The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6797
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) ===
From 6a09a3679fea2f15a97b5cdfe59821abf4045771 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com> Date: Tue, 28 Jan 2020 16:54:32 +0100 Subject: [PATCH 1/2] lxd/devices: Remove dead xtables code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> --- lxd/device/nic_bridged.go | 95 --------------------------------------- 1 file changed, 95 deletions(-) diff --git a/lxd/device/nic_bridged.go b/lxd/device/nic_bridged.go index 7633dac620..699caddf5a 100644 --- a/lxd/device/nic_bridged.go +++ b/lxd/device/nic_bridged.go @@ -462,68 +462,6 @@ func (d *nicBridged) getDHCPStaticIPs(network string, instanceName string) (dhcp return IPv4, IPv6, nil } -// generateFilterEbtablesRules returns a customised set of ebtables filter rules based on the device. -func (d *nicBridged) generateFilterEbtablesRules(m deviceConfig.Device, IPv4 net.IP, IPv6 net.IP) [][]string { - // MAC source filtering rules. Blocks any packet coming from instance with an incorrect Ethernet source MAC. - // This is required for IP filtering too. - rules := [][]string{ - {"ebtables", "-t", "filter", "-A", "INPUT", "-s", "!", m["hwaddr"], "-i", m["host_name"], "-j", "DROP"}, - {"ebtables", "-t", "filter", "-A", "FORWARD", "-s", "!", m["hwaddr"], "-i", m["host_name"], "-j", "DROP"}, - } - - if shared.IsTrue(m["security.ipv4_filtering"]) && IPv4 != nil { - rules = append(rules, - // Prevent ARP MAC spoofing (prevents the instance poisoning the ARP cache of its neighbours with a MAC address that isn't its own). - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", m["host_name"], "--arp-mac-src", "!", m["hwaddr"], "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", m["host_name"], "--arp-mac-src", "!", m["hwaddr"], "-j", "DROP"}, - // Prevent ARP IP spoofing (prevents the instance redirecting traffic for IPs that are not its own). - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", m["host_name"], "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", m["host_name"], "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"}, - // Allow DHCPv4 to the host only. This must come before the IP source filtering rules below. - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv4", "-s", m["hwaddr"], "-i", m["host_name"], "--ip-src", "0.0.0.0", "--ip-dst", "255.255.255.255", "--ip-proto", "udp", "--ip-dport", "67", "-j", "ACCEPT"}, - // IP source filtering rules. Blocks any packet coming from instance with an incorrect IP source address. - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv4", "-i", m["host_name"], "--ip-src", "!", IPv4.String(), "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv4", "-i", m["host_name"], "--ip-src", "!", IPv4.String(), "-j", "DROP"}, - ) - } - - if shared.IsTrue(m["security.ipv6_filtering"]) && IPv6 != nil { - rules = append(rules, - // Allow DHCPv6 and Router Solicitation to the host only. This must come before the IP source filtering rules below. - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", m["hwaddr"], "-i", m["host_name"], "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp", "--ip6-dport", "547", "-j", "ACCEPT"}, - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", m["hwaddr"], "-i", m["host_name"], "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"}, - // IP source filtering rules. Blocks any packet coming from instance with an incorrect IP source address. - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", m["host_name"], "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", m["host_name"], "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"}, - ) - } - - return rules -} - -// matchEbtablesRule compares an active rule to a supplied match rule to see if they match. -// If deleteMode is true then the "-A" flag in the active rule will be modified to "-D" and will -// not be part of the equality match. This allows delete commands to be generated from dumped add commands. -func (d *nicBridged) matchEbtablesRule(activeRule []string, matchRule []string, deleteMode bool) bool { - for i := range matchRule { - // Active rules will be dumped in "add" format, we need to detect - // this and switch it to "delete" mode if requested. If this has already been - // done then move on, as we don't want to break the comparison below. - if deleteMode && (activeRule[i] == "-A" || activeRule[i] == "-D") { - activeRule[i] = "-D" - continue - } - - // Check the match rule field matches the active rule field. - // If they don't match, then this isn't one of our rules. - if strings.Replace(activeRule[i], "/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "", -1) != strings.Replace(matchRule[i], "/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "", -1) { - return false - } - } - - return true -} - // setFilters sets up any network level filters defined for the instance. // These are controlled by the security.mac_filtering, security.ipv4_Filtering and security.ipv6_filtering config keys. func (d *nicBridged) setFilters() (err error) { @@ -712,39 +650,6 @@ func (d *nicBridged) allocateFilterIPs(netConfig map[string]string) (net.IP, net return IPv4, IPv6, nil } -// generateFilterIptablesRules returns a customised set of iptables filter rules based on the device. -func (d *nicBridged) generateFilterIptablesRules(m deviceConfig.Device, IPv6 net.IP) (rules [][]string, err error) { - mac, err := net.ParseMAC(m["hwaddr"]) - if err != nil { - return - } - - macHex := hex.EncodeToString(mac) - - // These rules below are implemented using ip6tables because the functionality to inspect - // the contents of an ICMPv6 packet does not exist in ebtables (unlike for IPv4 ARP). - // Additionally, ip6tables doesn't really provide a nice way to do what we need here, so we - // have resorted to doing a raw hex comparison of the packet contents at fixed positions. - // If these rules are not added then it is possible to hijack traffic for another IP that is - // not assigned to the instance by sending a specially crafted gratuitous NDP packet with - // correct source address and MAC at the IP & ethernet layers, but a fraudulent IP or MAC - // inside the ICMPv6 NDP packet. - if shared.IsTrue(m["security.ipv6_filtering"]) && IPv6 != nil { - ipv6Hex := hex.EncodeToString(IPv6) - - rules = append(rules, - // Prevent Neighbor Advertisement IP spoofing (prevents the instance redirecting traffic for IPs that are not its own). - []string{"ipv6", "INPUT", "-i", m["parent"], "-p", "ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6", "--icmpv6-type", "136", "-m", "string", "!", "--hex-string", fmt.Sprintf("|%s|", ipv6Hex), "--algo", "bm", "--from", "48", "--to", "64", "-j", "DROP"}, - []string{"ipv6", "FORWARD", "-i", m["parent"], "-p", "ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6", "--icmpv6-type", "136", "-m", "string", "!", "--hex-string", fmt.Sprintf("|%s|", ipv6Hex), "--algo", "bm", "--from", "48", "--to", "64", "-j", "DROP"}, - // Prevent Neighbor Advertisement MAC spoofing (prevents the instance poisoning the NDP cache of its neighbours with a MAC address that isn't its own). - []string{"ipv6", "INPUT", "-i", m["parent"], "-p", "ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6", "--icmpv6-type", "136", "-m", "string", "!", "--hex-string", fmt.Sprintf("|%s|", macHex), "--algo", "bm", "--from", "66", "--to", "72", "-j", "DROP"}, - []string{"ipv6", "FORWARD", "-i", m["parent"], "-p", "ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6", "--icmpv6-type", "136", "-m", "string", "!", "--hex-string", fmt.Sprintf("|%s|", macHex), "--algo", "bm", "--from", "66", "--to", "72", "-j", "DROP"}, - ) - } - - return -} - // networkDHCPv4Ranges returns a parsed set of DHCPv4 ranges for a particular network. func (d *nicBridged) networkDHCPv4Ranges(netConfig map[string]string) []dhcpRange { dhcpRanges := make([]dhcpRange, 0) From fb5073eaa435fa266978aa48601fd82b7ffd0a62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com> Date: Tue, 28 Jan 2020 17:01:05 +0100 Subject: [PATCH 2/2] lxd/iptables: Fix matching of IPv6 link-local MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> --- lxd/iptables/xtables.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lxd/iptables/xtables.go b/lxd/iptables/xtables.go index 9c06a926bd..5b7c86a332 100644 --- a/lxd/iptables/xtables.go +++ b/lxd/iptables/xtables.go @@ -330,9 +330,15 @@ func matchEbtablesRule(activeRule []string, matchRule []string, deleteMode bool) continue } + // Mangle to line up with different versions of ebtables. + active := strings.Replace(activeRule[i], "/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "", -1) + match := strings.Replace(matchRule[i], "/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "", -1) + active = strings.Replace(active, "fe80::/ffc0::", "fe80::/10", -1) + match = strings.Replace(match, "fe80::/ffc0::", "fe80::/10", -1) + // Check the match rule field matches the active rule field. // If they don't match, then this isn't one of our rules. - if strings.Replace(activeRule[i], "/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "", -1) != strings.Replace(matchRule[i], "/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "", -1) { + if active != match { return false } }
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel