[lxc-devel] [lxd/stable-2.0] Optional firewall
simondeziel on Github
lxc-bot at linuxcontainers.org
Fri Nov 25 20:00:01 UTC 2016
From 6ab0eda8bc310dcafa5a90b9bccc6b6130c77ffd Mon Sep 17 00:00:00 2001
From: Simon Deziel <simon.deziel at gmail.com>
Date: Fri, 25 Nov 2016 14:34:55 -0500
Subject: [PATCH 1/3] DHCP happens over UDP only
Signed-off-by: Simon Deziel <simon.deziel at gmail.com>
---
lxd-bridge/lxd-bridge | 2 --
1 file changed, 2 deletions(-)
diff --git a/lxd-bridge/lxd-bridge b/lxd-bridge/lxd-bridge
index 14d8f4d..0fa4ceb 100755
--- a/lxd-bridge/lxd-bridge
+++ b/lxd-bridge/lxd-bridge
@@ -138,7 +138,6 @@ start() {
fi
iptables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p udp --dport 67 -j ACCEPT -m comment --comment "managed by lxd-bridge"
- iptables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p tcp --dport 67 -j ACCEPT -m comment --comment "managed by lxd-bridge"
iptables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p udp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
iptables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p tcp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
iptables "${use_iptables_lock}" -I FORWARD -i "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
@@ -184,7 +183,6 @@ stop() {
if [ -d /sys/class/net/${LXD_BRIDGE} ]; then
ifdown ${LXD_BRIDGE}
iptables ${use_iptables_lock} -D INPUT -i ${LXD_BRIDGE} -p udp --dport 67 -j ACCEPT -m comment --comment "managed by lxd-bridge"
- iptables ${use_iptables_lock} -D INPUT -i ${LXD_BRIDGE} -p tcp --dport 67 -j ACCEPT -m comment --comment "managed by lxd-bridge"
iptables ${use_iptables_lock} -D INPUT -i ${LXD_BRIDGE} -p udp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
iptables ${use_iptables_lock} -D INPUT -i ${LXD_BRIDGE} -p tcp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
iptables ${use_iptables_lock} -D FORWARD -i ${LXD_BRIDGE} -j ACCEPT -m comment --comment "managed by lxd-bridge"
From 60809c80d23b1c79032b2a782faf86400e43ece8 Mon Sep 17 00:00:00 2001
From: Simon Deziel <simon.deziel at gmail.com>
Date: Fri, 25 Nov 2016 14:43:47 -0500
Subject: [PATCH 2/3] Make IPv4 firewalling optional (default is enabled)
Signed-off-by: Simon Deziel <simon.deziel at gmail.com>
---
lxd-bridge/lxd-bridge | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/lxd-bridge/lxd-bridge b/lxd-bridge/lxd-bridge
index 0fa4ceb..609c551 100755
--- a/lxd-bridge/lxd-bridge
+++ b/lxd-bridge/lxd-bridge
@@ -19,6 +19,7 @@ LXD_IPV4_NETWORK=""
LXD_IPV4_DHCP_RANGE=""
LXD_IPV4_DHCP_MAX=""
LXD_IPV4_NAT="false"
+LXD_IPV4_FIREWALL="true"
# IPv6
LXD_IPV6_ADDR=""
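Review bot: The new `LXD_IPV4_FIREWALL="true"` default carries no comment saying what it gates, so a reader of the config file cannot tell whether "false" turns off all iptables handling for the bridge or only part of it. From the start() hunk below it only gates the two FORWARD ACCEPT rules; the INPUT rules for DHCP and DNS and the `LXD_IPV4_NAT` MASQUERADE rule are still managed regardless. A comment such as `# "true": insert FORWARD ACCEPT rules for traffic in and out of the bridge; "false" leaves forwarding policy to the host's own firewall (the DHCP/DNS INPUT and NAT rules are unaffected)` would make the trade-off explicit, since "false" on a host whose FORWARD chain defaults to DROP silently stops container traffic. The same applies to `LXD_IPV6_FIREWALL` added by patch 3.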
@@ -140,8 +141,10 @@ start() {
iptables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p udp --dport 67 -j ACCEPT -m comment --comment "managed by lxd-bridge"
iptables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p udp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
iptables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p tcp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
- iptables "${use_iptables_lock}" -I FORWARD -i "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
- iptables "${use_iptables_lock}" -I FORWARD -o "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ if [ "${LXD_IPV4_FIREWALL}" = "true" ]; then
+ iptables "${use_iptables_lock}" -I FORWARD -i "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ iptables "${use_iptables_lock}" -I FORWARD -o "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ fi
iptables "${use_iptables_lock}" -t mangle -A POSTROUTING -o "${LXD_BRIDGE}" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -m comment --comment "managed by lxd-bridge"
LXD_DOMAIN_ARG=""
@@ -185,8 +188,10 @@ stop() {
iptables ${use_iptables_lock} -D INPUT -i ${LXD_BRIDGE} -p udp --dport 67 -j ACCEPT -m comment --comment "managed by lxd-bridge"
iptables ${use_iptables_lock} -D INPUT -i ${LXD_BRIDGE} -p udp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
iptables ${use_iptables_lock} -D INPUT -i ${LXD_BRIDGE} -p tcp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
- iptables ${use_iptables_lock} -D FORWARD -i ${LXD_BRIDGE} -j ACCEPT -m comment --comment "managed by lxd-bridge"
- iptables ${use_iptables_lock} -D FORWARD -o ${LXD_BRIDGE} -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ if [ "${LXD_IPV4_FIREWALL}" = "true" ]; then
+ iptables ${use_iptables_lock} -D FORWARD -i ${LXD_BRIDGE} -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ iptables ${use_iptables_lock} -D FORWARD -o ${LXD_BRIDGE} -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ fi
iptables ${use_iptables_lock} -t mangle -D POSTROUTING -o ${LXD_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -m comment --comment "managed by lxd-bridge"
if [ -n "${LXD_IPV4_NETWORK}" ] && [ "${LXD_IPV4_NAT}" = "true" ]; then
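Review bot: stop() now decides whether to delete the FORWARD rules from the current value of `LXD_IPV4_FIREWALL`, but the rules present on the host reflect the value at start() time; if the setting is flipped to "false" between start and stop (a config edit followed by a restart), the two FORWARD ACCEPT rules are left behind and the host's forwarding policy stays widened with nothing to clean it up. Always attempting the deletion and tolerating a missing rule avoids the leak, e.g. `iptables ${use_iptables_lock} -D FORWARD -i ${LXD_BRIDGE} -j ACCEPT -m comment --comment "managed by lxd-bridge" || true` for each of the two lines, without the surrounding `if`/`fi`; whether the `|| true` is needed depends on whether the script runs under `set -e`, which I cannot see from the hunk. The ip6tables stop() block added by patch 3 has the same pattern and should get the same treatment. Minor style point: the new lines keep the unquoted `${use_iptables_lock}` and `${LXD_BRIDGE}` of their neighbours while the start() counterparts quote them. stop() begins and ends outside the hunk.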
From 392f2694f9c603241a618565a1bd9f7a801212db Mon Sep 17 00:00:00 2001
From: Simon Deziel <simon.deziel at gmail.com>
Date: Fri, 25 Nov 2016 14:53:35 -0500
Subject: [PATCH 3/3] Add ip6tables filter rules
Signed-off-by: Simon Deziel <simon.deziel at gmail.com>
---
lxd-bridge/lxd-bridge | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/lxd-bridge/lxd-bridge b/lxd-bridge/lxd-bridge
index 609c551..219efb5 100755
--- a/lxd-bridge/lxd-bridge
+++ b/lxd-bridge/lxd-bridge
@@ -26,6 +26,7 @@ LXD_IPV6_ADDR=""
LXD_IPV6_MASK=""
LXD_IPV6_NETWORK=""
LXD_IPV6_NAT="false"
+LXD_IPV6_FIREWALL="true"
LXD_IPV6_PROXY="true"
# shellcheck disable=SC1090
@@ -147,6 +148,16 @@ start() {
fi
iptables "${use_iptables_lock}" -t mangle -A POSTROUTING -o "${LXD_BRIDGE}" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -m comment --comment "managed by lxd-bridge"
+ if [ "${HAS_IPV6}" = "true" ]; then
+ ip6tables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p udp --dport 67 -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ ip6tables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p udp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ ip6tables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p tcp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ if [ "${LXD_IPV6_FIREWALL}" = "true" ]; then
+ ip6tables "${use_iptables_lock}" -I FORWARD -i "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ ip6tables "${use_iptables_lock}" -I FORWARD -o "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ fi
+ fi
+
LXD_DOMAIN_ARG=""
if [ -n "${LXD_DOMAIN}" ]; then
LXD_DOMAIN_ARG="-s ${LXD_DOMAIN} -S /${LXD_DOMAIN}/"
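Review bot: The ip6tables INPUT rule on UDP 67 mirrors the IPv4 DHCP rule, but 67 is the DHCPv4 server port; DHCPv6 servers listen on UDP 547, so if the intent is to admit DHCPv6 requests from the bridge to dnsmasq the rule needs `--dport 547` (the stop() counterpart in the next hunk has the same port). Separately, IPv6 on the bridge depends on ICMPv6 for neighbour discovery and router solicitations, which none of the added rules admit, so on a host whose ip6tables INPUT chain defaults to DROP the bridge would still lose IPv6 even with these rules in place; either add `ip6tables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p ipv6-icmp -j ACCEPT -m comment --comment "managed by lxd-bridge"` (with a matching `-D` in stop()) or state in a comment that the INPUT rules assume ICMPv6 is already allowed. start() begins and ends outside the hunk.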
@@ -198,6 +209,16 @@ stop() {
iptables ${use_iptables_lock} -t nat -D POSTROUTING -s ${LXD_IPV4_NETWORK} ! -d ${LXD_IPV4_NETWORK} -j MASQUERADE -m comment --comment "managed by lxd-bridge"
fi
+ if [ "${HAS_IPV6}" = "true" ]; then
+ ip6tables ${use_iptables_lock} -D INPUT -i ${LXD_BRIDGE} -p udp --dport 67 -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ ip6tables ${use_iptables_lock} -D INPUT -i ${LXD_BRIDGE} -p udp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ ip6tables ${use_iptables_lock} -D INPUT -i ${LXD_BRIDGE} -p tcp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ if [ "${LXD_IPV6_FIREWALL}" = "true" ]; then
+ ip6tables ${use_iptables_lock} -D FORWARD -i ${LXD_BRIDGE} -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ ip6tables ${use_iptables_lock} -D FORWARD -o ${LXD_BRIDGE} -j ACCEPT -m comment --comment "managed by lxd-bridge"
+ fi
+ fi
+
if [ "${HAS_IPV6}" = "true" ] && [ -n "${LXD_IPV6_NETWORK}" ] && [ "${LXD_IPV6_NAT}" = "true" ]; then
ip6tables ${use_iptables_lock} -t nat -D POSTROUTING -s ${LXD_IPV6_NETWORK} ! -d ${LXD_IPV6_NETWORK} -j MASQUERADE -m comment --comment "managed by lxd-bridge"
fi