[lxc-devel] [lxd/master] IP filtering (isolation mode)

tomponline on Github lxc-bot at linuxcontainers.org
Wed Jun 19 16:30:13 UTC 2019


From c9724060a740dc51f66011e618df2c0853825657 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 19 Jun 2019 17:27:47 +0100
Subject: [PATCH 1/2] container: Adds security.ipv4_filtering and
 security.ipv6_filtering nic device keys

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/container.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lxd/container.go b/lxd/container.go
index a526d2bee6..d0534e5457 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -154,6 +154,10 @@ func containerValidDeviceConfigKey(t, k string) bool {
 			return true
 		case "security.mac_filtering":
 			return true
+		case "security.ipv4_filtering":
+			return true
+		case "security.ipv6_filtering":
+			return true
 		case "maas.subnet.ipv4":
 			return true
 		case "maas.subnet.ipv6":

From a0f0b9a99c17c9b6f8f997ab3413ff4911404fa7 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 19 Jun 2019 17:28:43 +0100
Subject: [PATCH 2/2] container/lxc: Changes createNetworkFilter to accept
 device config

Lays groundwork for IP filtering mode.

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/container_lxc.go | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 7e1fc70563..170df88702 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1718,7 +1718,7 @@ func (c *containerLXC) initLXC(config bool) error {
 			vethName := ""
 			if m["host_name"] != "" && m["nictype"] != "sriov" {
 				vethName = m["host_name"]
-			} else if shared.IsTrue(m["security.mac_filtering"]) {
+			} else if c.networkConfigHasFiltering(m) {
 				// We need a known device name for MAC filtering
 				vethName = deviceNextVeth()
 			}
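Review bot: The comment on the line after the changed condition still reads "We need a known device name for MAC filtering", but the new `c.networkConfigHasFiltering(m)` test is also true when only security.ipv4_filtering or security.ipv6_filtering is set, so the comment is now stale. Suggest `// We need a known device name for network filtering (MAC or IP)`. The same wording mismatch does not recur in the later hunks, which already say "network filtering" in the error message. initLXC's body begins and ends outside this hunk.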
@@ -2530,7 +2530,7 @@ func (c *containerLXC) startCommon() (string, error) {
 				}
 			}
 
-			if m["nictype"] == "bridged" && shared.IsTrue(m["security.mac_filtering"]) {
+			if m["nictype"] == "bridged" && c.networkConfigHasFiltering(m) {
 				// Read device name from config
 				vethName := ""
 				for i := 0; i < len(c.c.ConfigItem(networkKeyPrefix)); i++ {
@@ -2554,10 +2554,10 @@ func (c *containerLXC) startCommon() (string, error) {
 				}
 
 				if vethName == "" {
-					return "", fmt.Errorf("Failed to find device name for mac_filtering")
+					return "", fmt.Errorf("Failed to find device name for network filtering")
 				}
 
-				err = c.createNetworkFilter(vethName, m["parent"], m["hwaddr"])
+				err = c.createNetworkFilter(vethName, m)
 				if err != nil {
 					return "", err
 				}
@@ -8379,8 +8379,8 @@ func (c *containerLXC) createNetworkDevice(name string, m types.Device) (string,
 	}
 
 	// Set the filter
-	if m["nictype"] == "bridged" && shared.IsTrue(m["security.mac_filtering"]) {
-		err = c.createNetworkFilter(dev, m["parent"], m["hwaddr"])
+	if m["nictype"] == "bridged" && c.networkConfigHasFiltering(m) {
+		err = c.createNetworkFilter(dev, m)
 		if err != nil {
 			return "", err
 		}
@@ -8701,13 +8701,23 @@ func (c *containerLXC) getVolatileHostName(deviceName string) string {
 	return c.localConfig[hostNameKey]
 }
 
-func (c *containerLXC) createNetworkFilter(name string, bridge string, hwaddr string) error {
-	_, err := shared.RunCommand("ebtables", "-A", "FORWARD", "-s", "!", hwaddr, "-i", name, "-o", bridge, "-j", "DROP")
+// networkConfigHasFiltering returns true if the supplied network device config has any of the
+// the network level filtering flags enabled.
+// These are the security.mac_filtering, security.ipv4_Filtering and security.ipv6_filtering config keys.
+func (c *containerLXC) networkConfigHasFiltering(m types.Device) bool {
+	return shared.IsTrue(m["security.mac_filtering"]) || shared.IsTrue(m["security.ipv4_filtering"]) || shared.IsTrue(m["security.ipv6_filtering"])
+}
+
+// createNetworkFilter sets up any network level filters defined for the container.
+// These are controlled by the security.mac_filtering, security.ipv4_Filtering and security.ipv6_filtering config keys.
+func (c *containerLXC) createNetworkFilter(name string, m types.Device) error {
+	// Enable MAC filtering first, as this is used whether or not IP filtering is used.
+	_, err := shared.RunCommand("ebtables", "-A", "FORWARD", "-s", "!", m["hwaddr"], "-i", name, "-o", m["parent"], "-j", "DROP")
 	if err != nil {
 		return err
 	}
 
-	_, err = shared.RunCommand("ebtables", "-A", "INPUT", "-s", "!", hwaddr, "-i", name, "-j", "DROP")
+	_, err = shared.RunCommand("ebtables", "-A", "INPUT", "-s", "!", m["hwaddr"], "-i", name, "-j", "DROP")
 	if err != nil {
 		return err
 	}
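Review bot: The doc comments on networkConfigHasFiltering and createNetworkFilter spell the key as `security.ipv4_Filtering`, while the code on the following line and the key added in patch 1 use `security.ipv4_filtering`; the first comment also has a doubled "the" ("any of the the network level"). Suggest `// These are controlled by the security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering config keys.` for both, and `// networkConfigHasFiltering returns true if the supplied network device config has any of the` for the first line. createNetworkFilter's comment says it sets up the filters controlled by the IPv4/IPv6 keys, but the body in this hunk only installs the two MAC-based ebtables rules, so until the IP rules land it would be clearer to state that only MAC filtering is applied so far. Since the helper now also runs the MAC rules when only an IP key is set, it is worth confirming that callers always populate m["hwaddr"] in that case; an empty value would be passed to ebtables as the `-s !` argument, which cannot be verified from this hunk. createNetworkFilter's body continues past the end of the hunk.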

