[Openstack-operators] Help on Iptables in Openstack
anjaneya2 at gmail.com
Mon Apr 14 15:47:50 UTC 2014
I have figured out a way to allow IP spoofing by using Q_USE_SECGROUP
= false and changing the nova-base.xml file. But I am still struggling to
send spoofed packets to my router VM. I see my packet is getting blocked
at the qbr bridge between OVS and the VM. Could you please help me: how do I
prevent these ebtables rules at the qbr bridge from getting applied to my packets,
or how do I stop these ebtables rules being applied at qbr (the bridge)?
On Tue, Apr 1, 2014 at 3:42 PM, shiva m <anjaneya2 at gmail.com> wrote:
> Thank you for the response. I am running a routing application on one of my
> VMs. I have 3 VMs and my routing application is running on VM2. If I ping
> VM1 to VM3, I want my application to capture the packet and do some
> analysis like: what kind of packet? Is it secure? And then just forward it to
> VM3 without any modifications. I started with a simple test case to implement
> a router application but I got stuck with the anti-spoofing mechanism of
> OpenStack. I understand libvirt applies anti-spoofing security and I am
> trying 'virsh nwfilter' commands to change filter rules. You have mentioned
> that it is possible to disable iptables rules globally for the compute host;
> can you please help me with how I can disable iptables globally, and what
> services need to be restarted? Can anyone please outline for me the steps
> required to allow spoofing?
> Looking forward to your reply.
> On Tue, Apr 1, 2014 at 12:44 PM, Jesse Pretorius <
> jesse.pretorius at gmail.com> wrote:
>> On 1 April 2014 08:04, shiva m <anjaneya2 at gmail.com> wrote:
>>> Thank you for the response. I tried adding security groups from the dashboard,
>>> but it doesn't help. I was trying to spoof a VM instance with a spoofed source
>>> MAC and spoofed source IP, but the packet is not reaching br-int. If I
>>> give the proper source MAC and proper source IP, the packet reaches br-int
>>> and things work normally. I observed OpenStack stops spoofed packets which
>>> are not originating from the VM instance before reaching br-int (at tap
>> In this case applying security groups won't help at all. Both MAC and IP
>> spoofing protection are enabled at the hypervisor level by libvirt as part
>> of the instance instantiation. More details here:
>>> I need help to send a spoofed packet from a VM. Is there any way to disable
>>> iptables rules?
>> There is, but it's global for that compute host - the templates that
>> apply the network filters to protect against spoofing need to be removed.
>>> Also, adding security group rules using the command line and using the
>>> dashboard, are they the same?
>> Yes - almost. I don't know if Horizon's interface to security groups is
>> still going through the nova API in Icehouse. If it is, the application of
>> the rules is only ingress, whereas through the neutron CLI you're able to
>> define ingress and egress rules. On the CLI you're also able to be more
>> granular in the application of your rules/groups.
>> From a use-case standpoint it may be interesting to understand why you
>> need to allow spoofing - if you don't mind, can you describe the purpose?
>> We may be able to help you find an alternative method.
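Since the thread turns on whether the libvirt nwfilter chain is still attached to an instance's tap interfaces, here is an added example (not code from this thread, from Nova or from libvirt) that audits a domain's XML for the built-in no-mac-spoofing, no-ip-spoofing and no-arp-spoofing filters, following <filterref> nesting the way libvirt resolves it. The domain XML, the nova-base contents and the filter bodies below are constructed samples; on a real compute host you would feed it the output of `virsh dumpxml <instance>` and `virsh nwfilter-dumpxml <filter>` instead.

```python
import xml.etree.ElementTree as ET
# libvirt's built-in filters that provide the protection discussed in the thread
ANTI_SPOOF = {"no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing"}

# Constructed nwfilter definitions: same <filter>/<filterref> nesting libvirt
# uses, but NOT the real contents of nova-base.xml or of the built-in filters.
SAMPLE_FILTERS = {
    "nova-base": "<filter name='nova-base'><filterref filter='no-mac-spoofing'/>"
                 "<filterref filter='no-ip-spoofing'/><filterref filter='no-arp-spoofing'/>"
                 "<filterref filter='allow-dhcp-server'/></filter>",
    "no-mac-spoofing": "<filter name='no-mac-spoofing'><rule action='drop' direction='out'>"
                       "<mac match='no' srcmacaddr='$MAC'/></rule></filter>",
    "no-ip-spoofing": "<filter name='no-ip-spoofing'><rule action='drop' direction='out'>"
                      "<ip match='no' srcipaddr='$IP'/></rule></filter>",
    "no-arp-spoofing": "<filter name='no-arp-spoofing'><rule action='drop' direction='out'>"
                       "<arp match='no' arpsrcmacaddr='$MAC'/></rule></filter>",
}
# Constructed domain XML: tapdemo1 carries the filter chain, tapdemo2 has none.
SAMPLE_DOMAIN = """<domain type='kvm'><name>instance-demo</name><devices>
<interface type='bridge'><source bridge='qbrdemo1'/><target dev='tapdemo1'/>
<filterref filter='nova-base'><parameter name='IP' value='10.0.0.5'/></filterref></interface>
<interface type='bridge'><source bridge='qbrdemo2'/><target dev='tapdemo2'/></interface>
</devices></domain>"""

def expand_filter(name, filters, seen=None):
    """Return every filter name reachable from `name` via <filterref>, `name` included."""
    seen = set() if seen is None else seen
    if name in seen:
        return seen
    seen.add(name)
    if name in filters:  # filters absent from the dump (e.g. allow-dhcp-server) carry no sub-refs here
        for ref in ET.fromstring(filters[name]).iter("filterref"):
            expand_filter(ref.get("filter"), filters, seen)
    return seen

def audit_domain(domain_xml, filters=SAMPLE_FILTERS):
    """Map each interface's tap device to the anti-spoofing filters it is missing."""
    report = {}
    for iface in ET.fromstring(domain_xml).iter("interface"):
        target = iface.find("target")
        dev = target.get("dev") if target is not None else "(no target dev)"
        applied = set()
        for ref in iface.findall("filterref"):
            applied |= expand_filter(ref.get("filter"), filters)
        report[dev] = ANTI_SPOOF - applied
    return report

if __name__ == "__main__":
    for dev, missing in audit_domain(SAMPLE_DOMAIN).items():
        print(dev, "protected" if not missing else "missing: " + ", ".join(sorted(missing)))
```

An interface reported as missing all three filters is exactly the state the original poster is trying to reach, and the state an operator would want flagged on a production compute host.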