	Add some examples filters
This patch adds some example filters to libvirt. They are automatically installed into the proper directory for libvirt to pick them up.
					committed by
					
						 Daniel P. Berrange
						Daniel P. Berrange
					
				
			
			
				
	
			
			
			
						parent
						
							1130085cf0
						
					
				
				
					commit
					e3a7137ac2
				
			
							
								
								
									
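--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -0,0 +1,30 @@
+
+FILTERS = \
+	allow-arp.xml \
+	allow-dhcp-server.xml \
+	allow-dhcp.xml \
+	allow-incoming-ipv4.xml \
+	allow-ipv4.xml \
+	clean-traffic.xml \
+	no-arp-spoofing.xml \
+	no-ip-multicast.xml \
+	no-ip-spoofing.xml \
+	no-mac-broadcast.xml \
+	no-mac-spoofing.xml \
+	no-other-l2-traffic.xml
+
+confdir = $(sysconfdir)/libvirt
+
+NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
+
+install-data-local:
+	$(MKDIR_P) "$(NWFILTER_DIR)"
+	for f in $(FILTERS); do \
+		$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
+	done
+
+uninstall-local::
+	for f in $(FILTERS); do \
+		rm -f "$(NWFILTER_DIR)/$$f"; \
+	done
+	-test -z $(shell ls $(NWFILTER_DIR)) || rmdir $(NWFILTER_DIR)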
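Review bot: The install loop at `$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"` resolves each filter name relative to the build directory, so a VPATH build (srcdir != builddir) will not find the XML files; it should read `$(INSTALL_DATA) $(srcdir)/$$f "$(NWFILTER_DIR)"`. Nothing marks the filters for distribution either, so a `make dist` tarball would omit them; add `EXTRA_DIST = $(FILTERS)` beside the FILTERS definition. The last uninstall line runs `$(shell ls ...)` at make-expansion time and hands an unquoted word list to `test -z`, which is a syntax error whenever more than one file is present and is only masked by the leading `-`; `-rmdir "$(NWFILTER_DIR)" 2>/dev/null` does the intended job without that surprise. Since these land in sysconfdir and are overwritten on every `make install`, a comment warning that local edits to the shipped filter names will be clobbered would help admins (and `confdir` is defined but never used).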
							
								
								
									
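--- a/examples/xml/nwfilter/allow-arp.xml
+++ b/examples/xml/nwfilter/allow-arp.xml
@@ -0,0 +1,3 @@
+<filter name='allow-arp' chain='arp'>
+  <rule direction='inout' action='accept'/>
+</filter>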
							
								
								
									
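--- a/examples/xml/nwfilter/allow-dhcp-server.xml
+++ b/examples/xml/nwfilter/allow-dhcp-server.xml
@@ -0,0 +1,24 @@
+<filter name='allow-dhcp-server' chain='ipv4'>
+
+    <!-- accept outgoing DHCP requests -->
+    <!-- note, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast -->
+    <rule action='accept' direction='out' priority='100'>
+        <ip srcipaddr='0.0.0.0'
+            dstipaddr='255.255.255.255'
+            protocol='udp'
+            srcportstart='68'
+            dstportstart='67' />
+    </rule>
+
+    <!-- accept incoming DHCP responses from a specific DHCP server
+         parameter DHPCSERVER needs to be passed from where this filter is
+         referenced -->
+    <rule action='accept' direction='in' priority='100' >
+        <ip srcipaddr='$DHCPSERVER'
+            protocol='udp'
+            srcportstart='67'
+            dstportstart='68'/>
+    </rule>
+
+</filter>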
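Review bot: The comment above the incoming rule names the parameter `DHPCSERVER`, but the rule reads `$DHCPSERVER`; fix the comment to `parameter DHCPSERVER needs to be passed from where this filter is referenced` so a reader does not wire up the wrong variable. The outgoing rule matches only `srcipaddr='0.0.0.0'`, which covers the initial DISCOVER/REQUEST but, if I read RFC 2131 correctly, not the unicast renewal a leased client sends from its own address, so a comment should say that renewals must be admitted by another rule (or this match relaxed). The incoming rule trusts the server by IP alone with no MAC constraint; a note that `$DHCPSERVER` does not stop a host on the same segment from spoofing that source address would help users choose between this filter and allow-dhcp.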
							
								
								
									
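--- a/examples/xml/nwfilter/allow-dhcp.xml
+++ b/examples/xml/nwfilter/allow-dhcp.xml
@@ -0,0 +1,21 @@
+<filter name='allow-dhcp' chain='ipv4'>
+
+    <!-- accept outgoing DHCP requests -->
+    <!-- not, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast -->
+    <rule action='accept' direction='out' priority='100'>
+        <ip srcipaddr='0.0.0.0'
+            dstipaddr='255.255.255.255'
+            protocol='udp'
+            srcportstart='68'
+            dstportstart='67' />
+    </rule>
+
+    <!-- accept incoming DHCP responses from any DHCP server -->
+    <rule action='accept' direction='in' priority='100' >
+        <ip protocol='udp'
+            srcportstart='67'
+            dstportstart='68'/>
+    </rule>
+
+</filter>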
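Review bot: The comment on the outgoing rule opens with `<!-- not, this rule must be evaluated ...`; it should be `note,`, as in allow-dhcp-server.xml. The incoming rule accepts UDP 67->68 from any source, which is exactly the rogue-DHCP-server case, so the comment would serve users better as `<!-- accept incoming DHCP responses from any DHCP server; use allow-dhcp-server with $DHCPSERVER to restrict this -->`. The outgoing rule is a byte-for-byte copy of the one in allow-dhcp-server.xml; a small shared filter referenced by both would keep the two from drifting apart.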
							
								
								
									
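--- a/examples/xml/nwfilter/allow-incoming-ipv4.xml
+++ b/examples/xml/nwfilter/allow-incoming-ipv4.xml
@@ -0,0 +1,3 @@
+<filter name='allow-incoming-ipv4' chain='ipv4'>
+  <rule direction='in' action='accept'/>
+</filter>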
							
								
								
									
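--- a/examples/xml/nwfilter/allow-ipv4.xml
+++ b/examples/xml/nwfilter/allow-ipv4.xml
@@ -0,0 +1,3 @@
+<filter name='allow-ipv4' chain='ipv4'>
+  <rule direction='inout' action='accept'/>
+</filter>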
							
								
								
									
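--- a/examples/xml/nwfilter/clean-traffic.xml
+++ b/examples/xml/nwfilter/clean-traffic.xml
@@ -0,0 +1,17 @@
+<filter name='clean-traffic'>
+   <!-- An example of a traffic filter enforcing clean traffic
+        from a VM by
+      - preventing MAC spoofing -->
+   <filterref filter='no-mac-spoofing'/>
+
+   <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+   <filterref filter='no-ip-spoofing'/>
+   <filterref filter='allow-incoming-ipv4'/>
+
+   <!-- preventing ARP spoofing/poisoning -->
+   <filterref filter='no-arp-spoofing'/>
+
+   <!-- preventing any other traffic than IPv4 and ARP -->
+   <filterref filter='no-other-l2-traffic'/>
+
+</filter>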
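Review bot: This composition references no-ip-spoofing but no DHCP filter, and no-ip-spoofing drops any outgoing IPv4 whose source is not `$IP`; allow-dhcp.xml's own rule shows DHCP requests leaving with `srcipaddr='0.0.0.0'`, so a guest behind clean-traffic cannot obtain a lease unless something outside these files admits that traffic. Either add `<filterref filter='allow-dhcp'/>` (its accept carries `priority='100'` while the drop has none, so it should win if unspecified priorities sort later, which is worth confirming) or state in the header comment that `$IP` must be statically assigned. The `preventing MAC spoofing` line also overstates what no-mac-spoofing delivers: that filter is bound to `chain='ipv4'`, so the Ethernet source MAC of ARP frames is not checked by it (no-arp-spoofing examines the ARP sender field only); I would qualify the comment to `preventing MAC spoofing on IPv4 frames`.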
							
								
								
									
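--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -0,0 +1,29 @@
+<filter name='no-arp-spoofing' chain='arp'>
+   <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
+
+   <!-- no arp spoofing -->
+   <!-- drop if ipaddr or macaddr does not belong to guest -->
+   <rule action='drop' direction='out' priority='400' >
+       <arp match='no' arpsrcmacaddr='$MAC'/>
+   </rule>
+   <rule action='drop' direction='out' priority='400' >
+       <arp match='no' arpsrcipaddr='$IP' />
+   </rule>
+   <!-- drop if ipaddr or macaddr odes not belong to guest -->
+   <rule action='drop' direction='in' priority='400' >
+       <arp match='no' arpdstmacaddr='$MAC'/>
+       <arp opcode='reply'/>
+   </rule>
+   <rule action='drop' direction='in' priority='400' >
+       <arp match='no' arpdstipaddr='$IP' />
+   </rule>
+   <!-- accept only request or reply packets -->
+   <rule action='accept' direction='inout' priority='500' >
+       <arp opcode='request'/>
+   </rule>
+   <rule action='accept' direction='inout' priority='500' >
+       <arp opcode='reply'/>
+   </rule>
+   <!-- drop everything else -->
+   <rule action='drop' direction='inout' priority='1000' />
+</filter>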
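Review bot: The incoming priority-400 drop rule holds two sibling `<arp>` elements, `match='no' arpdstmacaddr='$MAC'` and `opcode='reply'`, and the XML alone does not say whether they are ANDed or only one is honoured; the apparent intent is "reply AND target MAC != $MAC", and because `match='no'` negates its own element, merging the attributes into one element would change the meaning, so a comment such as `<!-- both elements must match: drop ARP replies whose target MAC is not ours -->` is needed to pin the semantics. The comment just above it has a typo, `odes` for `does`. This is also the only filter in the set that pins a `<uuid>`; if that is deliberate (a stable identity across redefinition) one line should say so, otherwise drop it for consistency with the other examples.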
							
								
								
									
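--- a/examples/xml/nwfilter/no-ip-multicast.xml
+++ b/examples/xml/nwfilter/no-ip-multicast.xml
@@ -0,0 +1,9 @@
+<filter name='no-ip-multicast' chain='ipv4'>
+
+    <!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
+    <rule action='drop' direction='out'>
+        <ip dstipaddr='224.0.0.0' dstipmask='4' />
+    </rule>
+
+    <!-- not doing anything with receiving side ... -->
+</filter>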
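Review bot: The outgoing drop on `dstipaddr='224.0.0.0' dstipmask='4'` covers the entire multicast range, including the link-local 224.0.0.0/24 block used by mDNS, VRRP and IGMP reports, and the comment does not say that this is intended; `<!-- also blocks link-local multicast (224.0.0.0/24): mDNS, VRRP, IGMP reports will be silently dropped -->` would spare admins a confusing service-discovery failure. The rule carries no `priority`, unlike most drops in this set, so it is worth stating where it is meant to sit relative to the allow-* filters rather than relying on the default.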
							
								
								
									
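--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -0,0 +1,7 @@
+<filter name='no-ip-spoofing' chain='ipv4'>
+
+    <!-- drop if srcipaddr is not the IP address of the guest -->
+    <rule action='drop' direction='out'>
+        <ip match='no' srcipaddr='$IP' />
+    </rule>
+</filter>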
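Review bot: The outgoing drop on `<ip match='no' srcipaddr='$IP'/>` also rejects the `0.0.0.0` source that allow-dhcp.xml shows DHCP requests use, so a guest without a lease cannot acquire one unless an accept with a lower priority number runs first; the file should say so, e.g. `<!-- also drops DHCP requests (src 0.0.0.0); reference allow-dhcp (priority 100) together with this filter if the guest uses DHCP -->`. The rule has no explicit `priority`, so its ordering against those accepts depends on the default; pinning it explicitly would make the intended ordering checkable. `$IP` is a required parameter, and a one-line comment naming where it is expected to come from would help people referencing this filter.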
							
								
								
									
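--- a/examples/xml/nwfilter/no-mac-broadcast.xml
+++ b/examples/xml/nwfilter/no-mac-broadcast.xml
@@ -0,0 +1,8 @@
+<filter name='no-mac-broadcast' chain='ipv4'>
+    <!-- drop if destination mac is bcast mac addr. -->
+    <rule action='drop' direction='out'>
+        <mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
+    </rule>
+
+    <!-- not doing anything with receiving side ... -->
+</filter>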
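Review bot: The filter is bound to `chain='ipv4'`, so despite its name it drops only IPv4 frames addressed to ff:ff:ff:ff:ff:ff and leaves ARP broadcasts alone (assuming the ipv4 chain sees only that ethertype); the comment should say so, e.g. `<!-- drop outgoing IPv4 frames whose destination MAC is the broadcast address; ARP is unaffected because this is the ipv4 chain -->`, since a reader may otherwise expect ARP to break. DHCP requests are IPv4 broadcasts, so this rule also drops them unless allow-dhcp's `priority='100'` accept runs first; that dependency is documented only in allow-dhcp.xml and deserves a line here too. An explicit `priority` on the rule would make that ordering checkable instead of implicit.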
							
								
								
									
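--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -0,0 +1,5 @@
+<filter name='no-mac-spoofing' chain='ipv4'>
+  <rule action='drop' direction='out' priority='10'>
+      <mac match='no' srcmacaddr='$MAC' />
+  </rule>
+</filter>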
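Review bot: Because the filter is bound to `chain='ipv4'`, the `<mac match='no' srcmacaddr='$MAC'/>` check applies only to IPv4 frames (assuming that chain is entered only for the IPv4 ethertype); ARP frames, and anything else, carrying a forged Ethernet source MAC pass this filter untouched, and no-arp-spoofing inspects the ARP sender field rather than the Ethernet header. If frame-level source-MAC enforcement is the goal the rule belongs in a chain that sees every frame; otherwise the limitation should be stated, e.g. `<!-- IPv4 frames only: ARP frames are checked by no-arp-spoofing on the ARP sender address, not the Ethernet header -->`. `priority='10'` is the lowest number in the whole set and has no comment explaining why this drop must precede everything else.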
							
								
								
									
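--- a/examples/xml/nwfilter/no-other-l2-traffic.xml
+++ b/examples/xml/nwfilter/no-other-l2-traffic.xml
@@ -0,0 +1,7 @@
+<filter name='no-other-l2-traffic'>
+
+    <!-- drop all other l2 traffic than for which rules have been
+         written for; i.e., drop all other than arp and ipv4 traffic -->
+    <rule action='drop' direction='inout' priority='1000'/>
+
+</filter>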
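Review bot: The unconditional drop at `priority='1000'` sits in a filter with no `chain` attribute, so it only does what the comment promises if IPv4 and ARP traffic is diverted into the ipv4/arp chains and does not fall back here when unmatched there; that assumption is load-bearing for every filter that composes this one and should be written down, because if unmatched traffic does return, any IPv4 packet lacking an explicit accept is dropped as well. The comment itself is garbled (`drop all other l2 traffic than for which rules have been written for`) and would read better as `<!-- drop all L2 traffic for which no protocol chain exists, i.e. anything other than ARP and IPv4; relies on those being handled in their own chains -->`.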