SUBDIRS = gnulib/lib include src daemon tools proxy docs gnulib/tests \
python tests po examples/domain-events/events-c examples/hellolibvirt \
- examples/dominfo examples/domsuspend examples/python examples/apparmor
+ examples/dominfo examples/domsuspend examples/python examples/apparmor \
+ examples/xml/nwfilter
ACLOCAL_AMFLAGS = -I m4 -I gnulib/m4
examples/domsuspend/Makefile \
examples/dominfo/Makefile \
examples/python/Makefile \
- examples/hellolibvirt/Makefile)
+ examples/hellolibvirt/Makefile \
+ examples/xml/nwfilter/Makefile)
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Configuration summary])
--- /dev/null
+
+FILTERS = \
+ allow-arp.xml \
+ allow-dhcp-server.xml \
+ allow-dhcp.xml \
+ allow-incoming-ipv4.xml \
+ allow-ipv4.xml \
+ clean-traffic.xml \
+ no-arp-spoofing.xml \
+ no-ip-multicast.xml \
+ no-ip-spoofing.xml \
+ no-mac-broadcast.xml \
+ no-mac-spoofing.xml \
+ no-other-l2-traffic.xml
+
+confdir = $(sysconfdir)/libvirt
+
+NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
+
+install-data-local:
+ $(MKDIR_P) "$(NWFILTER_DIR)"
+ for f in $(FILTERS); do \
+ $(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
+ done
+
+uninstall-local::
+ for f in $(FILTERS); do \
+ rm -f "$(NWFILTER_DIR)/$$f"; \
+ done
+ -test -z $(shell ls $(NWFILTER_DIR)) || rmdir $(NWFILTER_DIR)
--- /dev/null
+<filter name='allow-arp' chain='arp'>
+ <rule direction='inout' action='accept'/>
+</filter>
--- /dev/null
+<filter name='allow-dhcp-server' chain='ipv4'>
+
+ <!-- accept outgoing DHCP requests -->
+ <!-- note, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0'
+ dstipaddr='255.255.255.255'
+ protocol='udp'
+ srcportstart='68'
+ dstportstart='67' />
+ </rule>
+
+ <!-- accept incoming DHCP responses from a specific DHCP server
+ parameter DHPCSERVER needs to be passed from where this filter is
+ referenced -->
+ <rule action='accept' direction='in' priority='100' >
+ <ip srcipaddr='$DHCPSERVER'
+ protocol='udp'
+ srcportstart='67'
+ dstportstart='68'/>
+ </rule>
+
+</filter>
--- /dev/null
+<filter name='allow-dhcp' chain='ipv4'>
+
+ <!-- accept outgoing DHCP requests -->
+ <!-- not, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0'
+ dstipaddr='255.255.255.255'
+ protocol='udp'
+ srcportstart='68'
+ dstportstart='67' />
+ </rule>
+
+ <!-- accept incoming DHCP responses from any DHCP server -->
+ <rule action='accept' direction='in' priority='100' >
+ <ip protocol='udp'
+ srcportstart='67'
+ dstportstart='68'/>
+ </rule>
+
+</filter>
--- /dev/null
+<filter name='allow-incoming-ipv4' chain='ipv4'>
+ <rule direction='in' action='accept'/>
+</filter>
--- /dev/null
+<filter name='allow-ipv4' chain='ipv4'>
+ <rule direction='inout' action='accept'/>
+</filter>
--- /dev/null
+<filter name='clean-traffic'>
+ <!-- An example of a traffic filter enforcing clean traffic
+ from a VM by
+ - preventing MAC spoofing -->
+ <filterref filter='no-mac-spoofing'/>
+
+ <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+ <filterref filter='no-ip-spoofing'/>
+ <filterref filter='allow-incoming-ipv4'/>
+
+ <!-- preventing ARP spoofing/poisoning -->
+ <filterref filter='no-arp-spoofing'/>
+
+ <!-- preventing any other traffic than IPv4 and ARP -->
+ <filterref filter='no-other-l2-traffic'/>
+
+</filter>
--- /dev/null
+<filter name='no-arp-spoofing' chain='arp'>
+ <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
+
+ <!-- no arp spoofing -->
+ <!-- drop if ipaddr or macaddr does not belong to guest -->
+ <rule action='drop' direction='out' priority='400' >
+ <arp match='no' arpsrcmacaddr='$MAC'/>
+ </rule>
+ <rule action='drop' direction='out' priority='400' >
+ <arp match='no' arpsrcipaddr='$IP' />
+ </rule>
+ <!-- drop if ipaddr or macaddr odes not belong to guest -->
+ <rule action='drop' direction='in' priority='400' >
+ <arp match='no' arpdstmacaddr='$MAC'/>
+ <arp opcode='reply'/>
+ </rule>
+ <rule action='drop' direction='in' priority='400' >
+ <arp match='no' arpdstipaddr='$IP' />
+ </rule>
+ <!-- accept only request or reply packets -->
+ <rule action='accept' direction='inout' priority='500' >
+ <arp opcode='request'/>
+ </rule>
+ <rule action='accept' direction='inout' priority='500' >
+ <arp opcode='reply'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='inout' priority='1000' />
+</filter>
--- /dev/null
+<filter name='no-ip-multicast' chain='ipv4'>
+
+ <!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
+ <rule action='drop' direction='out'>
+ <ip dstipaddr='224.0.0.0' dstipmask='4' />
+ </rule>
+
+ <!-- not doing anything with receiving side ... -->
+</filter>
--- /dev/null
+<filter name='no-ip-spoofing' chain='ipv4'>
+
+ <!-- drop if srcipaddr is not the IP address of the guest -->
+ <rule action='drop' direction='out'>
+ <ip match='no' srcipaddr='$IP' />
+ </rule>
+</filter>
--- /dev/null
+<filter name='no-mac-broadcast' chain='ipv4'>
+ <!-- drop if destination mac is bcast mac addr. -->
+ <rule action='drop' direction='out'>
+ <mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
+ </rule>
+
+ <!-- not doing anything with receiving side ... -->
+</filter>
--- /dev/null
+<filter name='no-mac-spoofing' chain='ipv4'>
+ <rule action='drop' direction='out' priority='10'>
+ <mac match='no' srcmacaddr='$MAC' />
+ </rule>
+</filter>
--- /dev/null
+<filter name='no-other-l2-traffic'>
+
+ <!-- drop all other l2 traffic than for which rules have been
+ written for; i.e., drop all other than arp and ipv4 traffic -->
+ <rule action='drop' direction='inout' priority='1000'/>
+
+</filter>
projects / libvirt.git / commitdiff