<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-forward-container">
<b>1. Feature</b><br>
<br>
IP and MAC filtering for VMs<br>
(for containers, it already works).<br>
<br>
<b>2. Description</b><br>
<br>
The filters are the following:<br>
<br>
<b>a) IP spoofing protection:</b><br>
Drops packets from the guest whose source IP address is not one of the
guest's own.<br>
This filter works only if all of the following are true:<br>
- DHCP for the VM is OFF<br>
- AutoApply for the VM is ON<br>
- the VM has a non-empty list of IP addresses<br>
<br>
It is set by:<br>
<i>prlctl set VM --device-set net0 --ipfilter yes</i><br>
<br>
Which is translated to libvirt xml:<br>
&lt;filterref filter='no-ip-spoofing'&gt;<br>
&lt;parameter name='IP' value='10.30.23.132'/&gt;<br>
&lt;/filterref&gt;<br>
<br>
<b>b) MAC spoofing protection:</b><br>
Drops packets from the guest whose source MAC address is not one of
the guest's own.<br>
<br>
It is set by:<br>
<i>prlctl set VM --device-set net0 --macfilter yes</i><br>
<br>
Which is translated to libvirt xml:<br>
&lt;filterref filter='no-mac-spoofing'&gt;<br>
&lt;parameter name='MAC' value='00:1C:42:3D:04:66'/&gt;<br>
&lt;/filterref&gt;<br>
<br>
There was a bug where guest bonding was incompatible with macfilter,<br>
because packets carrying the bond's MAC (possibly different from the interface MAC)<br>
were dropped on the interface. This was fixed by adding *all* of the
host's<br>
MACs as filter parameters.<br>
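<br>
Added example (not from the original mail): the domain <i>&lt;interface&gt;</i> element that
libvirt ends up with when all three filters are enabled for net0, with the bond's MAC
supplied as a second MAC parameter in the way the fix above describes. The bridge name,
the second MAC address and the IP are assumed values; the combined filter name is one of
those listed under "Other notes".<br>
<br>
```xml
<!-- Domain <interface> element after prlctl has enabled ipfilter,
     macfilter and preventpromisc on net0.
     Constructed example: br0, 10.30.23.132 and the second MAC are assumed. -->
<interface type='bridge'>
  <mac address='00:1C:42:3D:04:66'/>
  <source bridge='br0'/>
  <model type='virtio'/>
  <!-- An interface may carry only one <filterref>, hence the combined filter. -->
  <filterref filter='no-ip-spoofing-no-mac-spoofing-no-promisc'>
    <!-- $IP: the only source address the guest may use (DHCP must be off) -->
    <parameter name='IP' value='10.30.23.132'/>
    <!-- Several MAC parameters turn $MAC into a list; each value is accepted
         as a source MAC (no-mac-spoofing) and as a destination MAC (no-promisc). -->
    <parameter name='MAC' value='00:1C:42:3D:04:66'/>
    <!-- assumed MAC of the bond inside the guest; without this entry the
         bond's frames were the ones being dropped -->
    <parameter name='MAC' value='00:1C:42:3D:04:67'/>
  </filterref>
</interface>
```
<br>
<i>virsh dumpxml VM</i> shows the element as stored; <i>ebtables-save</i> shows the
chains libvirt instantiated from it in the NAT table.<br>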
<br>
<b>c) Promiscuous mode protection:</b><br>
Drops packets to the guest whose destination MAC address is neither one
of the guest's own nor broadcast.<br>
<br>
It is set by:<br>
<i>prlctl set VM --device-set net0 --preventpromisc yes</i><br>
<br>
Which is translated to libvirt xml:<br>
&lt;filterref filter='no-promisc'&gt;<br>
&lt;parameter name='MAC' value='00:1C:42:3D:04:66'/&gt;<br>
&lt;/filterref&gt;<br>
<br>
<b>Other notes:</b><br>
For IP and MAC spoofing protection, libvirt's standard filters
were used.<br>
To combine the filters, we added several filters to libvirt
(/etc/libvirt/nwfilter/*.xml).<br>
The added filters are:<br>
no-promisc<br>
no-ip-spoofing-no-mac-spoofing-no-promisc<br>
no-ip-spoofing-no-mac-spoofing<br>
no-ip-spoofing-no-promisc<br>
no-mac-spoofing-no-promisc<br>
<br>
They are shipped as part of prl-disp-service package.<br>
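<br>
Added example, not the filter files shipped in prl-disp-service: an assumed definition
of the custom <i>no-promisc</i> filter, followed by the combined
<i>no-ip-spoofing-no-mac-spoofing-no-promisc</i> filter that chains it with libvirt's
standard <i>no-mac-spoofing</i> and <i>no-ip-spoofing</i> filters. Each
<i>&lt;filter&gt;</i> would be its own file under /etc/libvirt/nwfilter/ (or loaded with
<i>virsh nwfilter-define</i>). The rule layout and priorities are my reading of the
"not the guest's MAC and not broadcast" rule in nwfilter syntax, not the project's own.<br>
<br>
```xml
<!-- File 1: no-promisc.xml (assumed definition, example only).
     chain='mac' gives ebtables-level matching; direction='in' is traffic
     travelling towards the guest. -->
<filter name='no-promisc' chain='mac' priority='-790'>
  <!-- Frames addressed to one of the guest's MACs are passed on.
       $MAC is a list when several MAC parameters are given in the domain. -->
  <rule action='return' direction='in' priority='500'>
    <mac dstmacaddr='$MAC'/>
  </rule>
  <!-- Broadcast (ARP requests, DHCP offers) is passed on. -->
  <rule action='return' direction='in' priority='500'>
    <mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
  </rule>
  <!-- Everything else headed to this port is somebody else's traffic:
       dropped, so a guest NIC in promiscuous mode sees nothing extra.
       Caveat: taken literally this also drops multicast, which matches the
       mail's wording but would break e.g. IPv6 neighbour discovery
       (IPv6 is not covered by these filters yet anyway). -->
  <rule action='drop' direction='in' priority='600'>
    <mac/>
  </rule>
</filter>

<!-- File 2: no-ip-spoofing-no-mac-spoofing-no-promisc.xml
     A domain interface may reference only one filter, so each combination
     listed above is a root-chain filter that pulls in the parts. -->
<filter name='no-ip-spoofing-no-mac-spoofing-no-promisc' chain='root'>
  <filterref filter='no-mac-spoofing'/>  <!-- libvirt standard; uses $MAC -->
  <filterref filter='no-ip-spoofing'/>   <!-- libvirt standard; needs $IP  -->
  <filterref filter='no-promisc'/>       <!-- file 1 above -->
</filter>
```
<br>
Because <i>no-ip-spoofing</i> only has $IP when the domain supplies it, the combined
filter inherits the same precondition as the plain IP filter: a non-empty IP list and
DHCP off, otherwise the guest's legitimate traffic is dropped.<br>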
<br>
For now (bridged interfaces only), the filters are implemented
using<br>
the ebtables NAT table.<br>
<br>
To check that they are set up, one may use the <i>ebtables-save</i> command.<br>
<br>
<b>3. Products</b><br>
<br>
Virtuozzo 7<br>
<br>
Packages:<br>
<ul>
<li>prl-disp-service >= 7.0.318</li>
<li>libprlxmlmodel >= 7.0.19<br>
</li>
</ul>
<p><b>4. Known issues</b></p>
<ul>
<li>IPv6 filters are not implemented yet</li>
</ul>
<pre class="moz-signature" cols="72">--
Yours sincerely,
Maxim Perevedentsev</pre>
<br>
</div>
<br>
</body>
</html>