Commit 96b69455 authored by Leigh Stoller's avatar Leigh Stoller

Use the XEN "antispoofing" option, which adds a couple of

rules to ensure that the guest cannot change their assigned IP.
parent 57741504
......@@ -118,10 +118,16 @@ sub Online()
"--physdev-out $outer_controlif -j DROP");
return -1
if ($?);
mysystem2("$IPTABLES -A FORWARD -m physdev --physdev-in $vif -j ACCEPT");
return -1
if ($?);
#
# We ask vif-bridge to turn on antispoofing; this rule would negate that.
#
if (0) {
mysystem2("$IPTABLES -A FORWARD -m physdev ".
"--physdev-in $vif -j ACCEPT");
return -1
if ($?);
}
# Start a tmcc proxy (handles both TCP and UDP)
my $tmccpid = fork();
......@@ -162,10 +168,15 @@ sub Online()
#
# GROSS! source-nat all traffic destined the fs node, to come from the
# vnode host, so that NFS mounts work. We do this for non-shared nodes.
# Shared nodes do the mounts normally from inside the guest. Maybe this
# distinction is pointless, but it lowers the number of exported mounts
# on the file server.
#
# Shared nodes do the mounts normally from inside the guest. The reason
# for this distinction is that on a shared host, we ask vif-bridge to
# turn on antispoofing so that the guest cannot use an IP address other
# then what we assign. On a non-shared node, the user can log into the
# physical host and pick any IP they want, but as long as the NFS server
# is exporting only to the physical IP, they won't be able to mount
# any directories outside their project. The NFS server *does* export
# filesystems to the guest IPs if the guest is on a shared host.
#
if (!SHAREDHOST()) {
mysystem2("$IPTABLES -t nat -A POSTROUTING -j SNAT ".
" --to-source $host_ip -s $vnode_ip --destination $fs_ip ".
......@@ -183,7 +194,12 @@ sub Offline()
"--pkt-type broadcast " .
"-m physdev --physdev-in $vif --physdev-is-bridged ".
"--physdev-out $outer_controlif -j DROP");
mysystem2("$IPTABLES -D FORWARD -m physdev --physdev-in $vif -j ACCEPT");
# See above.
if (0) {
mysystem2("$IPTABLES -D FORWARD -m physdev ".
"--physdev-in $vif -j ACCEPT");
}
# tmcc
# Reroute tmcd calls to the proxy on the physical host
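Review bot: The new `if (0) { ... }` block in Online() keeps the old unconditional ACCEPT rule and its `return -1 if ($?)` in the tree as dead code, and the Offline() hunk repeats the pattern around the matching `-D` rule; since the comment already explains why the rule is gone, the block should be deleted in both places rather than disabled. Suggested replacement for the block in Online(): `# vif-bridge installs antispoofing rules for this vif (via the "ip=" vif option); an unconditional ACCEPT on --physdev-in $vif would bypass them, so no rule is added here.` with the `if (0)` in Offline() dropped likewise. Forwarding for the guest now depends entirely on vif-bridge actually installing its per-IP rules on top of the FORWARD DROP policy set elsewhere, so if that option is ever missing from the vif line the guest presumably loses forwarding altogether rather than gaining anything; that dependency is worth one sentence in the comment. Online() and Offline() both start and end outside the hunks shown.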
......
......@@ -112,6 +112,7 @@ my $MODPROBE = "/sbin/modprobe";
my $DHCPCONF_FILE = "/etc/dhcpd.conf";
my $NEW_DHCPCONF_FILE = "/etc/dhcp/dhcpd.conf";
my $RESTOREVM = "$BINDIR/restorevm.pl";
my $IPTABLES = "/sbin/iptables";
my $debug = 0;
......@@ -280,6 +281,16 @@ sub rootPreConfig()
mysystem("route add default gw $cnet_gw");
}
#
# We use xen's antispoofing when constructing the guest control net
# interfaces. This is most useful on a shared host, but no harm
# in doing it all the time.
#
mysystem("$IPTABLES -P FORWARD DROP");
mysystem("$IPTABLES -F FORWARD");
mysystem("$IPTABLES -A FORWARD ".
"-m physdev --physdev-in $cnet_iface -j ACCEPT");
#
# Ensure that LVM is loaded in the kernel and ready.
#
......@@ -534,6 +545,7 @@ sub vnodeCreate($$$$)
fatal("xen_vnodeCreate: Could not restore disk info from $conf");
}
$private->{'disks'} = $disks;
TBScriptUnlock();
goto done;
}
......@@ -808,6 +820,7 @@ sub vnodePreConfigControlNetwork($$$$$$$$$$$$)
$vninfo->{'cnet'}->{'mac'} = $fmac;
$vninfo->{'cnet'}->{'bridge'} = $cbridge;
$vninfo->{'cnet'}->{'script'} = $cscript;
$vninfo->{'cnet'}->{'ip'} = $ip;
# Create a network config script for the interface
my $stuff = {'name' => $vnode_id,
......@@ -850,6 +863,8 @@ sub vnodePreConfigExpNetwork($$$$)
# Build up a config file line for all interfaces, starting with cnet
my $vifstr = "vif = ['" .
"mac=" . $vninfo->{'cnet'}->{'mac'} . ", " .
# This tells vif-bridge to use antispoofing iptable rules.
"ip=" . $vninfo->{'cnet'}->{'ip'} . ", " .
"bridge=" . $vninfo->{'cnet'}->{'bridge'} . ", " .
"script=" . $vninfo->{'cnet'}->{'script'} . "'";
......@@ -1847,7 +1862,7 @@ sub createExpNetworkScript($$$$$)
}
push(@cmds,
"$TC qdisc add dev $iface handle $pipe10 parent $pipe20:1 ".
"netem drop $plr delay ${delay}us\n");
"netem drop $plr delay ${delay}us");
}
else {
push(@cmds,
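Review bot: In the vnodePreConfigExpNetwork hunk, `$vninfo->{'cnet'}->{'ip'}` is interpolated into the `vif = [...]` line with no definedness check, so if the `$ip` recorded in vnodePreConfigControlNetwork is ever undef the line degrades to `ip=, ` and, presumably, vif-bridge sets up no antispoofing for that guest while the rc script on the other side of this commit has stopped adding its own ACCEPT rule. A guard before the string is built, using this module's existing error path, e.g. `fatal("vnodePreConfigExpNetwork: no control net IP recorded for this vnode") if (!defined($vninfo->{'cnet'}->{'ip'}));`, makes that failure loud instead of silently weakening the forwarding rules. Separately, `$IPTABLES -F FORWARD` in rootPreConfig discards every existing FORWARD rule, including any per-guest rules vif-bridge may already have installed if this runs on a host with guests up; if rootPreConfig only ever runs once at boot that is fine, otherwise the flush deserves a comment saying so. vnodePreConfigExpNetwork and rootPreConfig both start before and end after the lines shown.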
......