xchenum at gmail
Jul 19, 2012, 12:01 PM
Post #1 of 1
intentionally allow ip "spoofing"?
(Resending, since I did something wrong with the subject last time...)
I wonder if there is a way to intentionally allow ip "spoofing" for certain
The use case is the following. We have two DCs, both with OpenStack
deployed. One tenant lives on both DCs, say 10.0.0.0/24 in DC1 and
10.0.1.0/24 in DC2.
Now the tenant wants the VMs in the two DCs to talk to each other with private
IPs... The way I am trying to achieve this is to run OpenSwan in one VM on
each side and build an IPsec tunnel enabling lan2lan.
But, this requires: 1) all VMs add a static route, routing packets to the
other site to the local openswan box; 2) the openswan box can send out
packets with src IP other than itself.
1) is easy to solve, but I am stuck on 2)...
I found that there is a filterref in libvirt.xml in every VM:
<parameter name="IP" value="10.0.104.3"/>
<parameter name="DHCPSERVER" value="10.0.104.1"/>
<parameter name="PROJNET" value="10.0.104.0"/>
<parameter name="PROJMASK" value="255.255.255.0"/>
which I believe is dropping outgoing packets that don't src from 10.0.104.3.
I removed that "IP" parameter, and added "CTRL_IP_LEARNING"="dhcp", but
cloud-init no longer works...
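Added example (not from the original post, and not a nova feature): the filterref parameters above are consumed by libvirt's nwfilter rules, and the one that drops packets with a foreign source address is the stock no-ip-spoofing filter, which only lets "$IP" through. Rather than removing the IP parameter (which is what breaks the DHCP/metadata path that cloud-init depends on), a replacement filter can keep the same check for the VM's own address and additionally accept the other DC's tenant subnet as a source on the OpenSwan VM only. The filter below assumes it is attached to the DC1 OpenSwan VM, so the remote subnet is 10.0.1.0/24 as in the post; the filter name, the priorities and the idea of swapping it in for no-ip-spoofing in that one instance's filter chain are all assumptions. Compare the stock rule first with "virsh nwfilter-dumpxml no-ip-spoofing", then load this one with "virsh nwfilter-define allow-remote-subnet.xml".

```xml
<!-- allow-remote-subnet.xml: an added example, not the original poster's
     configuration. A variant of libvirt's no-ip-spoofing filter for the
     OpenSwan VM in DC1. Values that are assumptions: the filter name, the
     remote subnet 10.0.1.0/24 (DC2 in the post), and the rule priorities. -->
<filter name='allow-remote-subnet' chain='ipv4-ip' priority='-710'>

  <!-- The VM's own address, taken from the IP parameter of the filterref.
       Keeping this rule is what keeps DHCP/metadata traffic working. -->
  <rule action='return' direction='out' priority='100'>
    <ip srcipaddr='$IP'/>
  </rule>

  <!-- Decapsulated lan2lan traffic from the other DC's tenant subnet is
       forwarded by OpenSwan with its original source address; accept it. -->
  <rule action='return' direction='out' priority='200'>
    <ip srcipaddr='10.0.1.0' srcipmask='24'/>
  </rule>

  <!-- Any other source address is still dropped, so the VM cannot spoof
       arbitrary addresses, only forward for the peer subnet. -->
  <rule action='drop' direction='out' priority='1000'/>
</filter>
```

Two things to check before relying on this: only the OpenSwan instance's filter should reference allow-remote-subnet in place of no-ip-spoofing (every other VM keeps the stock filter), and nova's libvirt firewall driver regenerates the per-instance filters when it sets up an instance, so verify after a reboot or migration that the substitution is still in place.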