[PATCH 0/3] IPV6 filters example.

Add nwfilter examples for ipv6 similar to existing ip filters. Add appropriate docs for them and for some previously undocumented but existing filters. Also fix a typo and some formatting.

Aleksandr Alekseev (3):
  example: fix typo and formatting
  example: add ipv6 filters examples
  doc: document new filters and not documented ones

 docs/firewall.html.in                    |  9 ++++++
 docs/formatnwfilter.html.in              | 41 ++++++++++++++++++++++--
 src/nwfilter/xml/allow-dhcp-server.xml   |  4 +--
 src/nwfilter/xml/allow-dhcp.xml          |  4 +--
 src/nwfilter/xml/allow-dhcpv6-server.xml | 27 ++++++++++++++++
 src/nwfilter/xml/allow-dhcpv6.xml        | 24 ++++++++++++++
 src/nwfilter/xml/allow-incoming-ipv6.xml |  3 ++
 src/nwfilter/xml/allow-ipv6.xml          |  3 ++
 src/nwfilter/xml/meson.build             |  6 ++++
 src/nwfilter/xml/no-ipv6-multicast.xml   |  9 ++++++
 src/nwfilter/xml/no-ipv6-spoofing.xml    | 15 +++++++++
 11 files changed, 138 insertions(+), 7 deletions(-)
 create mode 100644 src/nwfilter/xml/allow-dhcpv6-server.xml
 create mode 100644 src/nwfilter/xml/allow-dhcpv6.xml
 create mode 100644 src/nwfilter/xml/allow-incoming-ipv6.xml
 create mode 100644 src/nwfilter/xml/allow-ipv6.xml
 create mode 100644 src/nwfilter/xml/no-ipv6-multicast.xml
 create mode 100644 src/nwfilter/xml/no-ipv6-spoofing.xml

-- 
2.28.0.97.gdc04167d37

Signed-off-by: Aleksandr Alekseev <alexander.alekseev@virtuozzo.com> --- src/nwfilter/xml/allow-dhcp-server.xml | 4 ++-- src/nwfilter/xml/allow-dhcp.xml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/nwfilter/xml/allow-dhcp-server.xml b/src/nwfilter/xml/allow-dhcp-server.xml index 37e708ed4b..7fb426a660 100644 --- a/src/nwfilter/xml/allow-dhcp-server.xml +++ b/src/nwfilter/xml/allow-dhcp-server.xml @@ -1,7 +1,7 @@ <filter name='allow-dhcp-server' chain='ipv4'> - <!-- accept outgoing DHCP requests --> - <!-- note, this rule must be evaluated before general MAC broadcast + <!-- accept outgoing DHCP requests + note, this rule must be evaluated before general MAC broadcast traffic is discarded since DHCP requests use MAC broadcast --> <rule action='accept' direction='out' priority='100'> <ip srcipaddr='0.0.0.0' diff --git a/src/nwfilter/xml/allow-dhcp.xml b/src/nwfilter/xml/allow-dhcp.xml index d66d2b6668..d205176011 100644 --- a/src/nwfilter/xml/allow-dhcp.xml +++ b/src/nwfilter/xml/allow-dhcp.xml @@ -1,7 +1,7 @@ <filter name='allow-dhcp' chain='ipv4'> - <!-- accept outgoing DHCP requests --> - <!-- not, this rule must be evaluated before general MAC broadcast + <!-- accept outgoing DHCP requests + note, this rule must be evaluated before general MAC broadcast traffic is discarded since DHCP requests use MAC broadcast --> <rule action='accept' direction='out' priority='100'> <ip srcipaddr='0.0.0.0' -- 2.28.0.97.gdc04167d37
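Review bot: in both the allow-dhcp-server.xml and allow-dhcp.xml hunks the two comment lines are folded into a single `<!-- ... -->`, but the join is left as "accept outgoing DHCP requests" followed directly by "note, this rule must be evaluated ..." with no punctuation between them, so the merged comment now reads as one run-on sentence; a full stop after "requests" (as the DHCPv6 copies later in this series write it) keeps the two remarks separate. The "not" to "note" typo fix in allow-dhcp.xml is correct.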

Signed-off-by: Aleksandr Alekseev <alexander.alekseev@virtuozzo.com> --- src/nwfilter/xml/allow-dhcpv6-server.xml | 27 ++++++++++++++++++++++++ src/nwfilter/xml/allow-dhcpv6.xml | 24 +++++++++++++++++++++ src/nwfilter/xml/allow-incoming-ipv6.xml | 3 +++ src/nwfilter/xml/allow-ipv6.xml | 3 +++ src/nwfilter/xml/meson.build | 6 ++++++ src/nwfilter/xml/no-ipv6-multicast.xml | 9 ++++++++ src/nwfilter/xml/no-ipv6-spoofing.xml | 15 +++++++++++++ 7 files changed, 87 insertions(+) create mode 100644 src/nwfilter/xml/allow-dhcpv6-server.xml create mode 100644 src/nwfilter/xml/allow-dhcpv6.xml create mode 100644 src/nwfilter/xml/allow-incoming-ipv6.xml create mode 100644 src/nwfilter/xml/allow-ipv6.xml create mode 100644 src/nwfilter/xml/no-ipv6-multicast.xml create mode 100644 src/nwfilter/xml/no-ipv6-spoofing.xml diff --git a/src/nwfilter/xml/allow-dhcpv6-server.xml b/src/nwfilter/xml/allow-dhcpv6-server.xml new file mode 100644 index 0000000000..214a95f412 --- /dev/null +++ b/src/nwfilter/xml/allow-dhcpv6-server.xml @@ -0,0 +1,27 @@ +<filter name='allow-dhcpv6-server' chain='ipv6'> + + <!-- accept outgoing DHCP requests. + note, this rule must be evaluated before general MAC broadcast + traffic is discarded since DHCP requests use MAC broadcast. + according to https://tools.ietf.org/html/rfc3315#section-14, + client sends messages to FF02::1:2 from link-local addresses --> + <rule action='accept' direction='out' priority='100'> + <ipv6 protocol='udp' + srcipaddr='FE80::' + srcipmask='10' + dstipaddr='FF02::1:2' + srcportstart='546' + dstportstart='547'/> + </rule> + + <!-- accept incoming DHCP responses from a specific DHCP server + parameter DHPCSERVER needs to be passed from where this filter is + referenced --> + <rule action='accept' direction='in' priority='100' > + <ipv6 srcipaddr='$DHCPSERVER' + protocol='udp' + srcportstart='547' + dstportstart='546'/> + </rule> + +</filter> 
diff --git a/src/nwfilter/xml/allow-dhcpv6.xml b/src/nwfilter/xml/allow-dhcpv6.xml new file mode 100644 index 0000000000..f3512af153 --- /dev/null +++ b/src/nwfilter/xml/allow-dhcpv6.xml @@ -0,0 +1,24 @@ +<filter name='allow-dhcpv6' chain='ipv6'> + + <!-- accept outgoing DHCP requests. + note, this rule must be evaluated before general MAC broadcast + traffic is discarded since DHCP requests use MAC broadcast. + according to https://tools.ietf.org/html/rfc3315#section-14, + client sends messages to FF02::1:2 from link-local addresses --> + <rule action='accept' direction='out' priority='100'> + <ipv6 protocol='udp' + srcipaddr='FE80::' + srcipmask='10' + dstipaddr='FF02::1:2' + srcportstart='546' + dstportstart='547'/> + </rule> + + <!-- accept incoming DHCP responses from any DHCP server --> + <rule action='accept' direction='in' priority='100' > + <ipv6 protocol='udp' + srcportstart='547' + dstportstart='546'/> + </rule> + +</filter> diff --git a/src/nwfilter/xml/allow-incoming-ipv6.xml b/src/nwfilter/xml/allow-incoming-ipv6.xml new file mode 100644 index 0000000000..93e1b18784 --- /dev/null +++ b/src/nwfilter/xml/allow-incoming-ipv6.xml @@ -0,0 +1,3 @@ +<filter name='allow-incoming-ipv6' chain='ipv6'> + <rule direction='in' action='accept'/> +</filter> diff --git a/src/nwfilter/xml/allow-ipv6.xml b/src/nwfilter/xml/allow-ipv6.xml new file mode 100644 index 0000000000..8da5188cb9 --- /dev/null +++ b/src/nwfilter/xml/allow-ipv6.xml @@ -0,0 +1,3 @@ +<filter name='allow-ipv6' chain='ipv6'> + <rule direction='inout' action='accept'/> +</filter> diff --git a/src/nwfilter/xml/meson.build b/src/nwfilter/xml/meson.build index 95af75bb15..0d96c54ebe 100644 --- a/src/nwfilter/xml/meson.build +++ b/src/nwfilter/xml/meson.build 
@@ -2,8 +2,12 @@ nwfilter_xml_files = [ 'allow-arp.xml', 'allow-dhcp-server.xml', 'allow-dhcp.xml', + 'allow-dhcpv6-server.xml', + 'allow-dhcpv6.xml', 'allow-incoming-ipv4.xml', + 'allow-incoming-ipv6.xml', 'allow-ipv4.xml', + 'allow-ipv6.xml', 'clean-traffic-gateway.xml', 'clean-traffic.xml', 'no-arp-ip-spoofing.xml', @@ -11,6 +15,8 @@ nwfilter_xml_files = [ 'no-arp-spoofing.xml', 'no-ip-multicast.xml', 'no-ip-spoofing.xml', + 'no-ipv6-multicast.xml', + 'no-ipv6-spoofing.xml', 'no-mac-broadcast.xml', 'no-mac-spoofing.xml', 'no-other-l2-traffic.xml', diff --git a/src/nwfilter/xml/no-ipv6-multicast.xml b/src/nwfilter/xml/no-ipv6-multicast.xml new file mode 100644 index 0000000000..a736366374 --- /dev/null +++ b/src/nwfilter/xml/no-ipv6-multicast.xml @@ -0,0 +1,9 @@ +<filter name='no-ipv6-multicast' chain='ipv6'> + + <!-- drop if destination IP address is in the ff00::/8 subnet --> + <rule action='drop' direction='out'> + <ipv6 dstipaddr='FF00::' dstipmask='8' /> + </rule> + + <!-- not doing anything with receiving side ... --> +</filter> diff --git a/src/nwfilter/xml/no-ipv6-spoofing.xml b/src/nwfilter/xml/no-ipv6-spoofing.xml new file mode 100644 index 0000000000..a9ca690345 --- /dev/null +++ b/src/nwfilter/xml/no-ipv6-spoofing.xml @@ -0,0 +1,15 @@ +<filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-610'> + <!-- allow UDP sent from link-local addresses (DHCP); + filter more exact later --> + <rule action='return' direction='out' priority='100'> + <ipv6 srcipaddr='FE80::' srcipmask='10' protocol='udp'/> + </rule> + + <!-- allow all known IP addresses --> + <rule direction='out' action='return' priority='500'> + <ipv6 srcipaddr='$IPV6'/> + </rule> + + <!-- drop everything else --> + <rule direction='out' action='drop' priority='1000'/> +</filter> -- 2.28.0.97.gdc04167d37
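Review bot: in the allow-dhcpv6-server.xml hunk the comment on the incoming rule says "parameter DHPCSERVER needs to be passed" while the rule itself expands `$DHCPSERVER`; the spelling in the comment should match the variable name the filter actually requires, since that is what a user will search for. In the same file, and copied into allow-dhcpv6.xml, the sentence "DHCP requests use MAC broadcast" is carried over from the IPv4 filter and is not accurate for IPv6: a client Solicit goes to the FF02::1:2 group that the rule matches, which maps to an Ethernet multicast destination rather than the broadcast MAC, so the "must be evaluated before ... MAC broadcast traffic is discarded" remark should be reworded to name the multicast traffic (and whichever rule would discard it) instead.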
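Review bot: the no-ipv6-multicast.xml hunk drops every outgoing packet to FF00::/8 with no exceptions. That is a faithful mirror of no-ip-multicast, but the two protocols differ in what lives in that range: in IPv4 address resolution is ARP, a separate L2 protocol this chain never sees, whereas in IPv6 neighbour solicitation, router solicitation and the DHCPv6 exchange in this same series are all sent to FF02::/16 groups, so a VM carrying this filter on its own cannot resolve its gateway or obtain an address. Either add `action='return'` rules for the ICMPv6 NDP groups (FF02::1, FF02::2 and the solicited-node range FF02::1:FF00:0/104) and for FF02::1:2 ahead of the drop, or state the limitation in the filter comment and in the docs row added in patch 3 so operators combine it deliberately.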
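Review bot: the first rule in no-ipv6-spoofing.xml returns any UDP datagram whose source falls in FE80::/10, so the filter leaves the whole link-local range spoofable for UDP, which is much wider than the IPv4 counterpart's exception for the single unspecified address 0.0.0.0. If the exception exists for DHCPv6 as the comment says, narrow it to what DHCPv6 needs, `dstipaddr='FF02::1:2' srcportstart='546' dstportstart='547'`, or drop it and require the VM's link-local address to be listed in `$IPV6`. Also note that only UDP is excepted: ICMPv6 neighbour and router solicitations sent from the link-local address fall through to the priority-1000 drop unless that address is in `$IPV6`, so the comment (and the docs row in patch 3) should say that `IPV6` must include the link-local address for IPv6 to work at all under this filter.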

Signed-off-by: Aleksandr Alekseev <alexander.alekseev@virtuozzo.com> --- docs/firewall.html.in | 9 ++++++++ docs/formatnwfilter.html.in | 41 ++++++++++++++++++++++++++++++++++--- 2 files changed, 47 insertions(+), 3 deletions(-) diff --git a/docs/firewall.html.in b/docs/firewall.html.in index 62f37e0eea..15b4f397be 100644 --- a/docs/firewall.html.in +++ b/docs/firewall.html.in @@ -283,12 +283,21 @@ UUID Name 15b1ab2b-b1ac-1be2-ed49-2042caba4abb allow-arp 6c51a466-8d14-6d11-46b0-68b1a883d00f allow-dhcp 7517ad6c-bd90-37c8-26c9-4eabcb69848d allow-dhcp-server +7680776c-77aa-496f-90d6-13097664b925 allow-dhcpv6 +9cdaad60-7631-4172-8ccb-ef774be7485b allow-dhcpv6-server 3d38b406-7cf0-8335-f5ff-4b9add35f288 allow-incoming-ipv4 +908543c1-902e-45f6-a6ca-1a0ad35e7599 allow-incoming-ipv6 5ff06320-9228-2899-3db0-e32554933415 allow-ipv4 +ce8904cc-ad3a-4454-896c-53452882f817 allow-ipv6 db0b1767-d62b-269b-ea96-0cc8b451144e clean-traffic +6d6ddcc8-1242-4c43-ac63-63af80493132 clean-traffic-gateway +4cf38077-c7d5-4e25-99bb-6c4c9efad294 no-arp-ip-spoofing +0b11a636-ce58-497f-be90-17f63c92487a no-arp-mac-spoofing f88f1932-debf-4aa1-9fbe-f10d3aa4bc95 no-arp-spoofing 772f112d-52e4-700c-0250-e178a3d91a7a no-ip-multicast 7ee20370-8106-765d-f7ff-8a60d5aaf30b no-ip-spoofing +f8a51c43-a08f-49b3-b9e2-393d54522dc0 no-ipv6-multicast +a7f0afe9-a428-44b8-8566-c8ee2a669271 no-ipv6-spoofing d5d3c490-c2eb-68b1-24fc-3ee362fc8af3 no-mac-broadcast fb57c546-76dc-a372-513f-e8179011b48a no-mac-spoofing dba10ea7-446d-76de-346f-335bd99c1d05 no-other-l2-traffic diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in index 796c16549d..04aeda06ec 100644 --- a/docs/formatnwfilter.html.in +++ b/docs/formatnwfilter.html.in @@ -467,8 +467,7 @@ DSTPORTS = [ 80, 8080 ] </tr> <tr> <td> IPV6 </td> - <td> Not currently implemented: - the list of IPV6 addresses in use by an interface </td> + <td> The list of IPV6 addresses in use by an interface </td> </tr> <tr> <td> DHCPSERVER </td> 
@@ -2011,11 +2010,35 @@ echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout only allows ARP request and reply messages and enforces that those packets contain the MAC and IP addresses of the VM.</td> + </tr> + <tr> + <td> allow-arp </td> + <td> Allow ARP traffic in both directions</td> + </tr> + <tr> + <td> allow-ipv4 </td> + <td> Allow IPv4 traffic in both directions</td> + </tr> + <tr> + <td> allow-ipv6 </td> + <td> Allow IPv6 traffic in both directions</td> + </tr> + <tr> + <td> allow-incoming-ipv4 </td> + <td> Allow incoming IPv4 traffic</td> + </tr> + <tr> + <td> allow-incoming-ipv6 </td> + <td> Allow incoming IPv6 traffic</td> </tr> <tr> <td> allow-dhcp </td> <td> Allow a VM to request an IP address via DHCP (from any DHCP server)</td> + </tr> + <tr> + <td> allow-dhcpv6 </td> + <td> Similar to allow-dhcp, but for DHCPv6 </td> </tr> <tr> <td> allow-dhcp-server </td> @@ -2023,16 +2046,28 @@ echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout DHCP server. The dotted decimal IP address of the DHCP server must be provided in a reference to this filter. The name of the variable must be <i>DHCPSERVER</i>.</td> + </tr> + <tr> + <td> allow-dhcpv6-server </td> + <td> Similar to allow-dhcp-server, but for DHCPv6 </td> </tr> <tr> <td> no-ip-spoofing </td> - <td> Prevent a VM from sending of IP packets with + <td> Prevent a VM from sending of IPv4 packets with a source IP address different from the one in the packet. </td> + </tr> + <tr> + <td> no-ipv6-spoofing </td> + <td> Similar to no-ip-spoofing, but for IPv6 </td> </tr> <tr> <td> no-ip-multicast </td> <td> Prevent a VM from sending IP multicast packets. </td> + </tr> + <tr> + <td> no-ipv6-multicast </td> + <td> Similar to no-ip-multicast, but for IPv6 </td> </tr> <tr> <td> clean-traffic </td> -- 2.28.0.97.gdc04167d37
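Review bot: in the formatnwfilter.html.in hunk that changes the IPV6 variable row from "Not currently implemented" to "The list of IPV6 addresses in use by an interface", nothing in this series (only XML examples and docs, per the diffstat) adds IPv6 address learning, so the row should say whether the variable is populated automatically or must be supplied in the filter reference the way DHCPSERVER is; the no-ipv6-spoofing filter added in patch 2 is unusable without that information.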
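Review bot: in the filter table hunk, the touched no-ip-spoofing row still reads "Prevent a VM from sending of IPv4 packets", which should be "from sending IPv4 packets", and "a source IP address different from the one in the packet" is circular; since the filter compares the source against the addresses assigned to the VM, say so. The new allow-dhcpv6-server row says only "Similar to allow-dhcp-server, but for DHCPv6", while the allow-dhcp-server row above it requires "the dotted decimal IP address of the DHCP server" in DHCPSERVER; the DHCPv6 row should state that DHCPSERVER takes an IPv6 address here. Likewise the no-ipv6-spoofing and no-ipv6-multicast rows could carry one clause each on the IPV6 variable dependency and the effect on neighbour discovery, since those are the points where the IPv6 filters differ from the IPv4 ones they are described as "similar to".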

On a Thursday in 2020, Aleksandr Alekseev wrote:
Add nwfilter examples for ipv6 similar to existing ip filters. Add appropriate docs for them and for some previously undocumented but existing filters. Also fix a typo and some formatting.

Aleksandr Alekseev (3):
  example: fix typo and formatting
  example: add ipv6 filters examples
  doc: document new filters and not documented ones

 docs/firewall.html.in                    |  9 ++++++
 docs/formatnwfilter.html.in              | 41 ++++++++++++++++++++++--
 src/nwfilter/xml/allow-dhcp-server.xml   |  4 +--
 src/nwfilter/xml/allow-dhcp.xml          |  4 +--
 src/nwfilter/xml/allow-dhcpv6-server.xml | 27 ++++++++++++++++
 src/nwfilter/xml/allow-dhcpv6.xml        | 24 ++++++++++++++
 src/nwfilter/xml/allow-incoming-ipv6.xml |  3 ++
 src/nwfilter/xml/allow-ipv6.xml          |  3 ++
 src/nwfilter/xml/meson.build             |  6 ++++
 src/nwfilter/xml/no-ipv6-multicast.xml   |  9 ++++++
 src/nwfilter/xml/no-ipv6-spoofing.xml    | 15 +++++++++
 11 files changed, 138 insertions(+), 7 deletions(-)
 create mode 100644 src/nwfilter/xml/allow-dhcpv6-server.xml
 create mode 100644 src/nwfilter/xml/allow-dhcpv6.xml
 create mode 100644 src/nwfilter/xml/allow-incoming-ipv6.xml
 create mode 100644 src/nwfilter/xml/allow-ipv6.xml
 create mode 100644 src/nwfilter/xml/no-ipv6-multicast.xml
 create mode 100644 src/nwfilter/xml/no-ipv6-spoofing.xml
Reviewed-by: Ján Tomko <jtomko@redhat.com>

and pushed.

Jano