With new filters borrowed from David Stevens' submission:
A set of new filters to handle multiple IP addresses and MAC addresses
per interface. The alternative would be to replace some of the existing
ones with these here.
Signed-off-by: David L Stevens <dlstevens(a)us.ibm.com>
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
examples/xml/nwfilter/Makefile.am | 6 +++++
examples/xml/nwfilter/clean-traffic-new.xml | 29 ++++++++++++++++++++++++++
examples/xml/nwfilter/no-arp-spoofing-new.xml | 4 +++
examples/xml/nwfilter/no-arpip-spoofing.xml | 12 ++++++++++
examples/xml/nwfilter/no-arpmac-spoofing.xml | 8 +++++++
examples/xml/nwfilter/no-ip-spoofing-new.xml | 5 ++++
examples/xml/nwfilter/no-mac-spoofing-new.xml | 10 ++++++++
7 files changed, 74 insertions(+)
Index: libvirt-acl/examples/xml/nwfilter/Makefile.am
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/Makefile.am
+++ libvirt-acl/examples/xml/nwfilter/Makefile.am
@@ -8,11 +8,17 @@ FILTERS = \
allow-incoming-ipv4.xml \
allow-ipv4.xml \
clean-traffic.xml \
+ clean-traffic-new.xml \
no-arp-spoofing.xml \
+ no-arp-spoofing-new.xml \
+ no-arpip-spoofing.xml \
+ no-arpmac-spoofing.xml \
no-ip-multicast.xml \
no-ip-spoofing.xml \
+ no-ip-spoofing-new.xml \
no-mac-broadcast.xml \
no-mac-spoofing.xml \
+ no-mac-spoofing-new.xml \
no-other-l2-traffic.xml \
no-other-rarp-traffic.xml \
qemu-announce-self.xml \
Index: libvirt-acl/examples/xml/nwfilter/no-arpip-spoofing.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -0,0 +1,12 @@
+<filter name='no-arpip-spoofing' chain='arpip'
priority='-510'>
+ <!-- no arp spoofing -->
+ <!-- drop if ipaddr does not belong to guest -->
+ <rule action='return' direction='out' priority='400' >
+ <arp match='yes' arpsrcipaddr='$IP' />
+ </rule>
+ <rule action='return' direction='out' priority='410' >
+ <arp match='yes' arpsrcipaddr='0.0.0.0' />
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
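Review bot: The rule at priority 410 that returns frames with sender IP 0.0.0.0 has no comment, and the header comment on the line above it ("drop if ipaddr does not belong to guest") reads as if it should be dropped; a one-line note would stop the next reader from "fixing" it, e.g. `<!-- sender IP 0.0.0.0: ARP probes / duplicate-address detection before the guest holds an address (presumed intent; confirm) -->`. The same applies to the 0.0.0.0-free but equally uncommented return rule in no-arpmac-spoofing. Separately, the `priority='-510'>` continuation on the second line of this hunk carries no `+` marker, which looks like mail wrapping of the `<filter>` start tag rather than part of the file; if so the patch will not apply until that line is rejoined.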
Index: libvirt-acl/examples/xml/nwfilter/no-arpmac-spoofing.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -0,0 +1,8 @@
+<filter name='no-arpmac-spoofing' chain='arpmac'
priority='-510'>
+ <rule action='return' direction='out' priority='350' >
+ <arp match='yes' arpsrcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
+
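Review bot: This filter is the only one of the three ARP-related files with no header comment saying what it enforces, and it ends with an extra blank line before EOF that the sibling files do not have. Suggest `<!-- drop ARP frames whose sender hardware address is not the guest's MAC; IP-level checks live in no-arpip-spoofing -->` above the first rule and dropping the trailing empty line. The `priority='-510'>` continuation here shows the same missing `+` marker as in no-arpip-spoofing, presumably wrapped by the mailer.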
Index: libvirt-acl/examples/xml/nwfilter/clean-traffic-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/clean-traffic-new.xml
@@ -0,0 +1,29 @@
+<filter name='clean-traffic-new' chain='root'>
+ <!-- An example of a traffic filter enforcing clean traffic
+ from a VM by
+ - preventing MAC spoofing -->
+ <filterref filter='no-mac-spoofing-new'/>
+
+ <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+ <filterref filter='no-ip-spoofing-new'/>
+
+ <rule direction='out' action='accept' priority='-750'>
+ <mac protocolid='ipv4'/>
+ </rule>
+
+ <filterref filter='allow-incoming-ipv4'/>
+
+ <!-- preventing ARP spoofing/poisoning -->
+ <filterref filter='no-arp-spoofing-new'/>
+
+ <rule direction='out' action='accept' priority='-550'>
+ <mac protocolid='arp'/>
+ </rule>
+
+ <!-- preventing any other traffic than IPv4 and ARP -->
+ <filterref filter='no-other-l2-traffic'/>
+
+ <!-- allow qemu to send a self-announce upon migration end -->
+ <filterref filter='qemu-announce-self'/>
+
+</filter>
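Review bot: The root-chain accept for outgoing IPv4 uses priority -750 while no-ip-spoofing-new attaches at chain priority -710, and the ARP accept at -550 likewise sits numerically before the -510 used by no-arpip-spoofing and no-arpmac-spoofing; if root rules and chain entries are ordered on one priority scale, the accepts would be reached before the spoofing chains and the checks the comments promise would never run for outgoing traffic. I cannot confirm libvirt's ordering from this patch alone, so either the values should be checked against the chain-ordering rules or a comment should record why they are safe, e.g. `<!-- -750 is below the ipv4-ip chain priority (-710) of no-ip-spoofing-new; ordering verified to run the spoofing check first -->` only once that is actually established. The "allow all IPv4 in incoming" wording belongs to the allow-incoming-ipv4 filterref two rules further down rather than to no-ip-spoofing-new, so moving that half of the comment next to it would make the file read in order.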
Index: libvirt-acl/examples/xml/nwfilter/no-arp-spoofing-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-arp-spoofing-new.xml
@@ -0,0 +1,4 @@
+<filter name='no-arp-spoofing-new'>
+ <filterref filter='no-arpmac-spoofing'/>
+ <filterref filter='no-arpip-spoofing'/>
+</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-mac-spoofing-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-mac-spoofing-new.xml
@@ -0,0 +1,10 @@
+<filter name='no-mac-spoofing-new' chain='mac'
priority='-800'>
+ <!-- return packets with VM's MAC address as source address -->
+ <rule direction='out' action='return'>
+ <mac srcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule direction='out' action='drop'>
+ <mac/>
+ </rule>
+</filter>
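Review bot: Neither rule here carries a priority attribute, whereas the arpmac/arpip filters in this same series pin their return-before-drop order explicitly (350/400 then 1000); the intended order of the two rules is then left to same-priority tie-breaking by document position, which I would not rely on for a filter whose whole effect depends on the return rule being evaluated first. Suggest `<rule direction='out' action='return' priority='350'>` and `<rule direction='out' action='drop' priority='1000'>` to match the sibling files. The catch-all drop is written as `<mac/>` here but as a bare `<rule ... />` in the ARP filters; picking one form across the series would help readers.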
Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing-new.xml
@@ -0,0 +1,5 @@
+<filter name='no-ip-spoofing-new' chain='ipv4-ip'
priority='-710'>
+ <rule direction='out' action='return'>
+ <ip match='yes' srcipaddr='$IP'/>
+ </rule>
+</filter>
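Review bot: This filter has only a return rule for packets whose source is in $IP and no terminal drop, unlike no-arpip-spoofing, no-arpmac-spoofing and no-mac-spoofing-new, which all end with an explicit drop at priority 1000; an outgoing IPv4 packet with a source address not in $IP therefore falls off the end of the ipv4-ip chain and its fate depends on whatever the parent chain does next, which is not visible in this patch. If the filter is meant to drop spoofed sources, as its name and its use in clean-traffic-new suggest, add `<rule action='drop' direction='out' priority='1000' />` after the return rule and give the return rule an explicit `priority='400'` for the same reason as in the sibling files. If the fall-through is intentional, a comment stating that the ipv4 parent chain is expected to drop would save the next reader the same question.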