Backlog #1372

provide a no-ip-spoofing mechanism for the firewall network drivers

Added by Jaime Melis over 7 years ago. Updated over 4 years ago.

Status: Closed
Start date: 07/17/2012
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Drivers - Network
Target version: -

Description

As requested by Ricardo Duarte in the mailing list, there should be a mechanism to provide a no-ip-spoofing mechanism in the firewall network drivers.

History

#1 Updated by Jaime Melis over 7 years ago

Committed a first version of the no-ip-spoofing script in Firewall.rb. Still to undergo testing and to be documented.

#2 Updated by Jaime Melis over 7 years ago

The chain names have changed, which will impact the deactivate script for running VMs with the previous chain names. This has to be fixed.

#3 Updated by jordan pittier over 7 years ago

For what it's worth, here are the ebtables rules that libvirt's network filter named "clean-traffic" sets up. It prevents both IP and ARP spoofing.

I agree that adding these rules in firewall.rb would benefit all supported hypervisors (currently only KVM, thanks to libvirt, can perform proper network isolation by default; see the last line of etc/vmm_exec/vmm_exec_kvm.conf).

root@csdd7:/home/oneadmin# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4-ip
-p IPv4 -j ACCEPT
-p ARP -j I-vnet0-arp-mac
-p ARP -j I-vnet0-arp-ip
-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p ARP -j ACCEPT
-p 0x8035 -j O-vnet0-rarp
-j DROP

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:0:5:fa -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 88.190.214.XX -j RETURN
-j DROP

Bridge chain: O-vnet0-ipv4, entries: 1, policy: ACCEPT
-j ACCEPT

Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src 52:54:0:0:5:fa -j RETURN
-j DROP

Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 88.190.214.XX -j RETURN
-j DROP

Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -s 52:54:0:0:5:fa -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:0:5:fa --arp-mac-dst 52:54:0:0:5:fa -j ACCEPT
-j DROP

Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:0:5:fa --arp-mac-dst 52:54:0:0:5:fa -j ACCEPT
-j DROP
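To show how a hypervisor-independent driver could reproduce the shape of this listing (MAC check, then IPv4-source and ARP-sender checks, default deny), here is an added Ruby example; it is not OpenNebula's Firewall.rb, and the chain names, helper names and the sample address 10.0.0.5 are this example's own choices.

```ruby
# Added example, not OpenNebula's Firewall.rb: generate an ebtables rule set
# with the same shape as libvirt's "clean-traffic" listing above (MAC check,
# then IPv4-source and ARP-sender checks), for one VM tap interface. Chain
# names and helper names are this example's own choices.
require 'ipaddr'

MAC_RE = /\A([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}\z/i

# Returns ebtables invocations as argument arrays (nothing is re-parsed by a
# shell). A malformed MAC or IP raises, so a bad VM template cannot yield a
# rule that silently matches too much.
def antispoof_rules(iface, mac, ip)
  raise ArgumentError, "bad MAC #{mac}" unless mac =~ MAC_RE
  raise ArgumentError, "bad IPv4 #{ip}" unless IPAddr.new(ip).ipv4?
  chain = "I-#{iface}"
  cmds = []
  eb = ->(*args) { cmds << ['ebtables', '-t', 'nat', *args] }

  # Default-deny chains: a frame matching no ACCEPT rule is dropped, which
  # also covers IPv6, RARP and anything else not explicitly allowed.
  [chain, "#{chain}-ipv4", "#{chain}-arp"].each do |c|
    eb.call('-N', c)
    eb.call('-P', c, 'DROP')
  end
  # Frames entering the bridge from the tap are steered into the VM's chain.
  eb.call('-A', 'PREROUTING', '-i', iface, '-j', chain)
  # 1) Source MAC must be the VM's; other MACs fall through to the DROP policy.
  eb.call('-A', chain, '-s', mac, '-p', 'IPv4', '-j', "#{chain}-ipv4")
  eb.call('-A', chain, '-s', mac, '-p', 'ARP', '-j', "#{chain}-arp")
  # 2) IPv4 source must be the assigned address, or 0.0.0.0 over UDP so the VM
  #    can still send DHCP DISCOVER before it has an address.
  eb.call('-A', "#{chain}-ipv4", '-p', 'IPv4', '--ip-src', '0.0.0.0', '--ip-proto', 'udp', '-j', 'ACCEPT')
  eb.call('-A', "#{chain}-ipv4", '-p', 'IPv4', '--ip-src', ip, '-j', 'ACCEPT')
  # 3) ARP sender MAC and sender IP must both be the VM's own (as in the
  #    listing, ARP probes with sender IP 0.0.0.0 are not allowed).
  eb.call('-A', "#{chain}-arp", '-p', 'ARP', '--arp-mac-src', mac, '--arp-ip-src', ip, '-j', 'ACCEPT')
  cmds
end

# Undo step for the deactivate path. Chain names derive from the interface
# only, so a later rule change can still find and remove them (comment #2
# above describes the problem when names change under running VMs).
def antispoof_teardown(iface)
  chain = "I-#{iface}"
  cmds = [['ebtables', '-t', 'nat', '-D', 'PREROUTING', '-i', iface, '-j', chain]]
  [chain, "#{chain}-ipv4", "#{chain}-arp"].each do |c|
    cmds << ['ebtables', '-t', 'nat', '-F', c] << ['ebtables', '-t', 'nat', '-X', c]
  end
  cmds
end
```

Each returned array can be handed to `system(*cmd)` on the host; the teardown list should be run in the order given so the PREROUTING jump goes before the chains it targets are flushed and deleted.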

#4 Updated by Ruben S. Montero over 7 years ago

And in fact it is supported with the filter option:

 NIC  = [ NETWORK ="MyVLAN", filter = "clean-traffic" ]

#5 Updated by jordan pittier over 7 years ago

Yeah, you're right. But it's KVM specific and it would be great if firewall.rb could be updated so that this kind of filtering is supported on all platforms.

#6 Updated by Ruben S. Montero about 7 years ago

  • Status changed from New to Assigned

#7 Updated by Ruben S. Montero about 7 years ago

  • Target version changed from Release 3.8 to Release 4.0

#8 Updated by Artur Kraev almost 7 years ago

Unfortunately this method (as well as KVM's clean-traffic) is not working with Open vSwitch.

#9 Updated by Ruben S. Montero over 6 years ago

  • Target version changed from Release 4.0 to Release 4.2

#10 Updated by Ruben S. Montero over 6 years ago

  • Category changed from Drivers - Auth to Drivers - Network

#11 Updated by Ruben S. Montero over 6 years ago

  • Tracker changed from Feature to Backlog
  • Status changed from Assigned to Pending
  • Assignee deleted (Jaime Melis)
  • Target version deleted (Release 4.2)

#12 Updated by Ruben S. Montero over 4 years ago

  • Status changed from Pending to Closed

In security groups features...
