[libvirt] [PATCH] nwfilter: Update of filters to handle multiple IP addresses

With fragments borrowed from David Steven's previous submission and some further modifications: A set of modifications to existing filters to handle multiple IP addresses (and MAC addresses) per interface. Also: - enable DHCP traffic from VM to any DHCP server - will require an update to a libvirt-tck data file Signed-off-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> --- examples/xml/nwfilter/Makefile.am | 2 + examples/xml/nwfilter/clean-traffic.xml | 12 +++++++- examples/xml/nwfilter/no-arp-ip-spoofing.xml | 9 ++++++ examples/xml/nwfilter/no-arp-mac-spoofing.xml | 7 ++++ examples/xml/nwfilter/no-arp-spoofing.xml | 38 ++------------------------ examples/xml/nwfilter/no-ip-spoofing.xml | 17 ++++++++--- examples/xml/nwfilter/no-mac-spoofing.xml | 11 +++++-- 7 files changed, 52 insertions(+), 44 deletions(-) Index: libvirt-acl/examples/xml/nwfilter/Makefile.am =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/Makefile.am +++ libvirt-acl/examples/xml/nwfilter/Makefile.am @@ -9,6 +9,8 @@ FILTERS = \ allow-ipv4.xml \ clean-traffic.xml \ no-arp-spoofing.xml \ + no-arp-ip-spoofing.xml \ + no-arp-mac-spoofing.xml \ no-ip-multicast.xml \ no-ip-spoofing.xml \ no-mac-broadcast.xml \ Index: libvirt-acl/examples/xml/nwfilter/no-arp-ip-spoofing.xml =================================================================== --- /dev/null +++ libvirt-acl/examples/xml/nwfilter/no-arp-ip-spoofing.xml 
@@ -0,0 +1,9 @@ +<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'> + <!-- no arp spoofing --> + <!-- drop if ipaddr does not belong to guest --> + <rule action='return' direction='out' priority='400' > + <arp match='yes' arpsrcipaddr='$IP' /> + </rule> + <!-- drop everything else --> + <rule action='drop' direction='out' priority='1000' /> +</filter> Index: libvirt-acl/examples/xml/nwfilter/no-arp-mac-spoofing.xml =================================================================== --- /dev/null +++ libvirt-acl/examples/xml/nwfilter/no-arp-mac-spoofing.xml @@ -0,0 +1,7 @@ +<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'> + <rule action='return' direction='out' priority='350' > + <arp match='yes' arpsrcmacaddr='$MAC'/> + </rule> + <!-- drop everything else --> + <rule action='drop' direction='out' priority='1000' /> +</filter> Index: libvirt-acl/examples/xml/nwfilter/clean-traffic.xml =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/clean-traffic.xml +++ libvirt-acl/examples/xml/nwfilter/clean-traffic.xml @@ -1,4 +1,4 @@ -<filter name='clean-traffic'> +<filter name='clean-traffic' chain='root'> <!-- An example of a traffic filter enforcing clean traffic from a VM by - preventing MAC spoofing --> 
@@ -6,11 +6,21 @@ <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming --> <filterref filter='no-ip-spoofing'/> + + <rule direction='out' action='accept' priority='-650'> + <mac protocolid='ipv4'/> + </rule> + <filterref filter='allow-incoming-ipv4'/> <!-- preventing ARP spoofing/poisoning --> <filterref filter='no-arp-spoofing'/> + <!-- accept all other incoming and outgoing ARP traffic --> + <rule action='accept' direction='inout' priority='-500'> + <mac protocolid='arp'/> + </rule> + <!-- preventing any other traffic than IPv4 and ARP --> <filterref filter='no-other-l2-traffic'/> Index: libvirt-acl/examples/xml/nwfilter/no-mac-spoofing.xml =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/no-mac-spoofing.xml +++ libvirt-acl/examples/xml/nwfilter/no-mac-spoofing.xml @@ -1,5 +1,10 @@ -<filter name='no-mac-spoofing' chain='ipv4'> - <rule action='drop' direction='out' priority='10'> - <mac match='no' srcmacaddr='$MAC' /> +<filter name='no-mac-spoofing' chain='mac' priority='-800'> + <!-- return packets with VM's MAC address as source address --> + <rule direction='out' action='return'> + <mac srcmacaddr='$MAC'/> + </rule> + <!-- drop everything else --> + <rule direction='out' action='drop'> + <mac/> </rule> </filter> Index: libvirt-acl/examples/xml/nwfilter/no-arp-spoofing.xml =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/no-arp-spoofing.xml +++ libvirt-acl/examples/xml/nwfilter/no-arp-spoofing.xml 
@@ -1,36 +1,4 @@ -<filter name='no-arp-spoofing' chain='arp'> - <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid> - <rule action='drop' direction='out' priority='300' > - <mac match='no' srcmacaddr='$MAC'/> - </rule> - - <!-- no arp spoofing --> - <!-- drop if ipaddr or macaddr does not belong to guest --> - <rule action='drop' direction='out' priority='350' > - <arp match='no' arpsrcmacaddr='$MAC'/> - </rule> - <rule action='drop' direction='out' priority='400' > - <arp match='no' arpsrcipaddr='$IP' /> - </rule> - <!-- allow gratuitous arp --> - <rule action='accept' direction='in' priority='425'> - <arp gratuitous='true'/> - </rule> - <!-- drop if ipaddr or macaddr does not belong to guest --> - <rule action='drop' direction='in' priority='450' > - <arp match='no' arpdstmacaddr='$MAC'/> - <arp opcode='reply'/> - </rule> - <rule action='drop' direction='in' priority='500' > - <arp match='no' arpdstipaddr='$IP' /> - </rule> - <!-- accept only request or reply packets --> - <rule action='accept' direction='inout' priority='600' > - <arp opcode='request'/> - </rule> - <rule action='accept' direction='inout' priority='650' > - <arp opcode='reply'/> - </rule> - <!-- drop everything else --> - <rule action='drop' direction='inout' priority='1000' /> +<filter name='no-arp-spoofing' chain='root'> + <filterref filter='no-arp-mac-spoofing'/> + <filterref filter='no-arp-ip-spoofing'/> </filter> Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/no-ip-spoofing.xml +++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml 
@@ -1,7 +1,14 @@ -<filter name='no-ip-spoofing' chain='ipv4'> +<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'> + <!-- allow DHCP requests --> + <rule action='accept' direction='out' priority='100'> + <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' srcportend='68'/> + </rule> - <!-- drop if srcipaddr is not the IP address of the guest --> - <rule action='drop' direction='out'> - <ip match='no' srcipaddr='$IP' /> - </rule> + <!-- allow all known IP addresses --> + <rule direction='out' action='return' priority='500'> + <ip srcipaddr='$IP'/> + </rule> + + <!-- drop everything else --> + <rule direction='out' action='drop' priority='1000'/> </filter>
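Review bot: the new no-arp-ip-spoofing.xml comment "drop if ipaddr does not belong to guest" sits directly above a rule whose action is 'return' on a positive match ("<arp match='yes' arpsrcipaddr='$IP' />"), so the comment no longer describes the rule beneath it; the drop now happens in the catch-all at priority 1000. Suggest rewording to something like "return if ipaddr belongs to guest" so the comment matches the inverted logic of the rewritten filter.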
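Review bot: in the clean-traffic.xml hunk the new outgoing IPv4 accept rule ("<rule direction='out' action='accept' priority='-650'>" with "<mac protocolid='ipv4'/>") has no explanatory comment, while the ARP accept rule added in the same hunk does ("accept all other incoming and outgoing ARP traffic"). Since this rule is what turns the 'return' from the no-ip-spoofing sub-filter into a final accept, a one-line comment stating that would help readers who use this file as the reference example.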
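Review bot: the two rules in the rewritten no-mac-spoofing.xml ("<rule direction='out' action='return'>" and "<rule direction='out' action='drop'>") carry no priority attribute, unlike every other filter touched by this patch, so the return-before-drop ordering depends on default priority and document order. Suggest giving them explicit priorities (e.g. a low value for the return rule and 1000 for the drop rule, matching the other filters) so the ordering is stated rather than implied.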
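Review bot: the no-arp-spoofing.xml hunk silently removes all inbound ARP checks (the direction='in' rules on arpdstmacaddr/arpdstipaddr and the gratuitous-ARP accept) and the "accept only request or reply packets" opcode restriction, replacing them with two outbound-only sub-filters, while the clean-traffic.xml hunk now accepts any other ARP traffic in both directions. The commit message only mentions multiple-address support and DHCP; it should document that inbound ARP filtering and the opcode restriction are intentionally dropped, or the old inbound rules should be carried over into the new sub-filters.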
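Review bot: the DHCP rule added to no-ip-spoofing.xml ("<ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' srcportend='68'/>") constrains only the source port, so any UDP datagram sourced from 0.0.0.0:68 is accepted regardless of destination port. Since the stated intent is "DHCP traffic from VM to any DHCP server", consider also adding dstportstart='67' dstportend='67' so the exception is limited to the DHCP server port.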

On 11/28/2011 09:15 AM, Stefan Berger wrote:
With fragments borrowed from David Steven's previous submission and some further modifications:
A set of modifications to existing filters to handle multiple IP addresses (and MAC addresses) per interface.
Also: - enable DHCP traffic from VM to any DHCP server - will require an update to a libvirt-tck data file
Signed-off-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
--- examples/xml/nwfilter/Makefile.am | 2 + examples/xml/nwfilter/clean-traffic.xml | 12 +++++++- examples/xml/nwfilter/no-arp-ip-spoofing.xml | 9 ++++++ examples/xml/nwfilter/no-arp-mac-spoofing.xml | 7 ++++ examples/xml/nwfilter/no-arp-spoofing.xml | 38 ++------------------------
Lines like this,
@@ -1,4 +1,4 @@ -<filter name='clean-traffic'> +<filter name='clean-traffic' chain='root'> <!-- An example of a traffic filter enforcing clean traffic
and corrupted indentation like this, are making 'git am' reject this patch. Would you mind resubmitting it?
-- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On 11/28/2011 09:15 AM, Stefan Berger wrote:
With fragments borrowed from David Steven's previous submission and some further modifications:
A set of modifications to existing filters to handle multiple IP addresses (and MAC addresses) per interface.
Also: - enable DHCP traffic from VM to any DHCP server - will require an update to a libvirt-tck data file
Signed-off-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
I didn't try to repair the patch, so I didn't compile test it, but I can at least give a v1 review. I do think it is worth including in 0.9.8, since it can be argued that this is just rounding out the nwfilter multiple address fix already going into the release, and since the code was submitted for review pre-freeze. At any rate, glancing through it, it looks okay. ACK.
-- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On 12/01/2011 06:14 PM, Eric Blake wrote:
On 11/28/2011 09:15 AM, Stefan Berger wrote:
With fragments borrowed from David Steven's previous submission and some further modifications:
A set of modifications to existing filters to handle multiple IP addresses (and MAC addresses) per interface.
Also: - enable DHCP traffic from VM to any DHCP server - will require an update to a libvirt-tck data file
Signed-off-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
I didn't try to repair the patch, so I didn't compile test it, but I can at least give a v1 review. I do think it is worth including in 0.9.8, since it can be argued that this is just rounding out the nwfilter multiple address fix already going into the release, and since the code was submitted for review pre-freeze.
At any rate, glancing through it, it looks okay.
ACK.
Pushed.