Ask Your Question

How to disable anti-spoofing mechanism (Especially in DevStack)

asked 2014-04-01 05:46:09 -0500

Gopal gravatar image

updated 2014-04-04 02:46:18 -0500

Environment: Ubuntu 13.10 + DevStack Havana (single node setup).

Need to use a VM as a proxy to examine packets before forwarding them to original destination. Packet will be rerouted to Proxy VM using SDN.

[VM1] --> [Proxy VM] --> [VM2].

However, anti-spoofing rules prevent me to do this. (Did the OpenStack developers not envision that researchers may want to use VMs as proxies? Why did they make it almost impossible to disable the anti-spoofing mechanism?).

Tried the following things:

a) Flushing IPTables ... no go. IPTables shows up as flushed completely. But blockage is still there for spoofed packets.

b) Edited virt/libvirt/ file to set base_filter as nova-vpn (which should not get any anti-spoof filters). Did a reset on q-svc, n-api. But no go.

c) In localrc, file set Q_USE_SECGROUP=False. I now see that IPTables does not have those anti-spoofing rules listed. Still the spoofed packets do not go through.

d) Did a "sudo virsh nwfilter-edit nova-base" and deleted the anti-spoofing lines in the xml file. And also deleted the DROP rules from IPTables (using iptables-save > dump, edit dump, iptables-restore < dump).
Still nothing happened.

What else can I try ?

regards GA

edit retag flag offensive close merge delete


I have the same problem with a pfSense inside my tenant. I need to disable anti-spoofing rule for a particular VM.

salvorapi gravatar imagesalvorapi ( 2014-04-04 02:46:02 -0500 )edit

I have the same issue too :P Did you manage to find a solution ? regards

Xavier gravatar imageXavier ( 2014-06-12 19:36:56 -0500 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2016-04-13 12:52:28 -0500

Here's your solution: (

You need to change the port configuration in your proxy VM to allow VM1 IPs to transit through VM2 network

I just tested it.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2014-04-01 05:46:09 -0500

Seen: 1,726 times

Last updated: Apr 04 '14