How to disable anti-spoofing mechanism (Especially in DevStack)

asked 2014-04-01 05:46:09 -0500

Gopal

updated 2014-04-04 02:46:18 -0500

Environment: Ubuntu 13.10 + DevStack Havana (single node setup).

Need to use a VM as a proxy to examine packets before forwarding them to their original destination. Packets will be rerouted to the Proxy VM using SDN.

[VM1] --> [Proxy VM] --> [VM2].

However, anti-spoofing rules prevent me from doing this. (Did the OpenStack developers not envision that researchers may want to use VMs as proxies? Why did they make it almost impossible to disable the anti-spoofing mechanism?)

Tried the following things:

a) Flushing IPTables ... no go. IPTables shows up as flushed completely. But blockage is still there for spoofed packets.

b) Edited virt/libvirt/ file to set base_filter as nova-vpn (which should not get any anti-spoof filters). Did a reset on q-svc, n-api. But no go.

c) In the localrc file, set Q_USE_SECGROUP=False. I now see that IPTables does not have those anti-spoofing rules listed. Still the spoofed packets do not go through.

d) Did a "sudo virsh nwfilter-edit nova-base" and deleted the anti-spoofing lines in the XML file. And also deleted the DROP rules from IPTables (using iptables-save > dump, edit dump, iptables-restore < dump). Still nothing happened.

What else can I try?

regards GA



I have the same problem with a pfSense inside my tenant. I need to disable the anti-spoofing rule for a particular VM.

salvorapi ( 2014-04-04 02:46:02 -0500 )

I have the same issue too :P Did you manage to find a solution? Regards

Xavier ( 2014-06-12 19:36:56 -0500 )