Good day.
I've started looking at the XCP rules applied in locked mode
(antispoofing). They look really strange.
Here is the output of ovs-ofctl dump-flows xenbr1 for a single VM with the following
settings on the vif:
locking-mode ( RW): locked
ipv4-allowed (SRW): 31.186.98.19
ipv6-allowed (SRW): a100::ff00
ovs-ofctl dump-flows xenbr0|sort -k 8 -r
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=296.668s, table=0, n_packets=0, n_bytes=0, priority=8000,udp,in_port=3,dl_src=a6:9a:38:42:e0:ae,tp_dst=67 actions=NORMAL
cookie=0x0, duration=296.654s, table=0, n_packets=0, n_bytes=0, priority=7000,arp,in_port=3,dl_src=a6:9a:38:42:e0:ae,nw_src=0.0.0.0,arp_sha=a6:9a:38:42:e0:ae actions=NORMAL
cookie=0x0, duration=296.641s, table=0, n_packets=0, n_bytes=0, priority=7000,arp,in_port=3,dl_src=a6:9a:38:42:e0:ae,nw_src=31.186.98.19,arp_sha=a6:9a:38:42:e0:ae actions=NORMAL
cookie=0x0, duration=296.628s, table=0, n_packets=0, n_bytes=0, priority=6000,ip,in_port=3,dl_src=a6:9a:38:42:e0:ae,nw_src=31.186.98.19 actions=NORMAL
cookie=0x0, duration=296.615s, table=0, n_packets=0, n_bytes=0, priority=8000,icmp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00,icmp_type=135,nd_sll=a6:9a:38:42:e0:ae actions=NORMAL
cookie=0x0, duration=296.602s, table=0, n_packets=0, n_bytes=0, priority=8000,icmp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00,icmp_type=136,nd_target=a100::ff00 actions=NORMAL
cookie=0x0, duration=296.589s, table=0, n_packets=0, n_bytes=0, priority=5000,icmp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00 actions=NORMAL
cookie=0x0, duration=296.576s, table=0, n_packets=0, n_bytes=0, priority=5000,tcp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00 actions=NORMAL
cookie=0x0, duration=296.563s, table=0, n_packets=0, n_bytes=0, priority=5000,udp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00 actions=NORMAL
cookie=0x0, duration=296.55s, table=0, n_packets=0, n_bytes=0, priority=7000,icmp6,in_port=3,icmp_type=135 actions=drop
cookie=0x0, duration=296.537s, table=0, n_packets=0, n_bytes=0, priority=7000,icmp6,in_port=3,icmp_type=136 actions=drop
cookie=0x0, duration=296.524s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=134 actions=drop
cookie=0x0, duration=296.512s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=137 actions=drop
cookie=0x0, duration=296.499s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=146 actions=drop
cookie=0x0, duration=296.48s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=151 actions=drop
cookie=0x0, duration=296.489s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=147 actions=drop
cookie=0x0, duration=296.472s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=152 actions=drop
cookie=0x0, duration=296.463s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=153 actions=drop
cookie=0x0, duration=296.455s, table=0, n_packets=0, n_bytes=0, priority=4000,in_port=3 actions=drop
cookie=0x0, duration=1130.774s, table=0, n_packets=6198, n_bytes=998970, priority=0 actions=NORMAL
Set of questions:
1) Why are there those strange 'icmp_type=X actions=drop' rules before the 'drop all'?
2) Why does ipv6 allow only tcp and udp? Are all other protocols banned?
3) UDP enabled by default for DHCP is not really good, because the sender
can fake the source address and send DHCP requests outside the network, allowing
the virtual machine to be used to attack a victim with a faked source IP address.
_______________________________________________
Xen-api mailing list
[email protected]
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
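The three questions in the mail can be checked by walking the quoted table the way the switch does: highest priority first, first full match wins. The Python script below is an added example, not code from the post, from XCP or from Open vSwitch. It parses the ovs-ofctl flow lines quoted above, expands the protocol shorthands (udp, arp, icmp6, tcp6, ...) into the dl_type/nw_proto fields they stand for, and reports which rule a given frame from the locked VIF hits. The sample frames (a DHCP request with a source address outside ipv4-allowed, an ICMPv6 router advertisement from the allowed address, an SCTP-over-IPv6 packet) are constructed here to probe each question; the ruleset is the one from the mail, with the cookie/duration/counter fields dropped.

```python
"""Simulate priority-ordered OpenFlow matching over the XCP locked-mode ruleset.

Added example (not from the post, XCP or Open vSwitch). Field names follow
ovs-ofctl; for ARP frames ovs-ofctl's nw_src means the sender protocol address.
"""
from typing import Dict, List, Tuple

# Flow table from the ovs-ofctl dump-flows output quoted in the mail, one flow per line.
FLOW_DUMP = """
priority=8000,udp,in_port=3,dl_src=a6:9a:38:42:e0:ae,tp_dst=67 actions=NORMAL
priority=7000,arp,in_port=3,dl_src=a6:9a:38:42:e0:ae,nw_src=0.0.0.0,arp_sha=a6:9a:38:42:e0:ae actions=NORMAL
priority=7000,arp,in_port=3,dl_src=a6:9a:38:42:e0:ae,nw_src=31.186.98.19,arp_sha=a6:9a:38:42:e0:ae actions=NORMAL
priority=6000,ip,in_port=3,dl_src=a6:9a:38:42:e0:ae,nw_src=31.186.98.19 actions=NORMAL
priority=8000,icmp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00,icmp_type=135,nd_sll=a6:9a:38:42:e0:ae actions=NORMAL
priority=8000,icmp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00,icmp_type=136,nd_target=a100::ff00 actions=NORMAL
priority=5000,icmp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00 actions=NORMAL
priority=5000,tcp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00 actions=NORMAL
priority=5000,udp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00 actions=NORMAL
priority=7000,icmp6,in_port=3,icmp_type=135 actions=drop
priority=7000,icmp6,in_port=3,icmp_type=136 actions=drop
priority=6000,icmp6,in_port=3,icmp_type=134 actions=drop
priority=6000,icmp6,in_port=3,icmp_type=137 actions=drop
priority=6000,icmp6,in_port=3,icmp_type=146 actions=drop
priority=6000,icmp6,in_port=3,icmp_type=151 actions=drop
priority=6000,icmp6,in_port=3,icmp_type=147 actions=drop
priority=6000,icmp6,in_port=3,icmp_type=152 actions=drop
priority=6000,icmp6,in_port=3,icmp_type=153 actions=drop
priority=4000,in_port=3 actions=drop
priority=0 actions=NORMAL
"""

# ovs-ofctl protocol shorthands and the header fields each one implies.
PROTO_SHORTHAND = {
    "ip": {"dl_type": "ip"}, "arp": {"dl_type": "arp"}, "ipv6": {"dl_type": "ipv6"},
    "udp": {"dl_type": "ip", "nw_proto": "udp"}, "tcp": {"dl_type": "ip", "nw_proto": "tcp"},
    "icmp": {"dl_type": "ip", "nw_proto": "icmp"},
    "udp6": {"dl_type": "ipv6", "nw_proto": "udp"}, "tcp6": {"dl_type": "ipv6", "nw_proto": "tcp"},
    "icmp6": {"dl_type": "ipv6", "nw_proto": "icmp6"},
}
# Bookkeeping fields ovs-ofctl prints before the match; they are not match criteria.
SKIP = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age", "hard_age"}

Flow = Tuple[int, Dict[str, str], str]  # (priority, match fields, action)


def parse_flows(dump: str) -> List[Flow]:
    """Turn dump-flows lines into (priority, match, action) triples, highest priority first."""
    flows: List[Flow] = []
    for line in dump.splitlines():
        if " actions=" not in line:  # skips blank lines and the NXST_FLOW header
            continue
        head, action = line.strip().rsplit(" actions=", 1)
        priority, match = 0, {}
        for tok in (t.strip() for t in head.split(",")):
            if "=" in tok:
                key, value = tok.split("=", 1)
                if key == "priority":
                    priority = int(value)
                elif key not in SKIP:
                    match[key] = value
            elif tok in PROTO_SHORTHAND:
                match.update(PROTO_SHORTHAND[tok])
            else:
                raise ValueError(f"unknown match token {tok!r}")
        flows.append((priority, match, action))
    # Stable sort keeps dump order among equal priorities (OVS leaves that order unspecified).
    flows.sort(key=lambda f: -f[0])
    return flows


def lookup(flows: List[Flow], packet: Dict[str, str]) -> Tuple[int, str]:
    """Return (priority, action) of the first flow whose every match field equals the packet's."""
    for priority, match, action in flows:
        if all(packet.get(k) == v for k, v in match.items()):
            return priority, action
    raise LookupError("table miss")  # cannot happen here: priority=0 is a catch-all


FLOWS = parse_flows(FLOW_DUMP)
VM_MAC = "a6:9a:38:42:e0:ae"  # the locked VIF's MAC, from the quoted rules


def verdict(**fields: str) -> Tuple[int, str]:
    """Classify a frame arriving from the locked VIF (in_port 3, VM MAC unless overridden)."""
    return lookup(FLOWS, {"in_port": "3", "dl_src": VM_MAC, **fields})


if __name__ == "__main__":
    # Constructed probe frames for the three questions; 10.0.0.5 / a100::1 are made-up
    # addresses that are NOT in ipv4-allowed / ipv6-allowed.
    probes = {
        "DHCP request, source outside ipv4-allowed": dict(dl_type="ip", nw_proto="udp", nw_src="10.0.0.5", tp_dst="67"),
        "DNS query, source outside ipv4-allowed": dict(dl_type="ip", nw_proto="udp", nw_src="10.0.0.5", tp_dst="53"),
        "ND solicitation from allowed v6 address": dict(dl_type="ipv6", nw_proto="icmp6", ipv6_src="a100::ff00", icmp_type="135", nd_sll=VM_MAC),
        "ND solicitation from other v6 address": dict(dl_type="ipv6", nw_proto="icmp6", ipv6_src="a100::1", icmp_type="135", nd_sll=VM_MAC),
        "Router advertisement from allowed v6 address": dict(dl_type="ipv6", nw_proto="icmp6", ipv6_src="a100::ff00", icmp_type="134"),
        "SCTP over IPv6 from allowed v6 address": dict(dl_type="ipv6", nw_proto="sctp", ipv6_src="a100::ff00"),
    }
    for name, fields in probes.items():
        print(f"{name:48s} -> priority={verdict(**fields)[0]} {verdict(**fields)[1]}")
```

Running it shows what the table actually enforces. The priority-8000 DHCP rule matches on dl_src and tp_dst only, so a DHCP request carrying any source address is passed to NORMAL, which is exactly point 3; the same frame aimed at port 53 falls through to the priority-4000 in_port drop. The typed ICMPv6 drops (question 1) sit at 6000 and 7000 precisely so that they outrank the priority-5000 "icmp6 from the allowed address" permit: a router advertisement (type 134) or redirect (137) is dropped even when its source is a100::ff00, while neighbour solicitations and advertisements are only passed through the stricter 8000 rules that also check nd_sll or nd_target. For question 2, an IPv6 packet whose next header is neither tcp, udp nor icmp6 matches none of the 5000 permits and hits the 4000 drop. When auditing a host, the n_packets counters on those drop rules in a later dump-flows are the quickest sign that a guest is emitting traffic the lock is rejecting.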