[lxc-devel] [lxd/master] IP filtering (isolation mode)
tomponline on Github
lxc-bot at linuxcontainers.org
Wed Jun 19 16:30:13 UTC 2019
From c9724060a740dc51f66011e618df2c0853825657 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 19 Jun 2019 17:27:47 +0100
Subject: [PATCH 1/2] container: Adds security.ipv4_filtering and
security.ipv6_filtering nic device keys
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
lxd/container.go | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lxd/container.go b/lxd/container.go
index a526d2bee6..d0534e5457 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -154,6 +154,10 @@ func containerValidDeviceConfigKey(t, k string) bool {
return true
case "security.mac_filtering":
return true
+ case "security.ipv4_filtering":
+ return true
+ case "security.ipv6_filtering":
+ return true
case "maas.subnet.ipv4":
return true
case "maas.subnet.ipv6":
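Review bot: These two keys are accepted by validation here while the enforcement in this series only installs MAC rules (patch 2's createNetworkFilter drops non-matching source MACs and nothing else in the hunks shown), so a profile that sets `security.ipv4_filtering=true` would validate cleanly and start the container with no IP filtering at all. Until the IP rules land, consider rejecting a true value for these keys or landing the validation change together with the enforcement, so that an isolation setting never silently degrades to MAC-only. The switch that contains these cases begins before the hunk, so I cannot tell whether it is already scoped to bridged NICs; the filtering in container_lxc.go is only ever applied when `m["nictype"] == "bridged"`, so keys set on other nictypes would also be accepted and ignored.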
From a0f0b9a99c17c9b6f8f997ab3413ff4911404fa7 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 19 Jun 2019 17:28:43 +0100
Subject: [PATCH 2/2] container/lxc: Changes createNetworkFilter to accept
device config
Lays groundwork for IP filtering mode.
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
lxd/container_lxc.go | 28 +++++++++++++++++++---------
1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 7e1fc70563..170df88702 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1718,7 +1718,7 @@ func (c *containerLXC) initLXC(config bool) error {
vethName := ""
if m["host_name"] != "" && m["nictype"] != "sriov" {
vethName = m["host_name"]
- } else if shared.IsTrue(m["security.mac_filtering"]) {
+ } else if c.networkConfigHasFiltering(m) {
// We need a known device name for MAC filtering
vethName = deviceNextVeth()
}
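Review bot: The context comment just after the new condition is now stale: `c.networkConfigHasFiltering(m)` is also true for the IPv4/IPv6 keys, so `// We need a known device name for MAC filtering` should read `// We need a known device name for network filtering (MAC/IPv4/IPv6)`. The enclosing initLXC body starts and ends outside this hunk.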
@@ -2530,7 +2530,7 @@ func (c *containerLXC) startCommon() (string, error) {
}
}
- if m["nictype"] == "bridged" && shared.IsTrue(m["security.mac_filtering"]) {
+ if m["nictype"] == "bridged" && c.networkConfigHasFiltering(m) {
// Read device name from config
vethName := ""
for i := 0; i < len(c.c.ConfigItem(networkKeyPrefix)); i++ {
@@ -2554,10 +2554,10 @@ func (c *containerLXC) startCommon() (string, error) {
}
if vethName == "" {
- return "", fmt.Errorf("Failed to find device name for mac_filtering")
+ return "", fmt.Errorf("Failed to find device name for network filtering")
}
- err = c.createNetworkFilter(vethName, m["parent"], m["hwaddr"])
+ err = c.createNetworkFilter(vethName, m)
if err != nil {
return "", err
}
@@ -8379,8 +8379,8 @@ func (c *containerLXC) createNetworkDevice(name string, m types.Device) (string,
}
// Set the filter
- if m["nictype"] == "bridged" && shared.IsTrue(m["security.mac_filtering"]) {
- err = c.createNetworkFilter(dev, m["parent"], m["hwaddr"])
+ if m["nictype"] == "bridged" && c.networkConfigHasFiltering(m) {
+ err = c.createNetworkFilter(dev, m)
if err != nil {
return "", err
}
@@ -8701,13 +8701,23 @@ func (c *containerLXC) getVolatileHostName(deviceName string) string {
return c.localConfig[hostNameKey]
}
-func (c *containerLXC) createNetworkFilter(name string, bridge string, hwaddr string) error {
- _, err := shared.RunCommand("ebtables", "-A", "FORWARD", "-s", "!", hwaddr, "-i", name, "-o", bridge, "-j", "DROP")
+// networkConfigHasFiltering returns true if the supplied network device config has any of the
+// the network level filtering flags enabled.
+// These are the security.mac_filtering, security.ipv4_Filtering and security.ipv6_filtering config keys.
+func (c *containerLXC) networkConfigHasFiltering(m types.Device) bool {
+ return shared.IsTrue(m["security.mac_filtering"]) || shared.IsTrue(m["security.ipv4_filtering"]) || shared.IsTrue(m["security.ipv6_filtering"])
+}
+
+// createNetworkFilter sets up any network level filters defined for the container.
+// These are controlled by the security.mac_filtering, security.ipv4_Filtering and security.ipv6_filtering config keys.
+func (c *containerLXC) createNetworkFilter(name string, m types.Device) error {
+ // Enable MAC filtering first, as this is used whether or not IP filtering is used.
+ _, err := shared.RunCommand("ebtables", "-A", "FORWARD", "-s", "!", m["hwaddr"], "-i", name, "-o", m["parent"], "-j", "DROP")
if err != nil {
return err
}
- _, err = shared.RunCommand("ebtables", "-A", "INPUT", "-s", "!", hwaddr, "-i", name, "-j", "DROP")
+ _, err = shared.RunCommand("ebtables", "-A", "INPUT", "-s", "!", m["hwaddr"], "-i", name, "-j", "DROP")
if err != nil {
return err
}
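Review bot: The doc comments on networkConfigHasFiltering and createNetworkFilter name the key as `security.ipv4_Filtering`, but the key actually read in the function body is the lowercase `security.ipv4_filtering`; since device config keys are matched case-sensitively, the comment will mislead anyone copying it, so change both comments to `security.ipv4_filtering` and drop the doubled "the the" in the first one. Separately, when only an IP-filtering key is set the MAC rules are still built from `m["hwaddr"]`; if that field can be empty at this point for a device whose address is assigned elsewhere (I cannot see where hwaddr is resolved from these hunks), `ebtables -s !` would receive an empty string, so a guard such as `if m["hwaddr"] == "" { return fmt.Errorf("Cannot apply network filters without hwaddr") }` at the top of createNetworkFilter would fail clearly instead of through an ebtables parse error. createNetworkFilter continues past the end of the hunk, so whether any IP rules follow the MAC rules is not visible here.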