[Users] [TRD] IP and MAC filtering for VMs

Maxim Perevedentsev mperevedentsev at virtuozzo.com
Wed Apr 6 05:36:34 PDT 2016


1. Feature

IP and MAC filtering for VMs
(for containers, it already works).

2. Description

The filters are the following:

a) IP spoofing protection:
Drops packets from the guest whose source IP address differs from the
guest's own addresses.
This filter works only when all of the following are true:
- DHCP for the VM is OFF
- AutoApply for the VM is ON
- the VM has a non-empty list of IP addresses

It is set by:
prlctl set VM --device-set net0 --ipfilter yes

Which is translated to libvirt xml:
<filterref filter='no-ip-spoofing'>
     <parameter name='IP' value='10.30.23.132'/>
</filterref>

b) MAC spoofing protection:
Drops packets from the guest whose source MAC address differs from the
guest's own addresses.

It is set by:
prlctl set VM --device-set net0 --macfilter yes

Which is translated to libvirt xml:
<filterref filter='no-mac-spoofing'>
     <parameter name='MAC' value='00:1C:42:3D:04:66'/>
</filterref>

There was a bug where guest bonding was incompatible with macfilter,
because packets carrying the bond's MAC (possibly different from the
iface MAC) were dropped on the interface. This was fixed by adding *all*
of the host's MACs as filter parameters.

c) Promiscuous mode protection:
Drops packets to the guest whose target MAC address differs from the
guest's own addresses and is not broadcast.

It is set by:
prlctl set VM --device-set net0 --preventpromisc yes

Which is translated to libvirt xml:
<filterref filter='no-promisc'>
     <parameter name='MAC' value='00:1C:42:3D:04:66'/>
</filterref>

Other notes:
For IP and MAC spoofing protection, libvirt's standard filters were used.
To combine the filters, we added several filters to libvirt 
(/etc/libvirt/nwfilter/*.xml).
The added filters are:
no-promisc
no-ip-spoofing-no-mac-spoofing-no-promisc
no-ip-spoofing-no-mac-spoofing
no-ip-spoofing-no-promisc
no-mac-spoofing-no-promisc

They are shipped as part of the prl-disp-service package.
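The following is an added example, not Virtuozzo's or libvirt's own code. It builds the filterref element that the TRD says prlctl generates for --ipfilter, --macfilter and --preventpromisc, applies the TRD's conditions for when the IP filter is active, and names the combined filter the way the shipped filters above are named. The VmNet class and the function names are assumptions made for this illustration, as is the choice to pass both IP and MAC parameters in a single filterref when filters are combined.

```python
# Added example (not Virtuozzo's or libvirt's own code): builds the
# <filterref> element the TRD says prlctl generates for --ipfilter,
# --macfilter and --preventpromisc, applying the TRD's conditions for the
# IP filter and the TRD's naming of the combined filters. The VmNet class
# and function names are assumptions made for this illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from xml.sax.saxutils import quoteattr


@dataclass
class VmNet:
    ipfilter: bool = False        # prlctl ... --ipfilter yes
    macfilter: bool = False       # prlctl ... --macfilter yes
    preventpromisc: bool = False  # prlctl ... --preventpromisc yes
    dhcp: bool = True
    autoapply: bool = False
    ips: List[str] = field(default_factory=list)
    macs: List[str] = field(default_factory=list)  # iface MAC plus any bond MACs


def ip_filter_active(net: VmNet) -> bool:
    """The TRD's rule: no-ip-spoofing applies only when DHCP is off,
    AutoApply is on and the VM has a non-empty IP list."""
    return net.ipfilter and not net.dhcp and net.autoapply and bool(net.ips)


def filter_name(net: VmNet) -> Optional[str]:
    """Combined filter name in the order the shipped filters use
    (no-ip-spoofing, then no-mac-spoofing, then no-promisc)."""
    parts = []
    if ip_filter_active(net):
        parts.append("no-ip-spoofing")
    if net.macfilter:
        parts.append("no-mac-spoofing")
    if net.preventpromisc:
        parts.append("no-promisc")
    return "-".join(parts) if parts else None


def build_filterref(net: VmNet) -> str:
    """Return the <filterref> XML fragment, or "" when no filter applies."""
    name = filter_name(net)
    if name is None:
        return ""
    params = []
    if ip_filter_active(net):
        for ip in net.ips:
            addr = ipaddress.ip_address(ip)   # rejects malformed input
            if addr.version != 4:             # TRD: IPv6 filters not implemented
                raise ValueError("IPv6 filtering not implemented: %s" % ip)
            params.append(("IP", str(addr)))
    if net.macfilter or net.preventpromisc:
        if not net.macs:
            raise ValueError("MAC filters need the guest's MAC address")
        # every MAC, not just the iface's, so guest bonding keeps working
        params.extend(("MAC", mac) for mac in net.macs)
    lines = ["<filterref filter=%s>" % quoteattr(name)]
    lines += ["     <parameter name=%s value=%s/>" % (quoteattr(k), quoteattr(v))
              for k, v in params]
    lines.append("</filterref>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_filterref(VmNet(ipfilter=True, macfilter=True, preventpromisc=True,
                                dhcp=False, autoapply=True,
                                ips=["10.30.23.132"], macs=["00:1C:42:3D:04:66"])))
```

Note that a VM with --ipfilter yes but DHCP on gets only the no-mac-spoofing filter: the IP filter silently does not apply, which is worth checking when a guest turns out to be unfiltered.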

For now (bridged interfaces only) the filters are implemented using
ebtables' NAT table.

To check that they are set up, one may use the ebtables-save command.
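As an added example, not part of the original post or of any Virtuozzo, libvirt or ebtables code, the following parses ebtables-save output and checks that the drop rules implied by the three filters are present for a guest interface. The dump embedded below is constructed for illustration: the real chain names and rule order that libvirt generates may differ, which is why the checker keys on the match and DROP semantics rather than on chain names.

```python
# Added example (not Virtuozzo's, libvirt's or ebtables' own code): parses
# `ebtables-save` output and checks that the drop rules the TRD's filters
# imply are present for a guest interface. SAMPLE_EBTABLES_SAVE is a
# constructed dump; the chain names in it are illustrative only.
import shlex

SAMPLE_EBTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:in-vnet0 ACCEPT
:out-vnet0 ACCEPT
-A PREROUTING -i vnet0 -j in-vnet0
-A POSTROUTING -o vnet0 -j out-vnet0
-A in-vnet0 -s ! 0:1c:42:3d:4:66 -j DROP
-A in-vnet0 -p IPv4 --ip-src ! 10.30.23.132 -j DROP
-A out-vnet0 -d ff:ff:ff:ff:ff:ff -j ACCEPT
-A out-vnet0 -d ! 0:1c:42:3d:4:66 -j DROP
"""


def norm_mac(mac: str) -> str:
    """Some ebtables versions print MAC octets without leading zeros
    (0:1c:...); normalise to lower-case two-digit octets before comparing."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join("%02x" % int(o, 16) for o in octets)


def parse_rules(dump: str):
    """Return (chain, matches, target) for every -A line; matches maps an
    option to (negated, value). Both `-s ! X` and `! -s X` forms are read."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        chain, matches, target = tok[1], {}, None
        i = 2
        while i < len(tok):
            opt = tok[i]
            if opt == "-j":
                target = tok[i + 1]
                i += 2
            elif opt == "!":
                matches[tok[i + 1]] = (True, tok[i + 2])
                i += 3
            elif i + 1 < len(tok) and tok[i + 1] == "!":
                matches[opt] = (True, tok[i + 2])
                i += 3
            else:
                matches[opt] = (False, tok[i + 1])
                i += 2
        rules.append((chain, matches, target))
    return rules


def chains_for_iface(rules, iface: str):
    """Chains jumped to from rules matching -i/-o <iface>, by direction."""
    reach = {"in": set(), "out": set()}
    for chain, m, target in rules:
        if target in (None, "DROP", "ACCEPT"):
            continue
        if m.get("-i") == (False, iface):
            reach["in"].add(target)
        if m.get("-o") == (False, iface):
            reach["out"].add(target)
    return reach


def check_filters(dump: str, iface: str, guest_mac: str, guest_ips):
    """Report which of the TRD's three protections the dump enforces."""
    rules = parse_rules(dump)
    reach = chains_for_iface(rules, iface)
    mac = norm_mac(guest_mac)
    seen_ips = set()
    ok = {"no-mac-spoofing": False, "no-ip-spoofing": False, "no-promisc": False}
    for chain, m, target in rules:
        if target != "DROP":
            continue
        # inbound from guest: drop when source MAC/IP is NOT the guest's
        if chain in reach["in"] and m.get("-s", (False,))[0] and norm_mac(m["-s"][1]) == mac:
            ok["no-mac-spoofing"] = True
        if chain in reach["in"] and m.get("--ip-src", (False,))[0]:
            seen_ips.add(m["--ip-src"][1])
        # outbound to guest: drop when destination MAC is NOT the guest's
        if chain in reach["out"] and m.get("-d", (False,))[0] and norm_mac(m["-d"][1]) == mac:
            ok["no-promisc"] = True
    ok["no-ip-spoofing"] = bool(guest_ips) and set(guest_ips) <= seen_ips
    return ok


if __name__ == "__main__":
    print(check_filters(SAMPLE_EBTABLES_SAVE, "vnet0", "00:1C:42:3D:04:66", ["10.30.23.132"]))
```

Only IPv4 --ip-src rules are considered, matching the known issue that IPv6 filters are not implemented; a guest with an IPv6 address will therefore never pass the no-ip-spoofing check here.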

3. Products

Virtuozzo 7

Packages:

  * prl-disp-service >= 7.0.318
  * libprlxmlmodel >= 7.0.19

4. Known issues

  * IPv6 filters are not implemented yet

-- 
Yours sincerely,
Maxim Perevedentsev


