1
0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-22 17:34:18 +03:00

Add some examples filters

This patch adds some example filters to libvirt. They are automatically
installed into the proper directory for libvirt to pick them up.
This commit is contained in:
Stefan Berger 2010-03-25 13:46:13 -04:00 committed by Daniel P. Berrange
parent 1130085cf0
commit e3a7137ac2
15 changed files with 170 additions and 2 deletions

View File

@ -5,7 +5,8 @@ GENHTML = genhtml
SUBDIRS = gnulib/lib include src daemon tools proxy docs gnulib/tests \
python tests po examples/domain-events/events-c examples/hellolibvirt \
examples/dominfo examples/domsuspend examples/python examples/apparmor
examples/dominfo examples/domsuspend examples/python examples/apparmor \
examples/xml/nwfilter
ACLOCAL_AMFLAGS = -I m4 -I gnulib/m4

View File

@ -1987,7 +1987,8 @@ AC_OUTPUT(Makefile src/Makefile include/Makefile docs/Makefile \
examples/domsuspend/Makefile \
examples/dominfo/Makefile \
examples/python/Makefile \
examples/hellolibvirt/Makefile)
examples/hellolibvirt/Makefile \
examples/xml/nwfilter/Makefile)
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Configuration summary])

View File

@ -0,0 +1,30 @@
FILTERS = \
allow-arp.xml \
allow-dhcp-server.xml \
allow-dhcp.xml \
allow-incoming-ipv4.xml \
allow-ipv4.xml \
clean-traffic.xml \
no-arp-spoofing.xml \
no-ip-multicast.xml \
no-ip-spoofing.xml \
no-mac-broadcast.xml \
no-mac-spoofing.xml \
no-other-l2-traffic.xml
confdir = $(sysconfdir)/libvirt
NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
install-data-local:
$(MKDIR_P) "$(NWFILTER_DIR)"
for f in $(FILTERS); do \
$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
done
uninstall-local::
for f in $(FILTERS); do \
rm -f "$(NWFILTER_DIR)/$$f"; \
done
-test -z $(shell ls $(NWFILTER_DIR)) || rmdir $(NWFILTER_DIR)

View File

@ -0,0 +1,3 @@
<filter name='allow-arp' chain='arp'>
<rule direction='inout' action='accept'/>
</filter>

View File

@ -0,0 +1,24 @@
<filter name='allow-dhcp-server' chain='ipv4'>
<!-- accept outgoing DHCP requests -->
<!-- note, this rule must be evaluated before general MAC broadcast
traffic is discarded since DHCP requests use MAC broadcast -->
<rule action='accept' direction='out' priority='100'>
<ip srcipaddr='0.0.0.0'
dstipaddr='255.255.255.255'
protocol='udp'
srcportstart='68'
dstportstart='67' />
</rule>
<!-- accept incoming DHCP responses from a specific DHCP server
parameter DHPCSERVER needs to be passed from where this filter is
referenced -->
<rule action='accept' direction='in' priority='100' >
<ip srcipaddr='$DHCPSERVER'
protocol='udp'
srcportstart='67'
dstportstart='68'/>
</rule>
</filter>

View File

@ -0,0 +1,21 @@
<filter name='allow-dhcp' chain='ipv4'>
<!-- accept outgoing DHCP requests -->
<!-- not, this rule must be evaluated before general MAC broadcast
traffic is discarded since DHCP requests use MAC broadcast -->
<rule action='accept' direction='out' priority='100'>
<ip srcipaddr='0.0.0.0'
dstipaddr='255.255.255.255'
protocol='udp'
srcportstart='68'
dstportstart='67' />
</rule>
<!-- accept incoming DHCP responses from any DHCP server -->
<rule action='accept' direction='in' priority='100' >
<ip protocol='udp'
srcportstart='67'
dstportstart='68'/>
</rule>
</filter>

View File

@ -0,0 +1,3 @@
<filter name='allow-incoming-ipv4' chain='ipv4'>
<rule direction='in' action='accept'/>
</filter>

View File

@ -0,0 +1,3 @@
<filter name='allow-ipv4' chain='ipv4'>
<rule direction='inout' action='accept'/>
</filter>

View File

@ -0,0 +1,17 @@
<filter name='clean-traffic'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
<filterref filter='no-ip-spoofing'/>
<filterref filter='allow-incoming-ipv4'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- preventing any other traffic than IPv4 and ARP -->
<filterref filter='no-other-l2-traffic'/>
</filter>

View File

@ -0,0 +1,29 @@
<filter name='no-arp-spoofing' chain='arp'>
<uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
<!-- no arp spoofing -->
<!-- drop if ipaddr or macaddr does not belong to guest -->
<rule action='drop' direction='out' priority='400' >
<arp match='no' arpsrcmacaddr='$MAC'/>
</rule>
<rule action='drop' direction='out' priority='400' >
<arp match='no' arpsrcipaddr='$IP' />
</rule>
<!-- drop if ipaddr or macaddr odes not belong to guest -->
<rule action='drop' direction='in' priority='400' >
<arp match='no' arpdstmacaddr='$MAC'/>
<arp opcode='reply'/>
</rule>
<rule action='drop' direction='in' priority='400' >
<arp match='no' arpdstipaddr='$IP' />
</rule>
<!-- accept only request or reply packets -->
<rule action='accept' direction='inout' priority='500' >
<arp opcode='request'/>
</rule>
<rule action='accept' direction='inout' priority='500' >
<arp opcode='reply'/>
</rule>
<!-- drop everything else -->
<rule action='drop' direction='inout' priority='1000' />
</filter>

View File

@ -0,0 +1,9 @@
<filter name='no-ip-multicast' chain='ipv4'>
<!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
<rule action='drop' direction='out'>
<ip dstipaddr='224.0.0.0' dstipmask='4' />
</rule>
<!-- not doing anything with receiving side ... -->
</filter>

View File

@ -0,0 +1,7 @@
<filter name='no-ip-spoofing' chain='ipv4'>
<!-- drop if srcipaddr is not the IP address of the guest -->
<rule action='drop' direction='out'>
<ip match='no' srcipaddr='$IP' />
</rule>
</filter>

View File

@ -0,0 +1,8 @@
<filter name='no-mac-broadcast' chain='ipv4'>
<!-- drop if destination mac is bcast mac addr. -->
<rule action='drop' direction='out'>
<mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
</rule>
<!-- not doing anything with receiving side ... -->
</filter>

View File

@ -0,0 +1,5 @@
<filter name='no-mac-spoofing' chain='ipv4'>
<rule action='drop' direction='out' priority='10'>
<mac match='no' srcmacaddr='$MAC' />
</rule>
</filter>

View File

@ -0,0 +1,7 @@
<filter name='no-other-l2-traffic'>
<!-- drop all other l2 traffic than for which rules have been
written for; i.e., drop all other than arp and ipv4 traffic -->
<rule action='drop' direction='inout' priority='1000'/>
</filter>