[Users] [TRD] IP and MAC filtering for VMs
Maxim Perevedentsev
mperevedentsev at virtuozzo.com
Wed Apr 6 05:36:34 PDT 2016
*1. Feature*
IP and MAC filtering for VMs
(for containers, it already works).
*2. Description*
The filters are the following:
*a) IP spoofing protection:*
Drops packets from the guest whose source IP address is not one of the
guest's addresses.
This filter works only if all of the following are true:
- dhcp for VM is OFF
- AutoApply for VM is ON
- VM has non-empty list of IP addresses
It is set by:
prlctl set VM --device-set net0 --ipfilter yes
Which is translated to libvirt xml:
<filterref filter='no-ip-spoofing'>
<parameter name='IP' value='10.30.23.132'/>
</filterref>
*b) MAC spoofing protection:*
Drops packets from the guest whose source MAC address is not one of the
guest's addresses.
It is set by:
prlctl set VM --device-set net0 --macfilter yes
Which is translated to libvirt xml:
<filterref filter='no-mac-spoofing'>
<parameter name='MAC' value='00:1C:42:3D:04:66'/>
</filterref>
There was a bug where guest bonding was incompatible with macfilter,
because packets carrying the bond's MAC (possibly different from the
interface MAC) were dropped on the interface. This was fixed by adding
*all* of the host's MACs as filter parameters.
*c) Promiscuous mode protection:*
Drops packets to the guest whose target MAC address is neither one of the
guest's addresses nor the broadcast address.
It is set by:
prlctl set VM --device-set net0 --preventpromisc yes
Which is translated to libvirt xml:
<filterref filter='no-promisc'>
<parameter name='MAC' value='00:1C:42:3D:04:66'/>
</filterref>
*Other notes:*
For IP and MAC spoofing protection, libvirt's standard filters were used.
To combine the filters, we added several filters to libvirt
(/etc/libvirt/nwfilter/*.xml).
The added filters are:
no-promisc
no-ip-spoofing-no-mac-spoofing-no-promisc
no-ip-spoofing-no-mac-spoofing
no-ip-spoofing-no-promisc
no-mac-spoofing-no-promisc
They are shipped as part of prl-disp-service package.
For now (bridged interfaces only) the filters are implemented using
ebtables' NAT table.
To check that they are set up, one may use the ebtables-save command.
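To make the mapping above concrete, here is an added example (not prl-disp-service code) that derives the libvirt filterref for a NIC from the three prlctl flags, applying the dhcp/AutoApply/IP-list conditions for the IP filter, choosing the combined filter name from the list above, and emitting one MAC parameter per guest MAC as the bonding fix requires. The VM config fields passed in are an assumed representation.

```python
"""Build the libvirt <filterref> for a VM NIC from its prlctl filter flags.
Added example, not prl-disp-service code. Filter and parameter names are
the ones from the post; the VM config fields are an assumed representation."""
import xml.etree.ElementTree as ET


def effective_filters(ipfilter, macfilter, preventpromisc, dhcp, autoapply, ips):
    """Return the component filters that actually apply, in the order used
    by the combined filter names (ip, mac, promisc).
    The IP spoofing filter is active only when dhcp is OFF, AutoApply is ON
    and the VM has a non-empty IP list."""
    parts = []
    if ipfilter and not dhcp and autoapply and ips:
        parts.append("no-ip-spoofing")
    if macfilter:
        parts.append("no-mac-spoofing")
    if preventpromisc:
        parts.append("no-promisc")
    return parts


def filterref_xml(ips, macs, **flags):
    """Return the <filterref> element as an XML string, or None when no
    filter applies. `macs` holds every MAC the guest may send from, so a
    guest that bonds interfaces gets one MAC parameter per address."""
    parts = effective_filters(ips=ips, **flags)
    if not parts:
        return None
    # Combined filter names are simply the component names joined by '-'.
    ref = ET.Element("filterref", filter="-".join(parts))
    if "no-ip-spoofing" in parts:
        for ip in ips:
            ET.SubElement(ref, "parameter", name="IP", value=ip)
    if "no-mac-spoofing" in parts or "no-promisc" in parts:
        for mac in macs:
            ET.SubElement(ref, "parameter", name="MAC", value=mac)
    return ET.tostring(ref, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: all three flags on, guest bonding two NICs.
    print(filterref_xml(["10.30.23.132"], ["00:1C:42:3D:04:66", "00:1C:42:3D:04:67"],
                        ipfilter=True, macfilter=True, preventpromisc=True,
                        dhcp=False, autoapply=True))
```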
*3. Products*
Virtuozzo 7
Packages:
* prl-disp-service >= 7.0.318
* libprlxmlmodel >= 7.0.19
*4. Known issues*
* IPv6 filters are not implemented yet
--
Yours sincerely,
Maxim Perevedentsev