The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6797
This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.
=== Description (from pull-request) ===
From 6a09a3679fea2f15a97b5cdfe59821abf4045771 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 28 Jan 2020 16:54:32 +0100
Subject: [PATCH 1/2] lxd/devices: Remove dead xtables code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
lxd/device/nic_bridged.go | 95 ---------------------------------------
1 file changed, 95 deletions(-)
diff --git a/lxd/device/nic_bridged.go b/lxd/device/nic_bridged.go
index 7633dac620..699caddf5a 100644
--- a/lxd/device/nic_bridged.go
+++ b/lxd/device/nic_bridged.go
@@ -462,68 +462,6 @@ func (d *nicBridged) getDHCPStaticIPs(network string,
instanceName string) (dhcp
return IPv4, IPv6, nil
}
-// generateFilterEbtablesRules returns a customised set of ebtables filter
rules based on the device.
-func (d *nicBridged) generateFilterEbtablesRules(m deviceConfig.Device, IPv4
net.IP, IPv6 net.IP) [][]string {
- // MAC source filtering rules. Blocks any packet coming from instance
with an incorrect Ethernet source MAC.
- // This is required for IP filtering too.
- rules := [][]string{
- {"ebtables", "-t", "filter", "-A", "INPUT", "-s", "!",
m["hwaddr"], "-i", m["host_name"], "-j", "DROP"},
- {"ebtables", "-t", "filter", "-A", "FORWARD", "-s", "!",
m["hwaddr"], "-i", m["host_name"], "-j", "DROP"},
- }
-
- if shared.IsTrue(m["security.ipv4_filtering"]) && IPv4 != nil {
- rules = append(rules,
- // Prevent ARP MAC spoofing (prevents the instance
poisoning the ARP cache of its neighbours with a MAC address that isn't its
own).
- []string{"ebtables", "-t", "filter", "-A", "INPUT",
"-p", "ARP", "-i", m["host_name"], "--arp-mac-src", "!", m["hwaddr"], "-j",
"DROP"},
- []string{"ebtables", "-t", "filter", "-A", "FORWARD",
"-p", "ARP", "-i", m["host_name"], "--arp-mac-src", "!", m["hwaddr"], "-j",
"DROP"},
- // Prevent ARP IP spoofing (prevents the instance
redirecting traffic for IPs that are not its own).
- []string{"ebtables", "-t", "filter", "-A", "INPUT",
"-p", "ARP", "-i", m["host_name"], "--arp-ip-src", "!", IPv4.String(), "-j",
"DROP"},
- []string{"ebtables", "-t", "filter", "-A", "FORWARD",
"-p", "ARP", "-i", m["host_name"], "--arp-ip-src", "!", IPv4.String(), "-j",
"DROP"},
- // Allow DHCPv4 to the host only. This must come before
the IP source filtering rules below.
- []string{"ebtables", "-t", "filter", "-A", "INPUT",
"-p", "IPv4", "-s", m["hwaddr"], "-i", m["host_name"], "--ip-src", "0.0.0.0",
"--ip-dst", "255.255.255.255", "--ip-proto", "udp", "--ip-dport", "67", "-j",
"ACCEPT"},
- // IP source filtering rules. Blocks any packet coming
from instance with an incorrect IP source address.
- []string{"ebtables", "-t", "filter", "-A", "INPUT",
"-p", "IPv4", "-i", m["host_name"], "--ip-src", "!", IPv4.String(), "-j",
"DROP"},
- []string{"ebtables", "-t", "filter", "-A", "FORWARD",
"-p", "IPv4", "-i", m["host_name"], "--ip-src", "!", IPv4.String(), "-j",
"DROP"},
- )
- }
-
- if shared.IsTrue(m["security.ipv6_filtering"]) && IPv6 != nil {
- rules = append(rules,
- // Allow DHCPv6 and Router Solicitation to the host
only. This must come before the IP source filtering rules below.
- []string{"ebtables", "-t", "filter", "-A", "INPUT",
"-p", "IPv6", "-s", m["hwaddr"], "-i", m["host_name"], "--ip6-src",
"fe80::/ffc0::", "--ip6-dst",
"ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp",
"--ip6-dport", "547", "-j", "ACCEPT"},
- []string{"ebtables", "-t", "filter", "-A", "INPUT",
"-p", "IPv6", "-s", m["hwaddr"], "-i", m["host_name"], "--ip6-src",
"fe80::/ffc0::", "--ip6-dst",
"ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp",
"--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"},
- // IP source filtering rules. Blocks any packet coming
from instance with an incorrect IP source address.
- []string{"ebtables", "-t", "filter", "-A", "INPUT",
"-p", "IPv6", "-i", m["host_name"], "--ip6-src", "!",
fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j",
"DROP"},
- []string{"ebtables", "-t", "filter", "-A", "FORWARD",
"-p", "IPv6", "-i", m["host_name"], "--ip6-src", "!",
fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j",
"DROP"},
- )
- }
-
- return rules
-}
-
-// matchEbtablesRule compares an active rule to a supplied match rule to see
if they match.
-// If deleteMode is true then the "-A" flag in the active rule will be
modified to "-D" and will
-// not be part of the equality match. This allows delete commands to be
generated from dumped add commands.
-func (d *nicBridged) matchEbtablesRule(activeRule []string, matchRule
[]string, deleteMode bool) bool {
- for i := range matchRule {
- // Active rules will be dumped in "add" format, we need to
detect
- // this and switch it to "delete" mode if requested. If this
has already been
- // done then move on, as we don't want to break the comparison
below.
- if deleteMode && (activeRule[i] == "-A" || activeRule[i] ==
"-D") {
- activeRule[i] = "-D"
- continue
- }
-
- // Check the match rule field matches the active rule field.
- // If they don't match, then this isn't one of our rules.
- if strings.Replace(activeRule[i],
"/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "", -1) !=
strings.Replace(matchRule[i], "/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "",
-1) {
- return false
- }
- }
-
- return true
-}
-
// setFilters sets up any network level filters defined for the instance.
// These are controlled by the security.mac_filtering, security.ipv4_Filtering
and security.ipv6_filtering config keys.
func (d *nicBridged) setFilters() (err error) {
@@ -712,39 +650,6 @@ func (d *nicBridged) allocateFilterIPs(netConfig
map[string]string) (net.IP, net
return IPv4, IPv6, nil
}
-// generateFilterIptablesRules returns a customised set of iptables filter
rules based on the device.
-func (d *nicBridged) generateFilterIptablesRules(m deviceConfig.Device, IPv6
net.IP) (rules [][]string, err error) {
- mac, err := net.ParseMAC(m["hwaddr"])
- if err != nil {
- return
- }
-
- macHex := hex.EncodeToString(mac)
-
- // These rules below are implemented using ip6tables because the
functionality to inspect
- // the contents of an ICMPv6 packet does not exist in ebtables (unlike
for IPv4 ARP).
- // Additionally, ip6tables doesn't really provide a nice way to do what
we need here, so we
- // have resorted to doing a raw hex comparison of the packet contents
at fixed positions.
- // If these rules are not added then it is possible to hijack traffic
for another IP that is
- // not assigned to the instance by sending a specially crafted
gratuitous NDP packet with
- // correct source address and MAC at the IP & ethernet layers, but a
fraudulent IP or MAC
- // inside the ICMPv6 NDP packet.
- if shared.IsTrue(m["security.ipv6_filtering"]) && IPv6 != nil {
- ipv6Hex := hex.EncodeToString(IPv6)
-
- rules = append(rules,
- // Prevent Neighbor Advertisement IP spoofing (prevents
the instance redirecting traffic for IPs that are not its own).
- []string{"ipv6", "INPUT", "-i", m["parent"], "-p",
"ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6",
"--icmpv6-type", "136", "-m", "string", "!", "--hex-string",
fmt.Sprintf("|%s|", ipv6Hex), "--algo", "bm", "--from", "48", "--to", "64",
"-j", "DROP"},
- []string{"ipv6", "FORWARD", "-i", m["parent"], "-p",
"ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6",
"--icmpv6-type", "136", "-m", "string", "!", "--hex-string",
fmt.Sprintf("|%s|", ipv6Hex), "--algo", "bm", "--from", "48", "--to", "64",
"-j", "DROP"},
- // Prevent Neighbor Advertisement MAC spoofing
(prevents the instance poisoning the NDP cache of its neighbours with a MAC
address that isn't its own).
- []string{"ipv6", "INPUT", "-i", m["parent"], "-p",
"ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6",
"--icmpv6-type", "136", "-m", "string", "!", "--hex-string",
fmt.Sprintf("|%s|", macHex), "--algo", "bm", "--from", "66", "--to", "72",
"-j", "DROP"},
- []string{"ipv6", "FORWARD", "-i", m["parent"], "-p",
"ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6",
"--icmpv6-type", "136", "-m", "string", "!", "--hex-string",
fmt.Sprintf("|%s|", macHex), "--algo", "bm", "--from", "66", "--to", "72",
"-j", "DROP"},
- )
- }
-
- return
-}
-
// networkDHCPv4Ranges returns a parsed set of DHCPv4 ranges for a particular
network.
func (d *nicBridged) networkDHCPv4Ranges(netConfig map[string]string)
[]dhcpRange {
dhcpRanges := make([]dhcpRange, 0)
From fb5073eaa435fa266978aa48601fd82b7ffd0a62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 28 Jan 2020 17:01:05 +0100
Subject: [PATCH 2/2] lxd/iptables: Fix matching of IPv6 link-local
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
lxd/iptables/xtables.go | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lxd/iptables/xtables.go b/lxd/iptables/xtables.go
index 9c06a926bd..5b7c86a332 100644
--- a/lxd/iptables/xtables.go
+++ b/lxd/iptables/xtables.go
@@ -330,9 +330,15 @@ func matchEbtablesRule(activeRule []string, matchRule
[]string, deleteMode bool)
continue
}
+ // Mangle to line up with different versions of ebtables.
+ active := strings.Replace(activeRule[i],
"/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "", -1)
+ match := strings.Replace(matchRule[i],
"/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "", -1)
+ active = strings.Replace(active, "fe80::/ffc0::", "fe80::/10",
-1)
+ match = strings.Replace(match, "fe80::/ffc0::", "fe80::/10", -1)
+
// Check the match rule field matches the active rule field.
// If they don't match, then this isn't one of our rules.
- if strings.Replace(activeRule[i],
"/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "", -1) !=
strings.Replace(matchRule[i], "/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "",
-1) {
+ if active != match {
return false
}
}
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
