2:01 p.m.
On 10/12/2011 03:50 PM, David L Stevens wrote:
[...]
diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
index 23fd753..84aaa3c 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -3,12 +3,16 @@
FILTERS = \
allow-arp.xml \
+ allow-arpip.xml \
+ allow-arpmac.xml \
allow-dhcp-server.xml \
allow-dhcp.xml \
allow-incoming-ipv4.xml \
allow-ipv4.xml \
clean-traffic.xml \
no-arp-spoofing.xml \
+ no-arpmac-spoofing.xml \
+ no-arpip-spoofing.xml \
no-ip-multicast.xml \
no-ip-spoofing.xml \
no-mac-broadcast.xml \
diff --git a/examples/xml/nwfilter/allow-arp.xml b/examples/xml/nwfilter/allow-arp.xml
index 63a92b2..6271ae4 100644
--- a/examples/xml/nwfilter/allow-arp.xml
+++ b/examples/xml/nwfilter/allow-arp.xml
@@ -1,3 +1,4 @@
-<filter name='allow-arp' chain='arp'>
-<rule direction='inout' action='accept'/>
+<filter name='allow-arp' chain='arpmac'>
+<filterref filter='allow-arpmac.xml'/>
+<filterref filter='allow-arpip.xml'/>
</filter>
So the intention here was to remove the 'arp' chain. With
it staying now
I suppose this patch and the allow-arpmac and allow-arpip aren't needed.
diff --git a/examples/xml/nwfilter/allow-arpip.xml
b/examples/xml/nwfilter/allow-arpip.xml
new file mode 100644
index 0000000..6ddb6fe
--- /dev/null
+++ b/examples/xml/nwfilter/allow-arpip.xml
@@ -0,0 +1,3 @@
+<filter name='allow-arpip' chain='arpip'>
+<rule direction='inout' action='accept'/>
+</filter>
Seems no necessary following above.
diff --git a/examples/xml/nwfilter/allow-arpmac.xml
b/examples/xml/nwfilter/allow-arpmac.xml
new file mode 100644
index 0000000..54f6714
--- /dev/null
+++ b/examples/xml/nwfilter/allow-arpmac.xml
@@ -0,0 +1,3 @@
+<filter name='allow-arpmac' chain='arpmac'>
+<rule direction='inout' action='accept'/>
+</filter>
Seems not necessary following above.
diff --git a/examples/xml/nwfilter/clean-traffic.xml
b/examples/xml/nwfilter/clean-traffic.xml
index 40f0ecb..9cee799 100644
--- a/examples/xml/nwfilter/clean-traffic.xml
+++ b/examples/xml/nwfilter/clean-traffic.xml
@@ -11,10 +11,10 @@
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
-<!-- preventing any other traffic than IPv4 and ARP -->
-<filterref filter='no-other-l2-traffic'/>
-
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
+<!-- preventing any other traffic than IPv4 and ARP -->
+<filterref filter='no-other-l2-traffic'/>
+
</filter>
This reshuffeling might make it more intuitive but isn't
necessary.
In the meantime I took some of the hunks here and build a parallel set
of filters (clean-traffic-new). I'll post that series soon. I am not
sure whether we want to have a parallel set in the end, though.
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml
b/examples/xml/nwfilter/no-arp-spoofing.xml
index 3c83acd..1979b20 100644
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -1,17 +1,4 @@
-<filter name='no-arp-spoofing' chain='arp'>
-<uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
-<rule action='drop' direction='out' priority='300'>
-<mac match='no' srcmacaddr='$MAC'/>
-</rule>
-
-<!-- no arp spoofing -->
-<!-- drop if ipaddr or macaddr does not belong to guest -->
-<rule action='drop' direction='out' priority='350'>
-<arp match='no' arpsrcmacaddr='$MAC'/>
-</rule>
-<rule action='drop' direction='out' priority='400'>
-<arp match='no' arpsrcipaddr='$IP' />
-</rule>
-<!-- allow everything else -->
-<rule action='accept' direction='in' priority='425' />
+<filter name='no-arp-spoofing'>
+<filterref filter='no-arpmac-spoofing' />
+<filterref filter='no-arpip-spoofing' />
</filter>
diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml
b/examples/xml/nwfilter/no-arpip-spoofing.xml
new file mode 100644
index 0000000..ee42d40
--- /dev/null
+++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -0,0 +1,12 @@
+<filter name='no-arpip-spoofing' chain='arpip'>
+<!-- no arp spoofing -->
+<!-- drop if ipaddr does not belong to guest -->
+<rule action='return' direction='out' priority='400'>
+<arp match='yes' arpsrcipaddr='$IP' />
+</rule>
+<rule action='return' direction='out' priority='410'>
+<arp match='yes' arpsrcipaddr='0.0.0.0' />
+</rule>
Under what circumstances is the stack allowed to send a 0.0.0.0 as a
response to an ARP request (presumably)? Form what I see 0.0.0.0 could
be any machine whose interface is not configured. At least when using
DHCP the VM would broadcast the request without prior sending of an ARP
request (of course) and from what I remember the DHCP server then sends
the response back to the MAC address it has received the request from
also without ARP request.
+<!-- drop everything else -->
+<rule action='drop' direction='out' priority='1000' />
+</filter>
diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml
b/examples/xml/nwfilter/no-arpmac-spoofing.xml
new file mode 100644
index 0000000..90499d3
--- /dev/null
+++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -0,0 +1,7 @@
+<filter name='no-arpmac-spoofing' chain='arpmac'>
+<rule action='return' direction='out' priority='350'>
+<arp match='yes' arpsrcmacaddr='$MAC'/>
+</rule>
+<!-- drop everything else -->
+<rule action='drop' direction='out' priority='1000' />
+</filter>
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml
b/examples/xml/nwfilter/no-ip-spoofing.xml
index b8c94c8..84e8a5e 100644
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -1,7 +1,9 @@
<filter name='no-ip-spoofing' chain='ipv4'>
<!-- drop if srcipaddr is not the IP address of the guest -->
-<rule action='drop' direction='out'>
-<ip match='no' srcipaddr='$IP' />
+<rule action='return' direction='out'>
+<ip match='yes' srcipaddr='$IP' />
</rule>
+<!-- drop any that don't match the source IP list -->
+<rule action='drop' direction='out' />
</filter>
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml
b/examples/xml/nwfilter/no-mac-spoofing.xml
index f210623..aee56c7 100644
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -1,5 +1,9 @@
-<filter name='no-mac-spoofing' chain='ipv4'>
-<rule action='drop' direction='out' priority='10'>
-<mac match='no' srcmacaddr='$MAC' />
-</rule>
+<filter name='no-mac-spoofing' chain='mac'>
+<!-- no mac spoofing -->
+<!-- drop if macaddr does not belong to guest -->
+<rule action='return' direction='out' priority='350'>
+<mac match='yes' srcmacaddr='$MAC'/>
+</rule>
+<!-- drop everything else -->
+<rule action='drop' direction='out' priority='1000' />
</filter>
diff --git a/examples/xml/nwfilter/no-other-l2-traffic.xml
b/examples/xml/nwfilter/no-other-l2-traffic.xml
index 8bad86e..0501b1a 100644
--- a/examples/xml/nwfilter/no-other-l2-traffic.xml
+++ b/examples/xml/nwfilter/no-other-l2-traffic.xml
@@ -1,7 +1,12 @@
-<filter name='no-other-l2-traffic'>
+<filter name='no-other-l2-traffic' chain='root'>
-<!-- drop all other l2 traffic than for which rules have been
- written for; i.e., drop all other than arp and ipv4 traffic -->
-<rule action='drop' direction='inout' priority='1000'/>
+<!-- drop all other than arp and ipv4 traffic -->
+<rule action='accept' direction='inout'>
+<mac protocolid='0x800' />
+</rule>
+<rule action='accept' direction='inout'>
+<mac protocolid='0x806' />
+</rule>
+<rule action='drop' direction='inout' priority='1000' />
With the pending patches, this one looks a little different now.
Stefan