
openstack team mailing list archive

intentionally allow ip "spoofing"?


Hi folks,

(Resending, since I did something wrong with the subject last time...)

I wonder if there is a way to intentionally allow ip "spoofing" for certain
VMs...

The use case is the following. We have two DCs, both with openstack
deployed. One tenant lives on both DCs, say 10.0.0.0/24 in DC1 and
10.0.1.0/24 in DC2.

Now the tenant wants the VMs in two DCs to talk to each other with private
IPs... The way I am trying to achieve this is to run OpenSwan in one VM on
each side, build an IPSEC tunnel enabling lan2lan.

But, this requires: 1) all VMs add a static route, routing packets to the
other site to the local openswan box; 2) the openswan box can send out
packets with src IP other than itself.

1) is easy to solve, but I am stuck on 2)...

I found that there is a filterref in libvirt.xml in every VM:
      <filterref filter="nova-instance-instance-00000007-fa163e254a1b">
        <parameter name="IP" value="10.0.104.3"/>
        <parameter name="DHCPSERVER" value="10.0.104.1"/>
        <parameter name="PROJNET" value="10.0.104.0"/>
        <parameter name="PROJMASK" value="255.255.255.0"/>
      </filterref>

which I believe is dropping outgoing packets that don't src from 10.0.104.3.

I removed that "IP" parameter, and added "CTRL_IP_LEARNING"="dhcp", but
cloud-init no longer works...

Any ideas?

Thanks.
 -Simon
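The filterref block quoted above is the per-interface anti-spoofing filter that nova attaches to each instance. Before relaxing it for a gateway VM, it is useful to be able to see, across a host's domain definitions, which interfaces are still pinned to a single source IP, which have been switched to learned addressing (CTRL_IP_LEARNING), and which carry no filter at all. The script below is an added example, not code from the thread or from nova/libvirt; it parses libvirt domain XML with the standard library and reports the state of each interface. The sample XML is constructed for the example (the second interface and its filter name are invented; the first mirrors the block in the post).

```python
"""Audit libvirt domain XML for per-interface anti-spoofing filter state.

Added example, not part of the original thread. It inspects the <filterref>
element nova writes under each <interface> and classifies the interface by
whether the filter pins it to a static source IP or relies on IP learning.
"""
import xml.etree.ElementTree as ET

# Constructed sample domain: interface 1 is the block quoted in the post;
# interface 2 has had the IP parameter removed and CTRL_IP_LEARNING set.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>instance-00000007</name>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:25:4a:1b'/>
      <source bridge='br100'/>
      <filterref filter='nova-instance-instance-00000007-fa163e254a1b'>
        <parameter name='IP' value='10.0.104.3'/>
        <parameter name='DHCPSERVER' value='10.0.104.1'/>
        <parameter name='PROJNET' value='10.0.104.0'/>
        <parameter name='PROJMASK' value='255.255.255.0'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='fa:16:3e:aa:bb:cc'/>
      <source bridge='br100'/>
      <filterref filter='nova-instance-instance-00000008-fa163eaabbcc'>
        <parameter name='DHCPSERVER' value='10.0.104.1'/>
        <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
      </filterref>
    </interface>
  </devices>
</domain>
"""


def audit_interfaces(domain_xml):
    """Return one finding dict per <interface> in the domain XML.

    status values:
      PINNED      - filter carries an IP parameter (static source-IP binding)
      LEARNED     - no IP parameter; CTRL_IP_LEARNING is 'dhcp' or 'any'
      UNSPECIFIED - no IP parameter and no CTRL_IP_LEARNING (effective
                    behaviour depends on the filter definition itself)
      NO_FILTER   - the interface has no <filterref> at all
    """
    root = ET.fromstring(domain_xml)
    findings = []
    for iface in root.iter("interface"):
        mac_el = iface.find("mac")
        mac = mac_el.get("address") if mac_el is not None else "?"
        fref = iface.find("filterref")
        if fref is None:
            findings.append({"mac": mac, "filter": None, "pinned_ips": [],
                             "learning": None, "status": "NO_FILTER"})
            continue
        # A parameter name may repeat (e.g. several IP values), so collect lists.
        params = {}
        for p in fref.findall("parameter"):
            params.setdefault(p.get("name"), []).append(p.get("value"))
        pinned = params.get("IP", [])
        learning = params.get("CTRL_IP_LEARNING", [None])[0]
        if pinned:
            status = "PINNED"
        elif learning in ("dhcp", "any"):
            status = "LEARNED"
        else:
            status = "UNSPECIFIED"
        findings.append({"mac": mac, "filter": fref.get("filter"),
                         "pinned_ips": pinned, "learning": learning,
                         "status": status})
    return findings


def count_by_status(findings):
    """Summarise findings as {status: count} for a quick host-level view."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_interfaces(SAMPLE_DOMAIN_XML):
        print(f"{f['mac']}  {f['status']:<12} ips={f['pinned_ips']} "
              f"learning={f['learning']} filter={f['filter']}")
    print(count_by_status(audit_interfaces(SAMPLE_DOMAIN_XML)))
```

On a real host you would feed this the output of `virsh dumpxml <domain>` for each instance and flag any interface that is not PINNED, so that a deliberately relaxed gateway VM (like the openswan box in the post) stays a known exception rather than an unnoticed one.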