
How can I properly add basic network filters (clean-traffic or, at least, ip-spoofing prevention) to XEN (xend) guests managed by libvirt?

Or, in particular, can I manually execute libvirt's nwfilters from a script (for given parameters)?

I am using libvirt's network to create the bridge (default, bridge virbr0), but, apparently, Xen's vif-bridge script is used to initialize the virtualized system's networking, and libvirt drops the nwfilter definitions from the domain's XML (probably because it is converted to Xen's native config).

HoverHell
  • I've run into the same problem – did you find any solution? – Creshal Jun 19 '13 at 14:27
  • No, it appears that the only solution is to write the iptables/ebtables security filtering manually. – HoverHell Jun 19 '13 at 17:44
  • Which XEN-version and which linux distribution/version? – Nils Jun 20 '13 at 11:37
  • Debian stable, i.e. xen 4.1.4, libvirt 0.9.12. – HoverHell Jun 20 '13 at 14:45
  • I should note, what I was hoping for is a way to invoke libvirt's filter addition/removal/reconfigure from the commandline; there doesn't seem to be a way, but it is also _possible_ that someone familiar with libvirt's innards could implement that relatively easily. – HoverHell Jun 23 '13 at 17:52
  • Thanks for asking the question. I've spent the last hour trying to get libvirt nwfilter stuff working, figuring that since it was all iptables stuff, it would just work despite Xen being second-class. Good to know it doesn't! – William Pietri Jan 19 '14 at 20:20

1 Answer


I've also looked into that subject. Here is what Xen 4.x can offer, although it is not well documented or illustrated with sample scripts.

xend-config.sxp - Xen daemon configuration file

vif-script The name of the script in /etc/xen/scripts that will be run to setup a virtual interface when it is created or destroyed. This needs to (in general) work in unison with the network-script.

You may override global vif-script by using script keyword inside a vif option value of any guest configuration.

XL Network Configuration

script Specifies the hotplug script to run to configure this device (e.g. to add it to the relevant bridge). Defaults to XEN_SCRIPT_DIR/vif-bridge but can be set to any script. Some example scripts are installed in XEN_SCRIPT_DIR.

For most Linux systems substitute XEN_SCRIPT_DIR with /etc/xen/scripts.

There is also at least one more specific solution in the following Xen-users mailing list discussion: preventing Hwaddr spoofing on bridge

Dopamine
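As an added example (not code from the answer, from Xen or from libvirt) of the per-guest script override described above: a vif hotplug script that wraps the stock vif-bridge and pins the guest's port to its configured MAC and IPv4 address with ebtables and iptables, which is the anti-spoofing part of what libvirt's clean-traffic filter would otherwise provide. The script name vif-bridge-filter, the xenstore keys mac and ip under $XENBUS_PATH, the online/offline/add/remove action names, and the presence of xenstore-read, ebtables and iptables in dom0 are assumptions.

```shell
#!/bin/sh
# Added example, not Xen's or libvirt's own code: a per-guest vif hotplug
# script that wraps the stock vif-bridge and pins the vif to one MAC and one
# IPv4 address with ebtables/iptables. Install as
# /etc/xen/scripts/vif-bridge-filter (hypothetical name) and select it per
# guest with the script= keyword in the vif stanza, e.g.
#   vif = ['mac=00:16:3e:00:00:01,ip=192.0.2.10,bridge=virbr0,script=vif-bridge-filter']
# Assumptions: Xen passes the action as $1 and exports $vif and $XENBUS_PATH,
# and the guest's mac/ip values are readable from xenstore under $XENBUS_PATH.

XEN_SCRIPT_DIR=${XEN_SCRIPT_DIR:-/etc/xen/scripts}
DRY_RUN=${DRY_RUN:-0}   # 1 = print the firewall commands instead of running them

# gen_rules add|del VIF MAC IPV4 -- print the ebtables/iptables commands that
# restrict frames entering the bridge through VIF to that MAC and address.
gen_rules() {
    r_action=$1 r_dev=$2 r_mac=$3 r_ip=$4
    case $r_action in
        add) flag=-A ;;
        del) flag=-D ;;
        *)   echo "gen_rules: unknown action '$r_action'" >&2; return 1 ;;
    esac
    # Ethernet: drop any frame whose source MAC is not the guest's own.
    echo "ebtables $flag FORWARD -i $r_dev -s ! $r_mac -j DROP"
    # ARP: the guest may only advertise its own MAC and its own IP.
    echo "ebtables $flag FORWARD -i $r_dev -p ARP --arp-mac-src ! $r_mac -j DROP"
    echo "ebtables $flag FORWARD -i $r_dev -p ARP --arp-ip-src ! $r_ip -j DROP"
    # IPv4: drop forwarded packets from this port with a foreign source address
    # (needs bridge-nf-call-iptables=1 so bridged traffic traverses FORWARD).
    echo "iptables $flag FORWARD -m physdev --physdev-in $r_dev ! -s $r_ip -j DROP"
}

# run_rules: execute (or, with DRY_RUN=1, just print) the generated commands.
run_rules() {
    gen_rules "$@" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Hotplug entry point: only runs when invoked by Xen's hotplug machinery.
# Guests without an ip= value in their vif stanza get no extra rules.
if [ -n "${vif:-}" ] && [ -n "${XENBUS_PATH:-}" ]; then
    guest_mac=$(xenstore-read "$XENBUS_PATH/mac")
    guest_ip=$(xenstore-read "$XENBUS_PATH/ip" 2>/dev/null || true)
    case $1 in
        online|add)
            # Filter first, then let vif-bridge attach the port to the bridge.
            if [ -n "$guest_ip" ]; then run_rules add "$vif" "$guest_mac" "$guest_ip"; fi
            exec "$XEN_SCRIPT_DIR/vif-bridge" "$@"
            ;;
        offline|remove)
            "$XEN_SCRIPT_DIR/vif-bridge" "$@"
            if [ -n "$guest_ip" ]; then run_rules del "$vif" "$guest_mac" "$guest_ip"; fi
            ;;
        *)
            exec "$XEN_SCRIPT_DIR/vif-bridge" "$@"
            ;;
    esac
fi
```

Running it with DRY_RUN=1 shows the rule set without touching the firewall; after a guest has started, `ebtables -L FORWARD` and `iptables -L FORWARD -v` should list one rule set per vif, and nothing should remain after the guest is shut down. The iptables physdev rule only sees bridged traffic when bridge-nf-call-iptables is enabled; the ebtables rules apply regardless.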