1. Feature

IP and MAC filtering for VMs
(for containers, it already works).

2. Description

The filters are the following:

a) IP spoofing protection:
Drops packets from the guest whose source IP address differs from the guest's addresses.
This filter works only if all of the following are true:
- DHCP for the VM is OFF
- AutoApply for the VM is ON
- the VM has a non-empty list of IP addresses

It is set by:
prlctl set VM --device-set net0 --ipfilter yes

Which is translated to libvirt XML:
<filterref filter='no-ip-spoofing'>
    <parameter name='IP' value='10.30.23.132'/>
</filterref>

b) MAC spoofing protection:
Drops packets from the guest whose source MAC address differs from the guest's addresses.

It is set by:
prlctl set VM --device-set net0 --macfilter yes

Which is translated to libvirt XML:
<filterref filter='no-mac-spoofing'>
    <parameter name='MAC' value='00:1C:42:3D:04:66'/>
</filterref>

There was a bug where guest bonding was incompatible with macfilter,
because packets with the bond's MAC (possibly different from the interface MAC)
were dropped on the interface. This was fixed by adding *all* of the host's
MACs as filter parameters.

c) Promiscuous mode protection:
Drops packets to the guest whose target MAC address differs from the guest's addresses
and is not broadcast.

It is set by:
prlctl set VM --device-set net0 --preventpromisc yes

Which is translated to libvirt XML:
<filterref filter='no-promisc'>
    <parameter name='MAC' value='00:1C:42:3D:04:66'/>
</filterref>

Other notes:
For IP and MAC spoofing protection, libvirt's standard filters were used.
To combine the filters, we added several filters to libvirt (/etc/libvirt/nwfilter/*.xml).
The added filters are:
no-promisc
no-ip-spoofing-no-mac-spoofing-no-promisc
no-ip-spoofing-no-mac-spoofing
no-ip-spoofing-no-promisc
no-mac-spoofing-no-promisc

They are shipped as part of prl-disp-service package.

For now (bridged interfaces only) the filters are implemented using
ebtables' NAT table.

To check that they are set up, one may use the ebtables-save command.

3. Products

Virtuozzo 7

Packages:

 * prl-disp-service >= 7.0.318
 * libprlxmlmodel >= 7.0.19

4. Known issues

 * IPv6 filters are not implemented yet

--
Yours sincerely,
Maxim Perevedentsev
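Editor's note: the script below is an added example, not code from the post above and not part of prl-disp-service. It shows the translation the post describes, from the three prlctl flags of one NIC to the libvirt <filterref>, generalised to the combined filters the post lists: the filter names, the IP/MAC parameter names, the three preconditions for --ipfilter and the "pass every MAC" bonding fix are taken from the post; the dict-based NIC description, the function names and the assumption that a combined filter accepts both the IP and MAC parameters are mine.

```python
"""Added example (editor's, not prl-disp-service code): translate the
prlctl-style --ipfilter/--macfilter/--preventpromisc flags of one VM NIC
into the libvirt <filterref> the post describes.

From the post: the filter names (no-ip-spoofing, no-mac-spoofing,
no-promisc and their hyphen-joined combinations), the IP/MAC parameter
names, the preconditions for --ipfilter, and passing every MAC as a
parameter for the bonding case.
Assumed for illustration: the dict-based NIC description, the function
names, and that a combined filter accepts both IP and MAC parameters.
"""
import xml.etree.ElementTree as ET


def select_filter_name(ipfilter, macfilter, preventpromisc):
    """Join the enabled protections in the order used by the combined
    filter names listed in the post; None when nothing is enabled."""
    parts = []
    if ipfilter:
        parts.append("no-ip-spoofing")
    if macfilter:
        parts.append("no-mac-spoofing")
    if preventpromisc:
        parts.append("no-promisc")
    return "-".join(parts) or None


def ip_filter_applicable(nic):
    """--ipfilter only takes effect when DHCP is off, AutoApply is on and
    the NIC has a non-empty IP list (the three conditions from the post)."""
    return (not nic["dhcp"]) and nic["autoapply"] and len(nic["ips"]) > 0


def build_filterref(nic):
    """Return the <filterref> element for this NIC, or None if no filter
    ends up active (e.g. --ipfilter yes but DHCP is on)."""
    ipfilter = nic["ipfilter"] and ip_filter_applicable(nic)
    name = select_filter_name(ipfilter, nic["macfilter"], nic["preventpromisc"])
    if name is None:
        return None
    ref = ET.Element("filterref", filter=name)
    if ipfilter:
        for ip in nic["ips"]:
            ET.SubElement(ref, "parameter", name="IP", value=ip)
    if nic["macfilter"] or nic["preventpromisc"]:
        # Bonding fix from the post: every MAC the NIC may use goes in as a
        # separate MAC parameter, not only the interface's own one.
        for mac in [nic["mac"]] + nic.get("extra_macs", []):
            ET.SubElement(ref, "parameter", name="MAC", value=mac.upper())
    return ref


def filter_parameters(nic):
    """(filter name, [(parameter name, value), ...]) or None; handy for
    checking the result without comparing XML strings."""
    ref = build_filterref(nic)
    if ref is None:
        return None
    return ref.get("filter"), [(p.get("name"), p.get("value")) for p in ref]


def filterref_xml(nic):
    """The same element serialised, ready to paste into a domain's
    <interface> definition."""
    ref = build_filterref(nic)
    return None if ref is None else ET.tostring(ref, encoding="unicode")


# Constructed sample NICs (not real VMs); addresses are the ones from the post.
NIC_IP_ONLY = {"dhcp": False, "autoapply": True, "ips": ["10.30.23.132"],
               "mac": "00:1c:42:3d:04:66", "ipfilter": True,
               "macfilter": False, "preventpromisc": False}
NIC_DHCP = dict(NIC_IP_ONLY, dhcp=True)           # --ipfilter yes, but inactive
NIC_ALL = dict(NIC_IP_ONLY, macfilter=True, preventpromisc=True,
               extra_macs=["00:1c:42:aa:bb:cc"])  # e.g. a bond's MAC

if __name__ == "__main__":
    for label, nic in (("ip only", NIC_IP_ONLY), ("dhcp", NIC_DHCP), ("all", NIC_ALL)):
        print(label, "->", filterref_xml(nic))
```

Running it prints, for the "ip only" NIC, the same single-parameter filterref the post shows for --ipfilter, and for the "dhcp" NIC nothing at all, which is the easy-to-miss case: the flag is set, but the filter is not applied, so ebtables-save will show no rule for that interface.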



_______________________________________________
Users mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/users