
Mailing List Archive: OpenStack: Dev

intentionally allow ip "spoofing"?

 

 



xchenum at gmail

Jul 19, 2012, 12:01 PM


Hi folks,

(Resending, since I did something wrong with the subject last time...)

I wonder if there is a way to intentionally allow ip "spoofing" for certain
VMs...

The use case is the following. We have two DCs, both have OpenStack
deployed. One tenant lives on both DCs, say 10.0.0.0/24 in DC1 and
10.0.1.0/24 in DC2.

Now the tenant wants the VMs in two DCs to talk to each other with private
IPs... The way I am trying to achieve this is to run OpenSwan in one VM on
each side, build an IPSEC tunnel enabling lan2lan.

But, this requires: 1) all VMs add a static route, routing packets to the
other site to the local openswan box; 2) the openswan box can send out
packets with src IP other than itself.

1) is easy to solve, but I am stuck on 2)...

I found that there is a filterref in libvirt.xml in every VM:
    <filterref filter="nova-instance-instance-00000007-fa163e254a1b">
      <parameter name="IP" value="10.0.104.3"/>
      <parameter name="DHCPSERVER" value="10.0.104.1"/>
      <parameter name="PROJNET" value="10.0.104.0"/>
      <parameter name="PROJMASK" value="255.255.255.0"/>
    </filterref>

which I believe is dropping outgoing packets that don't src from 10.0.104.3.

I removed that "IP" parameter, and added "CTRL_IP_LEARNING"="dhcp", but
cloud-init no longer works...

Any ideas?

Thanks.
-Simon
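
An added example, not part of the original post and not nova or libvirt code: an audit sketch that reads libvirt domain XML and reports, per interface, whether the filterref still carries an explicit "IP" parameter like the one quoted above. The function name, status labels, sample guests, MACs and the <domains> wrapper are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: vm-a carries the "IP" parameter from the post's filterref;
# vm-gw and vm-c are hypothetical guests. MACs and the <domains> wrapper are made up.
SAMPLE = """<domains>
<domain><name>vm-a</name><devices><interface type="bridge">
  <mac address="52:54:00:00:00:01"/>
  <filterref filter="nova-instance-instance-00000007-fa163e254a1b">
    <parameter name="IP" value="10.0.104.3"/>
  </filterref>
</interface></devices></domain>
<domain><name>vm-gw</name><devices><interface type="bridge">
  <mac address="52:54:00:00:00:02"/>
  <filterref filter="example-filter">
    <parameter name="CTRL_IP_LEARNING" value="dhcp"/>
  </filterref>
</interface></devices></domain>
<domain><name>vm-c</name><devices><interface type="bridge">
  <mac address="52:54:00:00:00:03"/>
</interface></devices></domain>
</domains>"""

def audit_filterrefs(xml_text):
    """Return one record per guest interface describing its source-IP pinning."""
    records = []
    # iter() also matches the root, so a single `virsh dumpxml` document works too.
    for dom in ET.fromstring(xml_text).iter("domain"):
        name = dom.findtext("name", default="?")
        for iface in dom.iter("interface"):
            mac = iface.find("mac")
            rec = {"domain": name, "filter": None, "ips": [], "learning": None,
                   "mac": mac.get("address") if mac is not None else None}
            ref = iface.find("filterref")
            if ref is None:
                rec["status"] = "no-filterref"   # no nwfilter attached at all
            else:
                rec["filter"] = ref.get("filter")
                for p in ref.findall("parameter"):
                    if p.get("name") == "IP":
                        rec["ips"].append(p.get("value"))
                    elif p.get("name") == "CTRL_IP_LEARNING":
                        rec["learning"] = p.get("value")
                rec["status"] = "pinned" if rec["ips"] else "not-pinned"
            records.append(rec)
    return records

if __name__ == "__main__":
    for r in audit_filterrefs(SAMPLE):
        print(r)
```

Interfaces reported as "not-pinned" or "no-filterref" are the ones to review against the list of guests that are meant to forward traffic for other addresses.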
