with OVS and qemu-virtualization I think
> it's the right place to ask ;)
>
> Currently I have some basic rulesets ala:
>
> # --- 8-< ---
> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0
> nw_dst=224.0.0.0/24 priority=40000 action=drop"
> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0 dl_src=${MAC}
> nw_src=${IP} priority=39000 action=resubmit("${PORT}",1)"
> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0 priority=100
> action=drop"
>
> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" table=1 priority=100
> action=normal"
> # --- 8-< ---
>
> that is: drop some broadcasts, allow the VM's configured MAC + IP to jump to
> the next table, and there place some additional rules, if any.
>
> This works, I see no more traffic if I do some changing of eth0's
> MAC-address or changing my VM's IP. Fine.
>
> Now there are evil characters around :-\
> My enemy is arp-poisoning via ettercap or arpspoof. Programs that are
> available in deb-packages.
>
> Well, what do you do against mangled payload:
>
> # --- 8-< ---
> Hardware type: Ethernet (0x0001)
> Protocol type: IP (0x0800)
> .
> .
> Sender MAC address: 00:f1:70:00:38:b0 (00:f1:70:00:38:b0)
> Sender IP address: 192.168.1.30 (192.168.1.30)
> # --- 8-< ---
>
> whereas the sender's MAC is correct, and the IP is faked, it's from the VM I
> want to attack.
>
> Is there any way in OVS to detect via offset/pattern/whatever such a mess?
>
> Or administer a static table in OVS with valid MACs <-> IPs?
Well you can match on the IPs and MACs in the payload of ARP packets using flows and drop anything that doesn't hit.

_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
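As a concrete illustration of the reply above (an added example, not code from either poster or from the Open vSwitch project): the quoted rules only ever match `ip`, so ARP from the VM port currently falls through to the bridge's default NORMAL flow untouched. The script below emits two extra flows per port that mirror the existing IP rules for ARP. It matches the sender fields inside the ARP body (`arp_sha`, `arp_spa`), not just the Ethernet header (`dl_src`), which is exactly the field ettercap forges while keeping the source MAC honest. It assumes an OVS release whose `ovs-ofctl` accepts `arp_sha`/`arp_spa` as match fields (older releases accept `nw_src` for the ARP sender IP but have no sender-MAC match), and the bridge, port, MAC and IP values are placeholders. `arp_guard_verdict` is a hypothetical helper that applies the same two rules to one ARP packet so the poisoned packet from the thread can be checked offline.

```shell
#!/bin/sh
# Added example, not from the original thread. Pins one VM port to a single
# (MAC, IP) pair for ARP, alongside the IP-only rules already on the bridge.
# BRIDGE/PORT/MAC/IP are placeholders; arp_sha/arp_spa are assumed to be
# accepted by this ovs-ofctl release.

# Print the two flow specs for a port. The first accepts ARP only when the
# Ethernet source AND the ARP sender hardware/protocol addresses all belong
# to the VM, and resubmits to table 1 like the existing IP rule. The second
# drops every other ARP frame from that port. Both priorities sit above the
# bridge's default priority-0 NORMAL flow and the port's priority-100 drop.
arp_guard_flows() {
    port=$1; mac=$2; ip=$3
    cat <<EOF
in_port=${port},arp,dl_src=${mac},arp_sha=${mac},arp_spa=${ip},priority=39000,actions=resubmit(${port},1)
in_port=${port},arp,priority=38000,actions=drop
EOF
}

# Install the flows on a bridge. With OVS_DRY_RUN=1 the ovs-ofctl commands
# are printed instead of executed, so the result can be reviewed first.
apply_arp_guard() {
    bridge=$1; port=$2; mac=$3; ip=$4
    arp_guard_flows "$port" "$mac" "$ip" | while IFS= read -r flow; do
        if [ "${OVS_DRY_RUN:-0}" = 1 ]; then
            printf 'ovs-ofctl add-flow %s "%s"\n' "$bridge" "$flow"
        else
            ovs-ofctl add-flow "$bridge" "$flow"
        fi
    done
}

# Hypothetical offline check: apply the same two rules to one ARP packet.
# Arguments: expected MAC, expected IP, then the packet's dl_src, arp_sha,
# arp_spa. Prints "allow" or "drop". The poisoned packet in the thread has a
# correct sender MAC but the victim's IP as arp_spa, so it hits "drop".
arp_guard_verdict() {
    mac=$1; ip=$2; dl_src=$3; sha=$4; spa=$5
    if [ "$dl_src" = "$mac" ] && [ "$sha" = "$mac" ] && [ "$spa" = "$ip" ]; then
        echo allow
    else
        echo drop
    fi
}

# Usage (placeholder values): show what would be installed for port 5.
# OVS_DRY_RUN=1 apply_arp_guard vmbr0 5 00:f1:70:00:38:b0 192.168.1.31
```

Note that this only polices what the VM sends; the target-side fields (`arp_tha`, `arp_tpa`) and ARP replies arriving at the port from other hosts are left alone, which is usually what you want, since every port on the bridge gets its own pair of rules and the victim's port is protected by its own pinning.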
