Add some examples filters
This patch adds some example filters to libvirt. They are automatically installed into the proper directory for libvirt to pick them up.
parent
1130085cf0
commit
e3a7137ac2
@ -5,7 +5,8 @@ GENHTML = genhtml
|
||||
|
||||
SUBDIRS = gnulib/lib include src daemon tools proxy docs gnulib/tests \
|
||||
python tests po examples/domain-events/events-c examples/hellolibvirt \
|
||||
examples/dominfo examples/domsuspend examples/python examples/apparmor
|
||||
examples/dominfo examples/domsuspend examples/python examples/apparmor \
|
||||
examples/xml/nwfilter
|
||||
|
||||
ACLOCAL_AMFLAGS = -I m4 -I gnulib/m4
|
||||
|
||||
|
@ -1987,7 +1987,8 @@ AC_OUTPUT(Makefile src/Makefile include/Makefile docs/Makefile \
|
||||
examples/domsuspend/Makefile \
|
||||
examples/dominfo/Makefile \
|
||||
examples/python/Makefile \
|
||||
examples/hellolibvirt/Makefile)
|
||||
examples/hellolibvirt/Makefile \
|
||||
examples/xml/nwfilter/Makefile)
|
||||
|
||||
AC_MSG_NOTICE([])
|
||||
AC_MSG_NOTICE([Configuration summary])
|
||||
|
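--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -0,0 +1,30 @@
+
+FILTERS = \
+allow-arp.xml \
+allow-dhcp-server.xml \
+allow-dhcp.xml \
+allow-incoming-ipv4.xml \
+allow-ipv4.xml \
+clean-traffic.xml \
+no-arp-spoofing.xml \
+no-ip-multicast.xml \
+no-ip-spoofing.xml \
+no-mac-broadcast.xml \
+no-mac-spoofing.xml \
+no-other-l2-traffic.xml
+
+confdir = $(sysconfdir)/libvirt
+
+NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
+
+install-data-local:
+$(MKDIR_P) "$(NWFILTER_DIR)"
+for f in $(FILTERS); do \
+$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
+done
+
+uninstall-local::
+for f in $(FILTERS); do \
+rm -f "$(NWFILTER_DIR)/$$f"; \
+done
+-test -z $(shell ls $(NWFILTER_DIR)) || rmdir $(NWFILTER_DIR)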
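Review bot: In install-data-local, `$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"` looks for each filter relative to the build directory, so an out-of-tree (VPATH) build will not find the XML sources; it should be `$(INSTALL_DATA) $(srcdir)/$$f "$(NWFILTER_DIR)"`. The final uninstall-local line `-test -z $(shell ls $(NWFILTER_DIR)) || rmdir $(NWFILTER_DIR)` runs `ls` through make's `$(shell)` when the recipe is expanded, i.e. before the `rm -f` loop has emptied the directory, and an unquoted multi-file listing makes `test` fail with "too many arguments", both masked by the leading `-`; `-rmdir "$(NWFILTER_DIR)"` does the intended cleanup at shell time because rmdir only removes an empty directory. The filters are not listed in any automake variable, so `make dist` will not ship them; add `EXTRA_DIST = $(FILTERS)`. `confdir` is assigned but never used. Declaring `nwfilterdir = $(sysconfdir)/libvirt/nwfilter` and `nwfilter_DATA = $(FILTERS)` would let automake generate the install, uninstall and dist rules and make the hand-written targets unnecessary.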
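--- a/examples/xml/nwfilter/allow-arp.xml
+++ b/examples/xml/nwfilter/allow-arp.xml
@@ -0,0 +1,3 @@
+<filter name='allow-arp' chain='arp'>
+<rule direction='inout' action='accept'/>
+</filter>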
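--- a/examples/xml/nwfilter/allow-dhcp-server.xml
+++ b/examples/xml/nwfilter/allow-dhcp-server.xml
@@ -0,0 +1,24 @@
+<filter name='allow-dhcp-server' chain='ipv4'>
+
+<!-- accept outgoing DHCP requests -->
+<!-- note, this rule must be evaluated before general MAC broadcast
+traffic is discarded since DHCP requests use MAC broadcast -->
+<rule action='accept' direction='out' priority='100'>
+<ip srcipaddr='0.0.0.0'
+dstipaddr='255.255.255.255'
+protocol='udp'
+srcportstart='68'
+dstportstart='67' />
+</rule>
+
+<!-- accept incoming DHCP responses from a specific DHCP server
+parameter DHPCSERVER needs to be passed from where this filter is
+referenced -->
+<rule action='accept' direction='in' priority='100' >
+<ip srcipaddr='$DHCPSERVER'
+protocol='udp'
+srcportstart='67'
+dstportstart='68'/>
+</rule>
+
+</filter>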
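Review bot: The comment above the incoming rule names the parameter `DHPCSERVER`, while the rule itself reads `$DHCPSERVER`; since a user has to supply this variable where the filter is referenced, the comment should read `parameter DHCPSERVER needs to be passed from where this filter is referenced`. The comment on the outgoing rule says it must be evaluated before general MAC broadcast traffic is discarded, yet the drop rule in no-mac-broadcast.xml in this same commit carries no priority attribute, so whether priority='100' actually orders ahead of it depends on the default priority — worth stating that assumption explicitly in the comment.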
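--- a/examples/xml/nwfilter/allow-dhcp.xml
+++ b/examples/xml/nwfilter/allow-dhcp.xml
@@ -0,0 +1,21 @@
+<filter name='allow-dhcp' chain='ipv4'>
+
+<!-- accept outgoing DHCP requests -->
+<!-- not, this rule must be evaluated before general MAC broadcast
+traffic is discarded since DHCP requests use MAC broadcast -->
+<rule action='accept' direction='out' priority='100'>
+<ip srcipaddr='0.0.0.0'
+dstipaddr='255.255.255.255'
+protocol='udp'
+srcportstart='68'
+dstportstart='67' />
+</rule>
+
+<!-- accept incoming DHCP responses from any DHCP server -->
+<rule action='accept' direction='in' priority='100' >
+<ip protocol='udp'
+srcportstart='67'
+dstportstart='68'/>
+</rule>
+
+</filter>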
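Review bot: The comment `<!-- not, this rule must be evaluated before general MAC broadcast` has a typo and should read `note, this rule must be evaluated before general MAC broadcast`. The incoming rule accepts UDP 67→68 from any source address, as its comment says, which means this filter does not shield a guest from a rogue DHCP server on the same segment; a one-line comment pointing users who can pin the server to allow-dhcp-server.xml (which takes a $DHCPSERVER parameter) would help them pick the stricter filter.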
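--- a/examples/xml/nwfilter/allow-incoming-ipv4.xml
+++ b/examples/xml/nwfilter/allow-incoming-ipv4.xml
@@ -0,0 +1,3 @@
+<filter name='allow-incoming-ipv4' chain='ipv4'>
+<rule direction='in' action='accept'/>
+</filter>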
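--- a/examples/xml/nwfilter/allow-ipv4.xml
+++ b/examples/xml/nwfilter/allow-ipv4.xml
@@ -0,0 +1,3 @@
+<filter name='allow-ipv4' chain='ipv4'>
+<rule direction='inout' action='accept'/>
+</filter>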
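--- a/examples/xml/nwfilter/clean-traffic.xml
+++ b/examples/xml/nwfilter/clean-traffic.xml
@@ -0,0 +1,17 @@
+<filter name='clean-traffic'>
+<!-- An example of a traffic filter enforcing clean traffic
+from a VM by
+- preventing MAC spoofing -->
+<filterref filter='no-mac-spoofing'/>
+
+<!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+<filterref filter='no-ip-spoofing'/>
+<filterref filter='allow-incoming-ipv4'/>
+
+<!-- preventing ARP spoofing/poisoning -->
+<filterref filter='no-arp-spoofing'/>
+
+<!-- preventing any other traffic than IPv4 and ARP -->
+<filterref filter='no-other-l2-traffic'/>
+
+</filter>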
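Review bot: The header comment does not mention that the referenced no-mac-spoofing, no-ip-spoofing and no-arp-spoofing filters match against the `$MAC` and `$IP` variables, so anyone referencing clean-traffic needs those values available for the spoofing checks to mean anything; a line such as `<!-- the referenced filters rely on the MAC and IP variables of the interface -->` at the top would make that visible. Also, no-ip-spoofing drops outgoing packets whose source is not $IP, which presumably catches DHCP requests sent from 0.0.0.0 (the case allow-dhcp.xml's outgoing rule exists for) — if guests using clean-traffic are expected to obtain an address via DHCP, the comment should say how that is meant to work, and if not, say that the IP is expected to be static.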
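--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -0,0 +1,29 @@
+<filter name='no-arp-spoofing' chain='arp'>
+<uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
+
+<!-- no arp spoofing -->
+<!-- drop if ipaddr or macaddr does not belong to guest -->
+<rule action='drop' direction='out' priority='400' >
+<arp match='no' arpsrcmacaddr='$MAC'/>
+</rule>
+<rule action='drop' direction='out' priority='400' >
+<arp match='no' arpsrcipaddr='$IP' />
+</rule>
+<!-- drop if ipaddr or macaddr odes not belong to guest -->
+<rule action='drop' direction='in' priority='400' >
+<arp match='no' arpdstmacaddr='$MAC'/>
+<arp opcode='reply'/>
+</rule>
+<rule action='drop' direction='in' priority='400' >
+<arp match='no' arpdstipaddr='$IP' />
+</rule>
+<!-- accept only request or reply packets -->
+<rule action='accept' direction='inout' priority='500' >
+<arp opcode='request'/>
+</rule>
+<rule action='accept' direction='inout' priority='500' >
+<arp opcode='reply'/>
+</rule>
+<!-- drop everything else -->
+<rule action='drop' direction='inout' priority='1000' />
+</filter>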
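Review bot: The comment on the incoming rules reads `drop if ipaddr or macaddr odes not belong to guest` and should say `does not belong to guest`. The first incoming rule pairs `<arp match='no' arpdstmacaddr='$MAC'/>` with a second `<arp opcode='reply'/>` element inside one rule, unlike every other rule in the file (and unlike its outgoing counterpart, which has a single element), so the intent — presumably that only reply packets addressed to a foreign MAC are dropped, leaving broadcast requests alone — should be stated in the comment rather than left for the reader to infer. This is also the only example in the commit that carries a fixed `<uuid>`; if that is deliberate, a short comment explaining why would help, otherwise it should be dropped for consistency with the other filters.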
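--- a/examples/xml/nwfilter/no-ip-multicast.xml
+++ b/examples/xml/nwfilter/no-ip-multicast.xml
@@ -0,0 +1,9 @@
+<filter name='no-ip-multicast' chain='ipv4'>
+
+<!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
+<rule action='drop' direction='out'>
+<ip dstipaddr='224.0.0.0' dstipmask='4' />
+</rule>
+
+<!-- not doing anything with receiving side ... -->
+</filter>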
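--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -0,0 +1,7 @@
+<filter name='no-ip-spoofing' chain='ipv4'>
+
+<!-- drop if srcipaddr is not the IP address of the guest -->
+<rule action='drop' direction='out'>
+<ip match='no' srcipaddr='$IP' />
+</rule>
+</filter>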
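--- a/examples/xml/nwfilter/no-mac-broadcast.xml
+++ b/examples/xml/nwfilter/no-mac-broadcast.xml
@@ -0,0 +1,8 @@
+<filter name='no-mac-broadcast' chain='ipv4'>
+<!-- drop if destination mac is bcast mac addr. -->
+<rule action='drop' direction='out'>
+<mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
+</rule>
+
+<!-- not doing anything with receiving side ... -->
+</filter>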
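--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -0,0 +1,5 @@
+<filter name='no-mac-spoofing' chain='ipv4'>
+<rule action='drop' direction='out' priority='10'>
+<mac match='no' srcmacaddr='$MAC' />
+</rule>
+</filter>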
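--- a/examples/xml/nwfilter/no-other-l2-traffic.xml
+++ b/examples/xml/nwfilter/no-other-l2-traffic.xml
@@ -0,0 +1,7 @@
+<filter name='no-other-l2-traffic'>
+
+<!-- drop all other l2 traffic than for which rules have been
+written for; i.e., drop all other than arp and ipv4 traffic -->
+<rule action='drop' direction='inout' priority='1000'/>
+
+</filter>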