[lxc-devel] [lxd/master] lxd/firewall: Create Firewall interface and implement XTables
keyallis on Github
lxc-bot at linuxcontainers.org
Wed Nov 13 20:16:03 UTC 2019
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 397 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20191113/ae12d738/attachment-0001.bin>
-------------- next part --------------
From 337347843d414058b370f6977b5e97711846ea8f Mon Sep 17 00:00:00 2001
From: Louise Montalvo <louanmontalvo at gmail.com>
Date: Wed, 13 Nov 2019 14:11:54 -0600
Subject: [PATCH] lxd/firewall: Create Firewall interface and implement XTables
Signed-off-by: Louise Montalvo <louanmontalvo at gmail.com>
---
lxd/firewall/interfaces.go | 32 ++++
lxd/firewall/xtables.go | 344 +++++++++++++++++++++++++++++++++++++
2 files changed, 376 insertions(+)
create mode 100644 lxd/firewall/interfaces.go
create mode 100644 lxd/firewall/xtables.go
diff --git a/lxd/firewall/interfaces.go b/lxd/firewall/interfaces.go
new file mode 100644
index 0000000000..00d3bdde15
--- /dev/null
+++ b/lxd/firewall/interfaces.go
@@ -0,0 +1,32 @@
+package firewall
+
+import (
+ "net"
+
+ "github.com/lxc/lxd/lxd/device"
+ deviceConfig "github.com/lxc/lxd/lxd/device/config"
+)
+
+
+// Firewall represents an LXD firewall.
+type Firewall interface {
+ // Lower-level Functions
+ NetworkClear(name string, protocol string, table string) error
+ InstanceClear(inst device.Instance, protocol string, table string) error
+ VerifyIPv6Module() error
+
+ // Proxy Functions
+ InstanceProxySetupNAT(protocol string, ipAddr net.IP, comment string, connType, address, port string, cPort string) error
+
+ // NIC Bridged Functions
+ InstanceNicBridgedRemoveFilters(m deviceConfig.Device, ipv4 net.IP, ipv6 net.IP) error
+ InstanceNicBridgedSetFilters(m deviceConfig.Device, ipv4 net.IP, ipv6 net.IP, name string) error
+
+ // Network Functions
+ NetworkSetupAllowForwarding(protocol string, name string, should_accept bool) error
+ NetworkSetupNAT(protocol string, name string, is_after bool, args ...string) error
+ NetworkSetupIPv4DNSOverrides(name string) error
+ NetworkSetupIPv4DHCPWorkaround(name string) error
+ NetworkSetupIPv6DNSOverrides(name string) error
+ NetworkSetupTunnelNAT(name string, is_after bool, overlaySubnet net.IPNet) error
+}
diff --git a/lxd/firewall/xtables.go b/lxd/firewall/xtables.go
new file mode 100644
index 0000000000..d440a495d1
--- /dev/null
+++ b/lxd/firewall/xtables.go
@@ -0,0 +1,344 @@
+package firewall
+
+import (
+ "fmt"
+ "net"
+ "strings"
+ "encoding/hex"
+
+ "github.com/lxc/lxd/lxd/iptables"
+ "github.com/lxc/lxd/lxd/device"
+ deviceConfig "github.com/lxc/lxd/lxd/device/config"
+ "github.com/lxc/lxd/shared"
+)
+
+
+// XTables is an implmentation of LXD firewall using {ip, ip6, eb}tables
+type XTables struct {}
+
+
+// Lower-level Functions
+
+// NetworkClear removes network rules.
+func (xt *XTables) NetworkClear(name string, protocol string, table string) error {
+ return iptables.NetworkClear(protocol, name, table)
+}
+
+// Removes rules all rules for the given instance.
+func (xt *XTables) InstanceClear(inst device.Instance, protocol string, table string) error {
+ return iptables.ContainerClear(protocol, fmt.Sprintf("%s (%s)", inst.Name(), inst.Project()), table)
+}
+
+// VerifyIPv6Module checks to see if the ipv6 kernel module is present.
+func (xt *XTables) VerifyIPv6Module() error {
+ // Check br_netfilter is loaded and enabled for IPv6.
+ sysctlPath := "bridge/bridge-nf-call-ip6tables"
+ sysctlVal, err := device.NetworkSysctlGet(sysctlPath)
+ if err != nil {
+ return fmt.Errorf("Error reading net sysctl %s: %v", sysctlPath, err)
+ }
+
+ if sysctlVal != "1\n" {
+ return fmt.Errorf("security.ipv6_filtering requires br_netfilter and sysctl net.bridge.bridge-nf-call-ip6tables=1")
+ }
+
+ return nil
+}
+
+
+// Proxy Functions
+
+// ProxySetupNAT creates a default NAT setup.
+func (xt *XTables) InstanceProxySetupNAT(protocol string, ipAddr net.IP, comment string, connType, address, port string, cPort string) error {
+ toDest := fmt.Sprintf("%s:%s", ipAddr, cPort)
+ if protocol == "ipv6" {
+ toDest = fmt.Sprintf("[%s]:%s", ipAddr, cPort)
+ }
+
+ // outbound <-> container
+ err := iptables.ContainerPrepend(protocol, comment, "nat", "PREROUTING", "-p", connType, "--destination", address, "--dport", port, "-j", "DNAT", "--to-destination", toDest)
+ if err != nil {
+ return err
+ }
+
+ // host <-> container
+ err = iptables.ContainerPrepend(protocol, comment, "nat", "OUTPUT", "-p", connType, "--destination", address, "--dport", port, "-j", "DNAT", "--to-destination", toDest)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+
+// NIC Bridged Functions
+
+// Removes any non-standard rules from the nic instance.
+func (xt *XTables) InstanceNicBridgedRemoveFilters(m deviceConfig.Device, ipv4 net.IP, ipv6 net.IP) error {
+ // Get a current list of rules active on the host.
+ out, err := shared.RunCommand("ebtables", "--concurrent", "-L", "--Lmac2", "--Lx")
+ if err != nil {
+ return fmt.Errorf("Failed to remove network filters for %s: %v", m["name"], err)
+ }
+
+ // Get a list of rules that we would have applied on instance start.
+ rules := generateFilterEbtablesRules(m, ipv4, ipv6)
+
+ errs := []error{}
+ // Iterate through each active rule on the host and try and match it to one the LXD rules.
+ for _, line := range strings.Split(out, "\n") {
+ line = strings.TrimSpace(line)
+ fields := strings.Fields(line)
+ fieldsLen := len(fields)
+
+ for _, rule := range rules {
+ // Rule doesn't match if the field lenths aren't the same, move on.
+ if len(rule) != fieldsLen {
+ continue
+ }
+
+ // Check whether active rule matches one of our rules to delete.
+ if !matchEbtablesRule(fields, rule, true) {
+ continue
+ }
+
+ // If we get this far, then the current host rule matches one of our LXD
+ // rules, so we should run the modified command to delete it.
+ _, err = shared.RunCommand(fields[0], append([]string{"--concurrent"}, fields[1:]...)...)
+ if err != nil {
+ errs = append(errs, err)
+ }
+ }
+ }
+
+ if len(errs) > 0 {
+ return fmt.Errorf("Failed to remove network filters rule for %s: %v", m["name"], errs)
+ }
+
+ return nil
+}
+
+// Sets the nic rules to standard filtering.
+func (xt *XTables) InstanceNicBridgedSetFilters(m deviceConfig.Device, ipv4 net.IP, ipv6 net.IP, name string) error {
+ rules := generateFilterEbtablesRules(m, ipv4, ipv6)
+ for _, rule := range rules {
+ _, err := shared.RunCommand(rule[0], append([]string{"--concurrent"}, rule[1:]...)...)
+ if err != nil {
+ return err
+ }
+ }
+
+ rules, err := generateFilterIptablesRules(m, ipv6)
+ if err != nil {
+ return err
+ }
+
+ for _, rule := range rules {
+ err = iptables.ContainerPrepend(rule[0], fmt.Sprintf("%s - %s_filtering", name, rule[0]), "filter", rule[1], rule[2:]...)
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+
+// Network Functions
+
+// Allow forwarding
+func (xt *XTables) NetworkSetupAllowForwarding(protocol string, name string, should_accept bool) error {
+ forward_type := "REJECT"
+ if should_accept {
+ forward_type = "ACCEPT"
+ }
+
+ err := iptables.NetworkPrepend(protocol, name, "", "FORWARD", "-i", name, "-j", forward_type)
+ if err != nil {
+ return err
+ }
+
+ err = iptables.NetworkPrepend(protocol, name, "", "FORWARD", "-o", name, "-j", forward_type)
+ if err != nil {
+ return err
+ }
+
+ return err
+}
+
+// Configure NAT
+func (xt *XTables) NetworkSetupNAT(protocol string, name string, is_after bool, args ...string) error {
+ if is_after {
+ err := iptables.NetworkAppend(protocol, name, "nat", "POSTROUTING", args...)
+ if err != nil {
+ return err
+ }
+ } else {
+ err := iptables.NetworkPrepend(protocol, name, "nat", "POSTROUTING", args...)
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+// Setup basic iptables overrides for DHCP/DNS
+func (xt *XTables) NetworkSetupIPv4DNSOverrides(name string) error {
+ rules := [][]string{
+ {"ipv4", name, "", "INPUT", "-i", name, "-p", "udp", "--dport", "67", "-j", "ACCEPT"},
+ {"ipv4", name, "", "INPUT", "-i", name, "-p", "udp", "--dport", "53", "-j", "ACCEPT"},
+ {"ipv4", name, "", "INPUT", "-i", name, "-p", "tcp", "--dport", "53", "-j", "ACCEPT"},
+ {"ipv4", name, "", "OUTPUT", "-o", name, "-p", "udp", "--sport", "67", "-j", "ACCEPT"},
+ {"ipv4", name, "", "OUTPUT", "-o", name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
+ {"ipv4", name, "", "OUTPUT", "-o", name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
+
+ for _, rule := range rules {
+ err := iptables.NetworkPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+// Attempt a workaround for broken DHCP clients
+func (xt *XTables) NetworkSetupIPv4DHCPWorkaround(name string) error {
+ return iptables.NetworkPrepend("ipv4", name, "mangle", "POSTROUTING", "-o", name, "-p", "udp", "--dport", "68", "-j", "CHECKSUM", "--checksum-fill")
+}
+
+// Setup basic iptables overrides for DHCP/DNS
+func (xt *XTables) NetworkSetupIPv6DNSOverrides(name string) error {
+ rules := [][]string{
+ {"ipv6", name, "", "INPUT", "-i", name, "-p", "udp", "--dport", "547", "-j", "ACCEPT"},
+ {"ipv6", name, "", "INPUT", "-i", name, "-p", "udp", "--dport", "53", "-j", "ACCEPT"},
+ {"ipv6", name, "", "INPUT", "-i", name, "-p", "tcp", "--dport", "53", "-j", "ACCEPT"},
+ {"ipv6", name, "", "OUTPUT", "-o", name, "-p", "udp", "--sport", "547", "-j", "ACCEPT"},
+ {"ipv6", name, "", "OUTPUT", "-o", name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
+ {"ipv6", name, "", "OUTPUT", "-o", name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
+
+ for _, rule := range rules {
+ err := iptables.NetworkPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+// Configure Tunnel NAT
+func (xt *XTables) NetworkSetupTunnelNAT(name string, is_after bool, overlaySubnet net.IPNet) error {
+ if is_after {
+ err := iptables.NetworkAppend("ipv4", name, "nat", "POSTROUTING", "-s", overlaySubnet.String(), "!", "-d", overlaySubnet.String(), "-j", "MASQUERADE")
+ if err != nil {
+ return err
+ }
+ } else {
+ err := iptables.NetworkPrepend("ipv4", name, "nat", "POSTROUTING", "-s", overlaySubnet.String(), "!", "-d", overlaySubnet.String(), "-j", "MASQUERADE")
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+
+// Helper Functions
+
+// generateFilterEbtablesRules returns a customised set of ebtables filter rules based on the device.
+func generateFilterEbtablesRules(m deviceConfig.Device, ipv4 net.IP, ipv6 net.IP) [][]string {
+ // MAC source filtering rules. Blocks any packet coming from instance with an incorrect Ethernet source MAC.
+ // This is required for IP filtering too.
+ rules := [][]string{
+ {"ebtables", "-t", "filter", "-A", "INPUT", "-s", "!", m["hwaddr"], "-i", m["host_name"], "-j", "DROP"},
+ {"ebtables", "-t", "filter", "-A", "FORWARD", "-s", "!", m["hwaddr"], "-i", m["host_name"], "-j", "DROP"},
+ }
+
+ if shared.IsTrue(m["security.ipv4_filtering"]) && ipv4 != nil {
+ rules = append(rules,
+ // Prevent ARP MAC spoofing (prevents the instance poisoning the ARP cache of its neighbours with a MAC address that isn't its own).
+ []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", m["host_name"], "--arp-mac-src", "!", m["hwaddr"], "-j", "DROP"},
+ []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", m["host_name"], "--arp-mac-src", "!", m["hwaddr"], "-j", "DROP"},
+ // Prevent ARP IP spoofing (prevents the instance redirecting traffic for IPs that are not its own).
+ []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", m["host_name"], "--arp-ip-src", "!", ipv4.String(), "-j", "DROP"},
+ []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", m["host_name"], "--arp-ip-src", "!", ipv4.String(), "-j", "DROP"},
+ // Allow DHCPv4 to the host only. This must come before the IP source filtering rules below.
+ []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv4", "-s", m["hwaddr"], "-i", m["host_name"], "--ip-src", "0.0.0.0", "--ip-dst", "255.255.255.255", "--ip-proto", "udp", "--ip-dport", "67", "-j", "ACCEPT"},
+ // IP source filtering rules. Blocks any packet coming from instance with an incorrect IP source address.
+ []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv4", "-i", m["host_name"], "--ip-src", "!", ipv4.String(), "-j", "DROP"},
+ []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv4", "-i", m["host_name"], "--ip-src", "!", ipv4.String(), "-j", "DROP"},
+ )
+ }
+
+ if shared.IsTrue(m["security.ipv6_filtering"]) && ipv6 != nil {
+ rules = append(rules,
+ // Allow DHCPv6 and Router Solicitation to the host only. This must come before the IP source filtering rules below.
+ []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", m["hwaddr"], "-i", m["host_name"], "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp", "--ip6-dport", "547", "-j", "ACCEPT"},
+ []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", m["hwaddr"], "-i", m["host_name"], "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"},
+ // IP source filtering rules. Blocks any packet coming from instance with an incorrect IP source address.
+ []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", m["host_name"], "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", ipv6.String()), "-j", "DROP"},
+ []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", m["host_name"], "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", ipv6.String()), "-j", "DROP"},
+ )
+ }
+
+ return rules
+}
+
+// generateFilterIptablesRules returns a customised set of iptables filter rules based on the device.
+func generateFilterIptablesRules(m deviceConfig.Device, ipv6 net.IP) (rules [][]string, err error) {
+ mac, err := net.ParseMAC(m["hwaddr"])
+ if err != nil {
+ return
+ }
+
+ macHex := hex.EncodeToString(mac)
+
+ // These rules below are implemented using ip6tables because the functionality to inspect
+ // the contents of an ICMPv6 packet does not exist in ebtables (unlike for IPv4 ARP).
+ // Additionally, ip6tables doesn't really provide a nice way to do what we need here, so we
+ // have resorted to doing a raw hex comparison of the packet contents at fixed positions.
+ // If these rules are not added then it is possible to hijack traffic for another IP that is
+ // not assigned to the instance by sending a specially crafted gratuitous NDP packet with
+ // correct source address and MAC at the IP & ethernet layers, but a fraudulent IP or MAC
+ // inside the ICMPv6 NDP packet.
+ if shared.IsTrue(m["security.ipv6_filtering"]) && ipv6 != nil {
+ ipv6Hex := hex.EncodeToString(ipv6)
+
+ rules = append(rules,
+ // Prevent Neighbor Advertisement IP spoofing (prevents the instance redirecting traffic for IPs that are not its own).
+ []string{"ipv6", "INPUT", "-i", m["parent"], "-p", "ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6", "--icmpv6-type", "136", "-m", "string", "!", "--hex-string", fmt.Sprintf("|%s|", ipv6Hex), "--algo", "bm", "--from", "48", "--to", "64", "-j", "DROP"},
+ []string{"ipv6", "FORWARD", "-i", m["parent"], "-p", "ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6", "--icmpv6-type", "136", "-m", "string", "!", "--hex-string", fmt.Sprintf("|%s|", ipv6Hex), "--algo", "bm", "--from", "48", "--to", "64", "-j", "DROP"},
+ // Prevent Neighbor Advertisement MAC spoofing (prevents the instance poisoning the NDP cache of its neighbours with a MAC address that isn't its own).
+ []string{"ipv6", "INPUT", "-i", m["parent"], "-p", "ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6", "--icmpv6-type", "136", "-m", "string", "!", "--hex-string", fmt.Sprintf("|%s|", macHex), "--algo", "bm", "--from", "66", "--to", "72", "-j", "DROP"},
+ []string{"ipv6", "FORWARD", "-i", m["parent"], "-p", "ipv6-icmp", "-m", "physdev", "--physdev-in", m["host_name"], "-m", "icmp6", "--icmpv6-type", "136", "-m", "string", "!", "--hex-string", fmt.Sprintf("|%s|", macHex), "--algo", "bm", "--from", "66", "--to", "72", "-j", "DROP"},
+ )
+ }
+
+ return
+}
+
+// matchEbtablesRule compares an active rule to a supplied match rule to see if they match.
+// If deleteMode is true then the "-A" flag in the active rule will be modified to "-D" and will
+// not be part of the equality match. This allows delete commands to be generated from dumped add commands.
+func matchEbtablesRule(activeRule []string, matchRule []string, deleteMode bool) bool {
+ for i := range matchRule {
+ // Active rules will be dumped in "add" format, we need to detect
+ // this and switch it to "delete" mode if requested. If this has already been
+ // done then move on, as we don't want to break the comparison below.
+ if deleteMode && (activeRule[i] == "-A" || activeRule[i] == "-D") {
+ activeRule[i] = "-D"
+ continue
+ }
+
+ // Check the match rule field matches the active rule field.
+ // If they don't match, then this isn't one of our rules.
+ if activeRule[i] != matchRule[i] {
+ return false
+ }
+ }
+
+ return true
+}
More information about the lxc-devel
mailing list