<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On 1 April 2014 08:04, shiva m <span dir="ltr">&lt;<a href="mailto:anjaneya2@gmail.com" target="_blank">anjaneya2@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div><div><div><div><div>Thank you for the response. I tried adding security groups from the dashboard, but it doesn't help. I was trying to spoof a VM instance with a spoofed source MAC and a spoofed source IP, but the packet is not reaching br-int. If I give the proper source MAC and proper source IP, the packet reaches br-int and things work normally. I observed that OpenStack stops spoofed packets which are not originating from the VM instance before they reach br-int (at the tap interface).</div>
</div></div></div></div></div></blockquote><div><br></div><div>In this case applying security groups won't help at all. Both MAC and IP spoofing protection are enabled on the hypervisor level by libvirt as part of the instance instantiation. More details here: <a href="http://libvirt.org/firewall.html">http://libvirt.org/firewall.html</a></div>
<div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div> I need help to send a spoofed packet from the VM. Is there any way to disable the iptables rules?<br>
</div></div></div></div></div></div></blockquote><div><br></div><div>There is, but it's global for that compute host - the templates that apply the network filters to protect against spoofing need to be removed.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div></div>
</div>
</div>Also, adding security group rules using the command line and using the dashboard: are they the same?<br></div></div></div></blockquote><div><br></div><div>Yes - almost. I don't know if Horizon's interface to security groups is still going through the nova api in Icehouse. If it is, the application of the rules is only ingress whereas through the neutron CLI you're able to define ingress and egress rules. On the CLI you're also able to be more granular in the application of your rules/groups.</div>
<div><br></div><div>From a use-case standpoint it may be interesting to understand why you need to allow spoofing - if you don't mind, can you describe the purpose? We may be able to help you find an alternative method.</div>
</div></div></div>
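<div>Added example, not part of the original thread: a small audit that checks which guest interfaces on a compute host still carry libvirt's anti-spoofing network filters, following nested filter references. It assumes libvirt's stock filter names (clean-traffic, no-mac-spoofing, no-ip-spoofing), which the thread does not name; the XML, the tap device names and the site-allow-all filter are constructed samples shaped like the output of virsh dumpxml and virsh nwfilter-dumpxml.</div>

```python
import xml.etree.ElementTree as ET

# Constructed, simplified nwfilter definitions (real ones come from
# `virsh nwfilter-dumpxml <name>`). "site-allow-all" is a hypothetical local filter.
FILTERS = {
    "clean-traffic": "<filter name='clean-traffic'>"
                     "<filterref filter='no-mac-spoofing'/>"
                     "<filterref filter='no-ip-spoofing'/>"
                     "<filterref filter='no-arp-spoofing'/></filter>",
    "no-mac-spoofing": "<filter name='no-mac-spoofing' chain='mac'/>",
    "no-ip-spoofing": "<filter name='no-ip-spoofing' chain='ipv4-ip'/>",
    "no-arp-spoofing": "<filter name='no-arp-spoofing' chain='arp'/>",
    "site-allow-all": "<filter name='site-allow-all'>"
                      "<rule action='accept' direction='inout'/></filter>",
}

# Constructed domain XML (real one comes from `virsh dumpxml <domain>`).
DOMAIN_XML = """<domain type='kvm'><name>instance-constructed</name><devices>
 <interface type='bridge'><target dev='tap0'/><filterref filter='clean-traffic'/></interface>
 <interface type='bridge'><target dev='tap1'/><filterref filter='site-allow-all'/></interface>
 <interface type='bridge'><target dev='tap2'/></interface>
</devices></domain>"""

# Filters that must be reachable for MAC and IP spoofing protection (assumption).
REQUIRED = {"no-mac-spoofing", "no-ip-spoofing"}

def reachable_filters(name, definitions, seen=None):
    """Return every filter name reachable from `name` through nested <filterref>."""
    seen = set() if seen is None else seen
    if name in seen:          # guards against reference cycles
        return seen
    seen.add(name)
    xml = definitions.get(name)
    if xml is not None:       # a referenced but undefined filter is recorded, not expanded
        for ref in ET.fromstring(xml).iter("filterref"):
            reachable_filters(ref.get("filter"), definitions, seen)
    return seen

def audit_domain(domain_xml, definitions):
    """Map each interface's tap device to the required filters it is missing."""
    report = {}
    for iface in ET.fromstring(domain_xml).iter("interface"):
        target = iface.find("target")
        dev = target.get("dev") if target is not None else "unknown"
        ref = iface.find("filterref")
        active = reachable_filters(ref.get("filter"), definitions) if ref is not None else set()
        report[dev] = sorted(REQUIRED - active)
    return report

if __name__ == "__main__":
    for dev, missing in audit_domain(DOMAIN_XML, FILTERS).items():
        print(dev, "OK" if not missing else "missing: " + ", ".join(missing))
```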