Hi,
IP aliases in networks with IP Spoofing Protection enabled don’t work reliably: 99% of the time they don’t work, then for some inexplicable reason a migration or addition/deletion of an IP alias causes them to work.
Quite similar to this issue: “IP spoofing not working, hijacking possible”, except this is an 802.1Q.
We’ve tracked this down to the IP spoofing as we could see ICMP echo + reply in the VM, we could see echo + reply on the bridge, but we only saw the echo on the physical NIC VLAN.
If I manually add the alias IPs to the ipset:

```
ipset add one-28-0-ip-spoofing 172.16.8.197
```

Then the IP alias will function.
There’s nothing else writing rules in to iptables either and ebtables is empty.
Any help is greatly appreciated, as this was working and somehow has managed to stop.
Version: 6.0.0
HV OS: CentOS7
VM OS: CentOS7 Marketplace Template (Ubuntu Marketplace is the same, as is Windows)
VM NIC Config:

```
NIC = [
    ALIAS_IDS = "1",
    AR_ID = "0",
    BRIDGE = "Shared",
    BRIDGE_TYPE = "linux",
    CLUSTER_ID = "0",
    FILTER_IP_SPOOFING = "YES",
    FILTER_MAC_SPOOFING = "YES",
    GATEWAY = "172.16.8.193",
    IP = "172.16.8.196",
    MAC = "02:00:55:76:ff:c4",
    NAME = "NIC0",
    NETWORK = "Shared (Nebula01)",
    NETWORK_ID = "0",
    NIC_ID = "0",
    PHYDEV = "Public",
    SECURITY_GROUPS = "0",
    TARGET = "one-28-0",
    VLAN_ID = "505",
    VN_MAD = "802.1Q" ]
NIC_ALIAS = [
    ALIAS_ID = "0",
    AR_ID = "0",
    BRIDGE = "Shared",
    BRIDGE_TYPE = "linux",
    CLUSTER_ID = "0",
    FILTER_IP_SPOOFING = "YES",
    FILTER_MAC_SPOOFING = "YES",
    GATEWAY = "172.16.8.193",
    IP = "172.16.8.197",
    MAC = "02:00:55:76:ff:c5",
    NAME = "NIC0_ALIAS1",
    NETWORK = "Shared (Nebula01)",
    NETWORK_ID = "0",
    NETWORK_UNAME = "oneadmin",
    NIC_ID = "1",
    PARENT = "NIC0",
    PARENT_ID = "0",
    PHYDEV = "Public",
    SECURITY_GROUPS = "0",
    TARGET = "one-28-1",
    VLAN_ID = "505",
    VN_MAD = "802.1Q" ]
```
`onevnet show 0 -x`:

```xml
<VNET>
  <ID>0</ID>
  <UID>0</UID>
  <GID>0</GID>
  <UNAME>oneadmin</UNAME>
  <GNAME>oneadmin</GNAME>
  <NAME>Shared (Nebula01)</NAME>
  <PERMISSIONS>
    <OWNER_U>1</OWNER_U>
    <OWNER_M>1</OWNER_M>
    <OWNER_A>0</OWNER_A>
    <GROUP_U>0</GROUP_U>
    <GROUP_M>0</GROUP_M>
    <GROUP_A>0</GROUP_A>
    <OTHER_U>0</OTHER_U>
    <OTHER_M>0</OTHER_M>
    <OTHER_A>0</OTHER_A>
  </PERMISSIONS>
  <CLUSTERS>
    <ID>0</ID>
  </CLUSTERS>
  <BRIDGE><![CDATA[Shared]]></BRIDGE>
  <BRIDGE_TYPE><![CDATA[linux]]></BRIDGE_TYPE>
  <PARENT_NETWORK_ID/>
  <VN_MAD><![CDATA[802.1Q]]></VN_MAD>
  <PHYDEV><![CDATA[Public]]></PHYDEV>
  <VLAN_ID><![CDATA[505]]></VLAN_ID>
  <OUTER_VLAN_ID/>
  <VLAN_ID_AUTOMATIC>0</VLAN_ID_AUTOMATIC>
  <OUTER_VLAN_ID_AUTOMATIC>0</OUTER_VLAN_ID_AUTOMATIC>
  <USED_LEASES>6</USED_LEASES>
  <VROUTERS/>
  <TEMPLATE>
    <BRIDGE><![CDATA[Shared]]></BRIDGE>
    <BRIDGE_TYPE><![CDATA[linux]]></BRIDGE_TYPE>
    <DNS><![CDATA[8.8.8.8 8.8.4.4]]></DNS>
    <FILTER_IP_SPOOFING><![CDATA[YES]]></FILTER_IP_SPOOFING>
    <FILTER_MAC_SPOOFING><![CDATA[YES]]></FILTER_MAC_SPOOFING>
    <GATEWAY><![CDATA[172.16.8.193]]></GATEWAY>
    <NETWORK_ADDRESS><![CDATA[172.16.8.192]]></NETWORK_ADDRESS>
    <NETWORK_MASK><![CDATA[255.255.255.224]]></NETWORK_MASK>
    <OUTER_VLAN_ID><![CDATA[]]></OUTER_VLAN_ID>
    <PHYDEV><![CDATA[Public]]></PHYDEV>
    <SECURITY_GROUPS><![CDATA[0]]></SECURITY_GROUPS>
    <VLAN_ID><![CDATA[505]]></VLAN_ID>
    <VN_MAD><![CDATA[802.1Q]]></VN_MAD>
  </TEMPLATE>
  <AR_POOL>
    <AR>
      <AR_ID><![CDATA[0]]></AR_ID>
      <IP><![CDATA[172.16.8.194]]></IP>
      <MAC><![CDATA[02:00:55:76:ff:c2]]></MAC>
      <SIZE><![CDATA[30]]></SIZE>
      <TYPE><![CDATA[IP4]]></TYPE>
      <MAC_END><![CDATA[02:00:55:76:ff:df]]></MAC_END>
      <IP_END><![CDATA[172.16.8.223]]></IP_END>
      <USED_LEASES>2</USED_LEASES>
      <LEASES>
        <LEASE>
          <IP><![CDATA[172.16.8.196]]></IP>
          <MAC><![CDATA[02:00:55:76:ff:c4]]></MAC>
          <VM><![CDATA[28]]></VM>
        </LEASE>
        <LEASE>
          <IP><![CDATA[172.16.8.197]]></IP>
          <MAC><![CDATA[02:00:55:76:ff:c5]]></MAC>
          <VM><![CDATA[28]]></VM>
        </LEASE>
      </LEASES>
    </AR>
  </AR_POOL>
</VNET>
```
`iptables-save`:

```
-A one-28-0-i -m state --state RELATED,ESTABLISHED -j RETURN
-A one-28-0-i -j RETURN
-A one-28-0-i -j DROP
-A one-28-0-o -m mac ! --mac-source 02:00:55:76:FF:C4 -j DROP
-A one-28-0-o -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A one-28-0-o -m set ! --match-set one-28-0-ip-spoofing src -j DROP
-A one-28-0-o -m state --state RELATED,ESTABLISHED -j RETURN
-A one-28-0-o -j RETURN
-A one-28-0-o -j DROP
-A opennebula -m physdev --physdev-in one-28-0 --physdev-is-bridged -j one-28-0-o
-A opennebula -m physdev --physdev-out one-28-0 --physdev-is-bridged -j one-28-0-i
```
`ipset list`:

```
Name: one-28-0-ip-spoofing
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 168
References: 1
Number of entries: 1
Members:
172.16.8.196
```
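The post's own diagnosis boils down to one comparison: the `one-28-0-o` chain drops any outbound packet whose source IP is not in the `one-28-0-ip-spoofing` ipset, and that ipset only holds the primary NIC's IP, not the alias. The script below is an added example (not part of the post, and not OpenNebula's own code) that automates that comparison on a hypervisor: it parses the VM's NIC/NIC_ALIAS template and the `ipset list` output and reports every IP that the spoofing filter should allow but the set does not contain. It assumes the naming convention visible in the post, `<TARGET of the parent NIC>-ip-spoofing`, and that an alias is filtered by its parent NIC's set (inferred from `PARENT = "NIC0"`); the sample inputs are the post's own values, reduced to the attributes the check needs.

```python
import re

# Sample input: the NIC template from the post, trimmed to the attributes the check uses.
NIC_TEMPLATE = """
NIC = [
    ALIAS_IDS = "1",
    FILTER_IP_SPOOFING = "YES",
    IP = "172.16.8.196",
    NAME = "NIC0",
    NIC_ID = "0",
    TARGET = "one-28-0" ]
NIC_ALIAS = [
    ALIAS_ID = "0",
    FILTER_IP_SPOOFING = "YES",
    IP = "172.16.8.197",
    NAME = "NIC0_ALIAS1",
    NIC_ID = "1",
    PARENT = "NIC0",
    PARENT_ID = "0",
    TARGET = "one-28-1" ]
"""

# Sample input: the `ipset list` output from the post (the alias IP is absent).
IPSET_LIST = """
Name: one-28-0-ip-spoofing
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 168
References: 1
Number of entries: 1
Members:
172.16.8.196
"""

SECTION_RE = re.compile(r'(\w+)\s*=\s*\[(.*?)\]', re.DOTALL)   # NIC = [ ... ] blocks
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')                 # KEY = "value" pairs


def parse_nic_template(text):
    """Return a list of (section_name, {attr: value}) for each NIC / NIC_ALIAS block."""
    return [(name, dict(ATTR_RE.findall(body))) for name, body in SECTION_RE.findall(text)]


def parse_ipset_list(text):
    """Return {set_name: set(members)} from `ipset list` output."""
    sets, current, in_members = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = set()
            in_members = False
        elif line == "Members:":
            in_members = True
        elif in_members and line and current is not None:
            sets[current].add(line)
        elif not line:
            in_members = False
    return sets


def expected_spoofing_members(nics):
    """Map each filtered NIC's ipset name to the IPs the filter must allow.

    Assumption (taken from the post's rules): the set is named <TARGET>-ip-spoofing
    and an alias is filtered through the set of the NIC named in its PARENT attribute.
    """
    expected, parent_target = {}, {}
    for kind, attrs in nics:
        if kind == "NIC" and attrs.get("FILTER_IP_SPOOFING") == "YES":
            parent_target[attrs["NAME"]] = attrs["TARGET"]
            expected[f"{attrs['TARGET']}-ip-spoofing"] = {attrs["IP"]}
    for kind, attrs in nics:
        if kind == "NIC_ALIAS" and attrs.get("PARENT") in parent_target:
            expected[f"{parent_target[attrs['PARENT']]}-ip-spoofing"].add(attrs["IP"])
    return expected


def missing_spoofing_entries(nics, ipsets):
    """Return sorted (set_name, ip) pairs that the filter needs but the ipset lacks."""
    missing = []
    for set_name, ips in expected_spoofing_members(nics).items():
        present = ipsets.get(set_name, set())
        missing.extend((set_name, ip) for ip in sorted(ips - present))
    return sorted(missing)


if __name__ == "__main__":
    nics = parse_nic_template(NIC_TEMPLATE)
    ipsets = parse_ipset_list(IPSET_LIST)
    for set_name, ip in missing_spoofing_entries(nics, ipsets):
        print(f"{set_name} lacks {ip}: outbound traffic from this IP is dropped by the spoofing filter")
```

On a real host the two inputs would come from `onevm show <id>` and `ipset list` instead of the embedded strings; an empty result means every filtered NIC and alias IP is whitelisted, and each reported pair is exactly the `ipset add` the post had to run by hand.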