[Pkg-xen-devel] Bug#894013: xen-utils-common: issue with iptables antispoofing rules in xen4.8 generated by vif-bridge and vif-common.sh

Sebastian Piecha sebastian at piecha.net
Tue Nov 6 21:30:35 GMT 2018


The patch file has a little bug as I commented out the else branch in
the last if section. Now it works again...


--- vif-common.sh    2018-11-02 17:13:30.813238234 +0100

+++ vif-common.sh.new    2018-11-06 22:24:45.331845798 +0100
@@ -124,15 +124,30 @@
 {
   if [ "$command" == "online" -o "$command" == "add" ]
   then
-    local c="-I"
+###    local c="-I"
+    local ci="-I"
+    local ca="-A"
   else
-    local c="-D"
+###    local c="-D"
+    local ci="-D"
+    local ca="-D"
   fi
 
-  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in
"$dev" \
-    "$@" -j ACCEPT 2>/dev/null &&
-  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out
"$dev" \
-    -j ACCEPT 2>/dev/null
+### entfernt, da Antispoofing-Regel nicht funktioniert
+###  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in
"$dev" \
+###    "$@" -j ACCEPT 2>/dev/null &&
+### entfernt, da Antispoofing-Regel nicht funktioniert
+###  iptables "$c" FORWARD -m physdev --physdev-is-bridged
--physdev-out "$dev" \
+###    -j ACCEPT 2>/dev/null
+### neue Antispoofing-Regeln
+  iptables "$ca" domu -m physdev --physdev-is-bridged --physdev-out
"$dev" \
+    -p all -d "$2" -j ACCEPT 2>/dev/null &&
+  iptables "$ca" domu -m physdev --physdev-is-bridged --physdev-in "$dev" \
+    -p all -s "$2" -j ACCEPT 2>/dev/null &&
+  iptables "$ci" domu -m physdev --physdev-is-bridged --physdev-out
"$dev" \
+    -p all ! -d "$2" -j DROP 2>/dev/null &&
+  iptables "$ci" domu -m physdev --physdev-is-bridged --physdev-in "$dev" \
+    -p all ! -s "$2" -j DROP 2>/dev/null
 
   if [ \( "$command" == "online" -o "$command" == "add" \) -a $? -ne 0 ]
   then
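Review bot: the new rules at `iptables "$ca" domu ...` and `iptables "$ci" domu ...` append to and insert into a chain named `domu`, but nothing in this hunk creates that chain or jumps to it from FORWARD; if it does not exist every call fails, the failure is hidden by `2>/dev/null`, the `&&` chain short-circuits, and the `$? -ne 0` test that follows takes the error branch for every VIF on `online`/`add`. Create the chain (and a `FORWARD -j domu` jump) in the script, or document the external setup the patch depends on. Two further logic points: the DROP rules are added with `-I` (inserted at the top of the chain) while the ACCEPT rules use `-A` (appended), so when the function is called once per address for a domain with several addresses, the `! -s "$2" -j DROP` rule added for the first address sits above the ACCEPT rule added for the second and drops that address's traffic; and the function now reads the address from `$2` instead of passing `"$@"` through as before, so a call with no arguments produces `-d ""` and fails, which is what forces the caller's "allow anything" branch to be disabled. The `! -d "$2" -j DROP` rule on `--physdev-out` also drops broadcast and multicast frames bound for the guest, which should be stated as intended if it is. Finally, delete the `###`-commented dead code instead of leaving it in, and write the comments in English (`entfernt, da Antispoofing-Regel nicht funktioniert` = "removed, as the anti-spoofing rule does not work"; `neue Antispoofing-Regeln` = "new anti-spoofing rules"), since this is a shared Debian package script.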
@@ -170,10 +185,14 @@
       done
 
       # Always allow the domain to talk to a DHCP server.
-      frob_iptable -p udp --sport 68 --dport 67
+### entfernt, da DomUs kein DHCP benötigen, IP@ fix
+###      frob_iptable -p udp --sport 68 --dport 67
   else
       # No IP addresses have been specified, so allow anything.
-      frob_iptable
+      # needs revision, currently not covered by iptables rules in
frob_iptable,
+      # therefore commented out
+      # frob_iptable
+      true
   fi
 
   release_lock "iptables"
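Review bot: replacing `frob_iptable` in the `else` branch with `true` means a VIF configured without any IP addresses now gets no rules at all instead of the previous allow-anything rule, and the comment in the hunk itself says this "needs revision"; either finish that part before the patch is applied or at least emit a warning there so the silent change of behaviour is visible to the administrator. Removing the `--sport 68 --dport 67` DHCP rule on the grounds that "DomUs need no DHCP, IP address fixed" (`entfernt, da DomUs kein DHCP benötigen, IP@ fix`) hard-codes a site-specific assumption into a script shipped to every user of the package; make it conditional (for example on a setting read from the vif configuration) rather than deleting it. As in the previous hunk, the comments should be in English and the `###`-commented lines removed rather than kept.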


