[libvirt] [libvirt PATCHv3 03/10] reverse sense of address matching

Stefan Berger stefanb at linux.vnet.ibm.com
Tue Oct 25 19:01:05 UTC 2011


On 10/12/2011 03:50 PM, David L Stevens wrote:
> [...]
>
> diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
> index 23fd753..84aaa3c 100644
> --- a/examples/xml/nwfilter/Makefile.am
> +++ b/examples/xml/nwfilter/Makefile.am
> @@ -3,12 +3,16 @@
>
>   FILTERS = \
>   	allow-arp.xml \
> +	allow-arpip.xml \
> +	allow-arpmac.xml \
>   	allow-dhcp-server.xml \
>   	allow-dhcp.xml \
>   	allow-incoming-ipv4.xml \
>   	allow-ipv4.xml \
>   	clean-traffic.xml \
>   	no-arp-spoofing.xml \
> +	no-arpmac-spoofing.xml \
> +	no-arpip-spoofing.xml \
>   	no-ip-multicast.xml \
>   	no-ip-spoofing.xml \
>   	no-mac-broadcast.xml \
> diff --git a/examples/xml/nwfilter/allow-arp.xml b/examples/xml/nwfilter/allow-arp.xml
> index 63a92b2..6271ae4 100644
> --- a/examples/xml/nwfilter/allow-arp.xml
> +++ b/examples/xml/nwfilter/allow-arp.xml
> @@ -1,3 +1,4 @@
> -<filter name='allow-arp' chain='arp'>
> -<rule direction='inout' action='accept'/>
> +<filter name='allow-arp' chain='arpmac'>
> +<filterref filter='allow-arpmac.xml'/>
> +<filterref filter='allow-arpip.xml'/>
>   </filter>
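Review bot: The two filterref names on the new side carry a `.xml` suffix (`allow-arpmac.xml`, `allow-arpip.xml`) while the filters this series defines are named `allow-arpmac` and `allow-arpip` in their `name=` attributes, and every other filterref in the patch uses the bare filter name (`no-arpmac-spoofing`, `qemu-announce-self`); as written these references do not appear to resolve to the new filters. Change them to `<filterref filter='allow-arpmac'/>` and `<filterref filter='allow-arpip'/>`. The wrapper also keeps `chain='arpmac'` although it now contains only references, one of which targets an `arpip`-chain filter; if the chain attribute is meaningful on a reference-only filter, consider dropping it as the rewritten `no-arp-spoofing` does.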
So the intention here was to remove the 'arp' chain. With it staying now 
I suppose this patch and the allow-arpmac and allow-arpip aren't needed.
> diff --git a/examples/xml/nwfilter/allow-arpip.xml b/examples/xml/nwfilter/allow-arpip.xml
> new file mode 100644
> index 0000000..6ddb6fe
> --- /dev/null
> +++ b/examples/xml/nwfilter/allow-arpip.xml
> @@ -0,0 +1,3 @@
> +<filter name='allow-arpip' chain='arpip'>
> +<rule direction='inout' action='accept'/>
> +</filter>
Seems not necessary, following the above.
> diff --git a/examples/xml/nwfilter/allow-arpmac.xml b/examples/xml/nwfilter/allow-arpmac.xml
> new file mode 100644
> index 0000000..54f6714
> --- /dev/null
> +++ b/examples/xml/nwfilter/allow-arpmac.xml
> @@ -0,0 +1,3 @@
> +<filter name='allow-arpmac' chain='arpmac'>
> +<rule direction='inout' action='accept'/>
> +</filter>
Seems not necessary following above.
> diff --git a/examples/xml/nwfilter/clean-traffic.xml b/examples/xml/nwfilter/clean-traffic.xml
> index 40f0ecb..9cee799 100644
> --- a/examples/xml/nwfilter/clean-traffic.xml
> +++ b/examples/xml/nwfilter/clean-traffic.xml
> @@ -11,10 +11,10 @@
>      <!-- preventing ARP spoofing/poisoning -->
>      <filterref filter='no-arp-spoofing'/>
>
> -<!-- preventing any other traffic than IPv4 and ARP -->
> -<filterref filter='no-other-l2-traffic'/>
> -
>      <!-- allow qemu to send a self-announce upon migration end -->
>      <filterref filter='qemu-announce-self'/>
>
> +<!-- preventing any other traffic than IPv4 and ARP -->
> +<filterref filter='no-other-l2-traffic'/>
> +
>   </filter>
This reshuffling might make it more intuitive but isn't necessary.

In the meantime I took some of the hunks here and built a parallel set 
of filters (clean-traffic-new). I'll post that series soon. I am not 
sure whether we want to have a parallel set in the end, though.
> diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml
> index 3c83acd..1979b20 100644
> --- a/examples/xml/nwfilter/no-arp-spoofing.xml
> +++ b/examples/xml/nwfilter/no-arp-spoofing.xml
> @@ -1,17 +1,4 @@
> -<filter name='no-arp-spoofing' chain='arp'>
> -<uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
> -<rule action='drop' direction='out' priority='300'>
> -<mac match='no' srcmacaddr='$MAC'/>
> -</rule>
> -
> -<!-- no arp spoofing -->
> -<!-- drop if ipaddr or macaddr does not belong to guest -->
> -<rule action='drop' direction='out' priority='350'>
> -<arp match='no' arpsrcmacaddr='$MAC'/>
> -</rule>
> -<rule action='drop' direction='out' priority='400'>
> -<arp match='no' arpsrcipaddr='$IP' />
> -</rule>
> -<!-- allow everything else -->
> -<rule action='accept' direction='in' priority='425' />
> +<filter name='no-arp-spoofing'>
> +<filterref filter='no-arpmac-spoofing' />
> +<filterref filter='no-arpip-spoofing' />
>   </filter>
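Review bot: The rewrite removes the filter's `<uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>` line together with the rules; if anything refers to this filter by UUID, or if the UUID is what lets a redefinition update the existing filter in place, that is a behaviour change not mentioned in the patch, so keep the `<uuid>` element unless its removal is deliberate. The old priority-300 rule dropping frames whose Ethernet source MAC is not `$MAC` also has no counterpart in the two new sub-filters, which inspect only the ARP sender hardware address; that check now seems to rely on `no-mac-spoofing` (mac chain) being included alongside. State that dependency in the file, e.g. `<!-- Ethernet source MAC is enforced by no-mac-spoofing; the filters below check the ARP payload only -->`.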
> diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml b/examples/xml/nwfilter/no-arpip-spoofing.xml
> new file mode 100644
> index 0000000..ee42d40
> --- /dev/null
> +++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
> @@ -0,0 +1,12 @@
> +<filter name='no-arpip-spoofing' chain='arpip'>
> +<!-- no arp spoofing -->
> +<!-- drop if ipaddr does not belong to guest -->
> +<rule action='return' direction='out' priority='400'>
> +<arp match='yes' arpsrcipaddr='$IP' />
> +</rule>
> +<rule action='return' direction='out' priority='410'>
> +<arp match='yes' arpsrcipaddr='0.0.0.0' />
> +</rule>
Under what circumstances is the stack allowed to send a 0.0.0.0 as a 
response to an ARP request (presumably)? From what I see 0.0.0.0 could 
be any machine whose interface is not configured. At least when using 
DHCP the VM would broadcast the request without prior sending of an ARP 
request (of course), and from what I remember the DHCP server then sends 
the response back to the MAC address it has received the request from, 
also without an ARP request.
> +<!-- drop everything else -->
> +<rule action='drop' direction='out' priority='1000' />
> +</filter>
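Review bot: The comment `<!-- drop if ipaddr does not belong to guest -->` above the priority-400 rule still describes the old sense of the match, but the rule beneath it is now `action='return'` on a positive match; the dropping is done by the catch-all at priority 1000. Reword it to `<!-- return (let the frame continue) when the ARP sender IP is one of the guest's; anything else falls through to the drop below -->` so the reversed logic is visible at the rule it annotates. `match='yes'` is presumably the default and could be omitted for brevity, as the `<mac protocolid=…/>` rules elsewhere in the series do.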
> diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml b/examples/xml/nwfilter/no-arpmac-spoofing.xml
> new file mode 100644
> index 0000000..90499d3
> --- /dev/null
> +++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
> @@ -0,0 +1,7 @@
> +<filter name='no-arpmac-spoofing' chain='arpmac'>
> +<rule action='return' direction='out' priority='350'>
> +<arp match='yes' arpsrcmacaddr='$MAC'/>
> +</rule>
> +<!-- drop everything else -->
> +<rule action='drop' direction='out' priority='1000' />
> +</filter>
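Review bot: The new filter has no explanatory comment, unlike its sibling `no-arpip-spoofing`, and it only compares the ARP header's sender hardware address (`arpsrcmacaddr`) with `$MAC`; a frame whose Ethernet source address differs from its ARP sender address is not caught here, so the Ethernet-level check presumably lives in `no-mac-spoofing` (mac chain) on the new side. Add a header comment making that dependency explicit, e.g. `<!-- return when the ARP sender hardware address is the guest's MAC; the Ethernet source MAC itself is checked in no-mac-spoofing -->`.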
> diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml
> index b8c94c8..84e8a5e 100644
> --- a/examples/xml/nwfilter/no-ip-spoofing.xml
> +++ b/examples/xml/nwfilter/no-ip-spoofing.xml
> @@ -1,7 +1,9 @@
>   <filter name='no-ip-spoofing' chain='ipv4'>
>
>       <!-- drop if srcipaddr is not the IP address of the guest -->
> -<rule action='drop' direction='out'>
> -<ip match='no' srcipaddr='$IP' />
> +<rule action='return' direction='out'>
> +<ip match='yes' srcipaddr='$IP' />
>       </rule>
> +<!-- drop any that don't match the source IP list -->
> +<rule action='drop' direction='out' />
>   </filter>
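Review bot: The `return` rule and the new catch-all `drop` rule carry no priority, so their relative order depends on the default priority and on document order being honoured for equal priorities; the other filters rewritten in this series pin it explicitly (`priority='350'` for the return, `priority='1000'` for the drop in no-mac-spoofing and no-arpmac-spoofing). Use the same scheme here: `<rule action='return' direction='out' priority='350'>` and `<rule action='drop' direction='out' priority='1000' />`. The retained comment `<!-- drop if srcipaddr is not the IP address of the guest -->` now sits above a return rule and should say instead that a matching source IP lets the packet continue while the drop below catches the rest.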
> diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml b/examples/xml/nwfilter/no-mac-spoofing.xml
> index f210623..aee56c7 100644
> --- a/examples/xml/nwfilter/no-mac-spoofing.xml
> +++ b/examples/xml/nwfilter/no-mac-spoofing.xml
> @@ -1,5 +1,9 @@
> -<filter name='no-mac-spoofing' chain='ipv4'>
> -<rule action='drop' direction='out' priority='10'>
> -<mac match='no' srcmacaddr='$MAC' />
> -</rule>
> +<filter name='no-mac-spoofing' chain='mac'>
> +<!-- no mac spoofing -->
> +<!-- drop if macaddr does not belong to guest -->
> +<rule action='return' direction='out' priority='350'>
> +<mac match='yes' srcmacaddr='$MAC'/>
> +</rule>
> +<!-- drop everything else -->
> +<rule action='drop' direction='out' priority='1000' />
>   </filter>
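Review bot: The comment `<!-- drop if macaddr does not belong to guest -->` at the top of the new file contradicts the rule directly beneath it, which is `action='return'` for frames that do match `$MAC`; the drop is the priority-1000 rule at the end. Reword it to `<!-- return when the source MAC is the guest's; the drop at priority 1000 below catches everything else -->`. The move from `chain='ipv4'` to `chain='mac'` presumably widens the check from IPv4 frames to all frames, which looks intended but deserves a line in the commit message.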
> diff --git a/examples/xml/nwfilter/no-other-l2-traffic.xml b/examples/xml/nwfilter/no-other-l2-traffic.xml
> index 8bad86e..0501b1a 100644
> --- a/examples/xml/nwfilter/no-other-l2-traffic.xml
> +++ b/examples/xml/nwfilter/no-other-l2-traffic.xml
> @@ -1,7 +1,12 @@
> -<filter name='no-other-l2-traffic'>
> +<filter name='no-other-l2-traffic' chain='root'>
>
> -<!-- drop all other l2 traffic than for which rules have been
> -         written for; i.e., drop all other than arp and ipv4 traffic -->
> -<rule action='drop' direction='inout' priority='1000'/>
> +<!-- drop all other than arp and ipv4 traffic -->
> +<rule action='accept' direction='inout'>
> +<mac protocolid='0x800' />
> +</rule>
> +<rule action='accept' direction='inout'>
> +<mac protocolid='0x806' />
> +</rule>
> +<rule action='drop' direction='inout' priority='1000' />
>
With the pending patches, this one looks a little different now.

    Stefan



