7:11 a.m.
Hello,
I am currently investigating the possibility to implement MAC address
based filtering in libvirt and was wondering if there is any related
effort going on and what people in general would think about that.
Here is a description of my current prototype implementation:
I have a small setup of two guests and a network:
Guest1:
root@stenzel-desktop:/etc/libvirt/qemu# cat build1.xml
<domain type='kvm'>
<name>build1</name>
...
<interface type='network'>
<mac address='D0:0F:D0:0F:02:01'/>
<source network='mynet'/>
<model type='virtio' />
</interface>
...
</domain>
Guest2:
root@stenzel-desktop:/etc/libvirt/qemu# cat build2.xml
<domain type='kvm'>
<name>build2</name>
...
<interface type='network'>
<mac address='D0:0F:D0:0F:02:02'/>
<source network='mynet'/>
<model type='virtio' />
</interface>
...
</domain>
and the network to which I added a new XML element "filter" with
attribute "mac", which switches on the MAC address filtering:
root@stenzel-desktop:/etc/libvirt/qemu# cat networks/mynet.xml
<network>
<name>mynet</name>
<uuid>920debe0-c3ef-4395-8241-ee82d4b49c2d</uuid>
<bridge name="br%d" stp="off"/>
<filter mac="on"/>
</network>
the "filter" element is evaluated at startup of libvirtd and a generic
ebtables rules is generated (all frames are dropped):
stenzel@stenzel-desktop:~/projects/vsn/libvirt$ sudo ebtables -L
Bridge table: filter
...
Bridge chain: FORWARD, entries: 0, policy: DROP
...
When starting up guest1, ...
stenzel@stenzel-desktop:~/projects/vsn/libvirt$ sudo virsh start build1
Domain build1 started
... an ebtables rule is generated to allow its mac address on the its
interface:
stenzel@stenzel-desktop:~/projects/vsn/libvirt$ sudo ebtables -L
...
Bridge chain: FORWARD, entries: 1, policy: DROP
-s d0:f:d0:f:2:1 -i vnet0 -j ACCEPT
...
the same happens when starting up the second guest:
stenzel@stenzel-desktop:~/projects/vsn/libvirt$ sudo virsh start build2
Domain build2 started
stenzel@stenzel-desktop:~/projects/vsn/libvirt$ sudo ebtables -L
...
Bridge chain: FORWARD, entries: 2, policy: DROP
-s d0:f:d0:f:2:2 -i vnet1 -j ACCEPT
-s d0:f:d0:f:2:1 -i vnet0 -j ACCEPT
...
so the two guests are allowed to communicate.
After destroying the two guests, the corresponding ebtables rules are
removed:
stenzel@stenzel-desktop:~/projects/vsn/libvirt$ sudo virsh destroy
build2
Domain build2 destroyed
stenzel@stenzel-desktop:~/projects/vsn/libvirt$ sudo ebtables -L
...
Bridge chain: FORWARD, entries: 1, policy: DROP
-s d0:f:d0:f:2:1 -i vnet0 -j ACCEPT
...
stenzel@stenzel-desktop:~/projects/vsn/libvirt$ sudo virsh destroy
build1
Domain build1 destroyed
stenzel@stenzel-desktop:~/projects/vsn/libvirt$ sudo ebtables -L
...
Bridge chain: FORWARD, entries: 0, policy: DROP
...
The current prototype implementation is based on the existing iptables
wrapper in libvirt. I basically cloned the iptables wrapper to an
ebtables wrapper and did some ebtables specific adjustments. There are
currenlty four occasions when the ebtables wrapper is called:
- when creating the network
- when adding a guest to the network
- when removing a guest from the network
- when destroying the network (currently not implemented)
These calls can be augmented to also do for example tagged vlan and
protocol filtering.
Configuring the filter rules via virsh is also an option.
Comments are appreciated.
--
Best regards,
Gerhard Stenzel,
-----------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Martin Jetter
Geschäftsführung: Erich Baier
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294
7:35 a.m.
On Wed, Aug 19, 2009 at 02:11:14PM +0200, Gerhard Stenzel wrote:
Hello,
I am currently investigating the possibility to implement MAC address
based filtering in libvirt and was wondering if there is any related
effort going on and what people in general would think about that.
Great, we certainly need these feature
and the network to which I added a new XML element "filter"
with
attribute "mac", which switches on the MAC address filtering:
root@stenzel-desktop:/etc/libvirt/qemu# cat networks/mynet.xml
<network>
<name>mynet</name>
<uuid>920debe0-c3ef-4395-8241-ee82d4b49c2d</uuid>
<bridge name="br%d" stp="off"/>
<filter mac="on"/>
</network>
the "filter" element is evaluated at startup of libvirtd and a generic
ebtables rules is generated (all frames are dropped):
I think this extra XML element is probably redundant - we should always do
MAC filtering at all times, on all bridges. Not simply those used in a
virtual network, but also those connected to a real physical device too.
I could see having a QEMU driver level configuration option in
/etc/libvirt/qemu.conf though, to turn filtering on/off for the
host as a whole though.
The current prototype implementation is based on the existing
iptables
wrapper in libvirt. I basically cloned the iptables wrapper to an
ebtables wrapper and did some ebtables specific adjustments. There are
currenlty four occasions when the ebtables wrapper is called:
- when creating the network
What do you do to ebtables at this point ?
- when adding a guest to the network
- when removing a guest from the network
Isn't it sufficient to only use ebtables in these two places ?
- when destroying the network (currently not implemented)
These calls can be augmented to also do for example tagged vlan and
protocol filtering.
We probably also want to be able todo IP address filtering too.
ie, if the guest XML has an <ip address> element inside the <interface>
then we should add rules to ensure only IP traffic matching that
source/target address is allowed to pass out/in
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
7:54 a.m.
On Wed, 2009-08-19 at 13:35 +0100, Daniel P. Berrange wrote:
On Wed, Aug 19, 2009 at 02:11:14PM +0200, Gerhard Stenzel wrote:
...
I think this extra XML element is probably redundant - we should
always do
MAC filtering at all times, on all bridges. Not simply those used in a
virtual network, but also those connected to a real physical device too.
I used the extra XML element as a means to switch filtering on and off,
I am not passionate about it.
I could see having a QEMU driver level configuration option in
/etc/libvirt/qemu.conf though, to turn filtering on/off for the
host as a whole though.
Fine with me, if that is the preferred way.
> The current prototype implementation is based on the existing
iptables
> wrapper in libvirt. I basically cloned the iptables wrapper to an
> ebtables wrapper and did some ebtables specific adjustments. There are
> currenlty four occasions when the ebtables wrapper is called:
> - when creating the network
What do you do to ebtables at this point ?
The "filter" element is evaluated at startup of libvirtd and a generic
ebtables rules is generated to drop all frames. This could be changed to
use the config option.
> - when adding a guest to the network
> - when removing a guest from the network
Isn't it sufficient to only use ebtables in these two places ?
I think some generic settings should be dowe at libvirtd startup ...
> - when destroying the network (currently not implemented)
... and some reasonable state should be restored at libvirtd shutdown,
but that might be unnecessary.
> These calls can be augmented to also do for example tagged vlan and
> protocol filtering.
We probably also want to be able todo IP address filtering too.
IP address filtering, VLAN tag filtering and similar are further down on my list.
ie, if the guest XML has an <ip address> element inside the
<interface>
then we should add rules to ensure only IP traffic matching that
source/target address is allowed to pass out/in
Daniel
--
Best regards,
Gerhard Stenzel,
-----------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Martin Jetter
Geschäftsführung: Erich Baier
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294
5573
days inactive
5573
days old
2 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Gerhard Stenzel