<div dir="ltr"><div><div><div>Hi,<br><br></div>I have figured some way to allow ip spoofing by using Q_USE_SECGROUP = false and changing nova-base.xml file. But I am still struggling to send spoof packets to my router VM. I see my packet is getting blocked at qbr bridge between OVS and VM. Could you please help me, how do I prevent these ebtable rules at qbr bridge to get applied to my packets or how do i stop these ebtables applied at qbr (bridge).<br>
</div><br></div>Thanks,<br>Shiva<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 1, 2014 at 3:42 PM, shiva m <span dir="ltr"><<a href="mailto:anjaneya2@gmail.com" target="_blank">anjaneya2@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi,<br><br></div>Thank you for response. I am running routing application on one of my VM, I have 3 VMs and my routing application is running on VM2. If I ping VM1 to VM3, I want my application to capture the packet and do some analysis like what kind of packet?is it secure? and just forward it to VM3 without any modifications. I started with simple test case to implement a router application but I stuck with anti-spoofing mechanism of openstack. I understand libvirt apply anti-spoofing security and I am trying 'virsh nwfilter' comands to change filter rules. You have mentioned that it is possible to disable iptable rules globally for compute host, can you please help me how can I disable iptables globally? and what services needs to be re-started?. Can anyone please outline me the steps required to allow spoofing?<br>
<br></div><div>Looking forward for your reply.<br></div><div><br></div>Thanks,<br></div>Shiva<br></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div class="h5">On Tue, Apr 1, 2014 at 12:44 PM, Jesse Pretorius <span dir="ltr"><<a href="mailto:jesse.pretorius@gmail.com" target="_blank">jesse.pretorius@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>On 1 April 2014 08:04, shiva m <span dir="ltr"><<a href="mailto:anjaneya2@gmail.com" target="_blank">anjaneya2@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div><div><div><div><div>Thank you for response. I tried adding security-groups from dashboard, but it doesnt help. I was trying to spoof a VM instance with spoof source MAC and spoof source IP, but the packet is not reaching br-int. If I give proper source MAC and proper source IP, the packet reaches br-int and things work normal. I observed Openstack stops spoof packets which are not originating from VM instance before reaching br-int (at tap interface).</div>
</div></div></div></div></div></blockquote><div><br></div></div><div>In this case applying security groups won't help at all. Both MAC and IP Spoofing protection is enabled on the hypervisor level by libvirt as part of the instance instantiation. More details here: <a href="http://libvirt.org/firewall.html" target="_blank">http://libvirt.org/firewall.html</a></div>
<div>
<div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div> I need help to send a spoof packet from VM. Is there any way to disable iptable rules.<br>
</div></div></div></div></div></div></blockquote><div><br></div></div><div>There is, but it's global for that compute host - the templates that apply the network filters to protect against spoofing need to be removed.</div>
<div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div></div>
</div>
</div>Also adding security group rules using command line and using dash-board are they same?<br></div></div></div></blockquote><div><br></div></div><div>Yes - almost. I don't know if Horizon's interface to security groups is still going through the nova api in Icehouse. If it is, the application of the rules is only ingress whereas through the neutron CLI you're able to define ingress and egress rules. On the CLU you're also able to be more granular in the application of your rules/groups.</div>
<div><br></div><div>From a use-case standpoint it may be interesting to understand why you need to allow spoofing - if you don't mind, can you describe the purpose? We may be able to help you find an alternative method.</div>
</div></div></div>
<br></div></div><div class="">_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org" target="_blank">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
<br></div></blockquote></div><br></div>
</blockquote></div><br></div>