
@oldpatricka
Created September 14, 2010 21:24
#From http://www.nimbusproject.org/doc/2.5/DHCP-TP1.2.2-draft2.pdf
Xen is integrated heavily with Linux for dom0 operations and has some hooks for adding and removing iptables rules upon VM creation/destruction. Broadcast packets coming from a guest virtual interface (we will use vif1.0 in this example) are by default copied to the whole LAN. To avoid this, we investigated using iptables but found that ebtables offers the most solid solution.

ebtables is a standard Linux package, and the kernel support for it is present in a default Xen installation. As with ISC DHCP, installing the userspace tools (/sbin/ebtables) is a one-line command to the package management system.

To avoid copying the DHCP request to the LAN (or to any other local VMs), we intercept the packet with ebtables before the bridging decision. Any DHCP request is directed to the correct dom0 interface (see the note below on advanced configurations). Further, because ebtables rules are already being added at VM creation, two simple rules are also added for spoofing protection, making it impossible for a guest NIC to use a MAC or IP address other than the one assigned.
The inspection flows like so:
1. Is the packet coming from a workspace virtual interface?
2. If not, proceed without further processing.
3. If so, is the MAC address incorrect? Drop the packet.
4. Is this a DHCP packet?
5. If so, allow it to be bridged only to the appropriate interface for the bridge that it is on (see the note below on advanced configurations). No other interface on the bridge will see the broadcast packet.
6. If not a DHCP packet, it must have the correct source IP address; otherwise the packet is dropped.
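The six steps above map almost one-to-one onto an ebtables rule set. The script below is an added illustration of that mapping and is not the Nimbus workspace-control script or anything from the quoted document; the chain naming (`ws-<vif>`), the use of the filter table's FORWARD chain (where both the input and output interface can be matched), and the sample MAC, IP and interface names are all assumptions. By default it only prints the `ebtables` commands so it can be read and tested anywhere; set `EBTABLES=ebtables` and run it as root on a dom0 to apply them.

```shell
#!/bin/sh
# Generate the per-vif ebtables rules for the inspection flow described above.
# Added illustration, not the project's own script. EBTABLES defaults to
# "echo ebtables" so the rules are printed instead of applied.
EBTABLES="${EBTABLES:-echo ebtables}"

# vif_chain_name <vif> -> name of the per-vif user chain (assumed convention).
vif_chain_name() {
    printf 'ws-%s\n' "$1"
}

# workspace_vif_rules <vif> <assigned-mac> <assigned-ip> <dhcp-out-iface>
# Emits the rules that enforce steps 1-6 for one guest virtual interface.
workspace_vif_rules() {
    vif=$1; mac=$2; ip=$3; dhcp_if=$4
    chain=$(vif_chain_name "$vif")

    # Steps 1/2: only frames entering the bridge from this vif are diverted
    # into the per-vif chain; everything else proceeds through FORWARD untouched.
    $EBTABLES -N "$chain"
    $EBTABLES -A FORWARD -i "$vif" -j "$chain"

    # Step 3: the source MAC must be the one assigned to the vif.
    $EBTABLES -A "$chain" -s ! "$mac" -j DROP

    # Steps 4/5: DHCP client traffic (UDP 68 -> 67) may only leave through the
    # interface that reaches the DHCP server for this bridge; the same request
    # towards any other port is dropped, so no other VM sees the broadcast.
    # Ordering matters: a DHCP DISCOVER is sent from 0.0.0.0 and would be
    # dropped by the source-IP check below if that check came first.
    $EBTABLES -A "$chain" -p IPv4 --ip-proto udp --ip-sport 68 --ip-dport 67 -o "$dhcp_if" -j ACCEPT
    $EBTABLES -A "$chain" -p IPv4 --ip-proto udp --ip-sport 68 --ip-dport 67 -j DROP

    # Step 6: any other IPv4 frame must carry the assigned source address.
    $EBTABLES -A "$chain" -p IPv4 --ip-src ! "$ip" -j DROP
    $EBTABLES -A "$chain" -j ACCEPT
}

# workspace_vif_rules_remove <vif>
# Counterpart for VM destruction: unhook, flush and delete the per-vif chain.
workspace_vif_rules_remove() {
    chain=$(vif_chain_name "$1")
    $EBTABLES -D FORWARD -i "$1" -j "$chain"
    $EBTABLES -F "$chain"
    $EBTABLES -X "$chain"
}

# Constructed sample values (not from the page): vif1.0 with an assumed
# MAC/IP, DHCP server reached through peth0 on the same bridge.
workspace_vif_rules vif1.0 aa:00:00:00:00:01 192.0.2.10 peth0
```

Two points worth noting when reading the output. The DHCP rules are deliberately placed before the source-IP rule, because the initial DHCP exchange is sent from 0.0.0.0 and would never reach the server otherwise. And the source-IP rule only inspects IPv4 frames, so non-IP traffic such as ARP passes the per-vif chain after the MAC check; a deployment that also wants ARP sender addresses pinned needs additional `-p ARP` rules, which the quoted document does not describe.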