[lxc-devel] [lxd/master] doc/security: Adds note about non-IP ethernet frame filtering to stop VLAN QinQ bypass

tomponline on Github lxc-bot at linuxcontainers.org
Tue Aug 25 10:23:11 UTC 2020


From 8c882ada631fd7b95052ed4fac2676aa2b5fa1ad Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Tue, 25 Aug 2020 11:21:59 +0100
Subject: [PATCH] doc/security: Adds note about non-IP ethernet frame filtering
 to stop VLAN QinQ bypass

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 doc/security.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/doc/security.md b/doc/security.md
index 9e500ce19a..ad12291be4 100644
--- a/doc/security.md
+++ b/doc/security.md
@@ -252,8 +252,8 @@ Used together these features can prevent an instance connected to a bridge from
 These are implemented using either `xtables` (iptables, ip6tables and ebtables) or `nftables`, depending on what is
 available on the host.
 
-It's worth noting that those options effectively prevent nested containers, at least nested containers on the
-same network as their parent.
+It's worth noting that those options effectively prevent nested containers from using the parent network with a
+different MAC address (i.e using bridged or macvlan NICs).
 
 The IP filtering features block ARP and NDP advertisements that contain a spoofed IP, as well as blocking any
 packets that contain a spoofed source address.
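Review bot: `i.e` in the new wording should be `i.e.`, and since bridged and macvlan NICs are an example of the blocked case rather than its definition, `e.g.` reads better: "(e.g. when the nested instance uses a bridged or macvlan NIC)". It would also help to close the thought by pointing readers at what they can use instead; the `### Routed NIC security` section that follows introduces `routed` mode as an alternative, so a short "see Routed NIC security below" at the end of this sentence saves readers from concluding that nested instances cannot be networked at all when these options are on.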
@@ -264,6 +264,9 @@ that protocol is blocked from the instance.
 
 When `security.ipv6\_filtering` is enabled IPv6 router advertisements are blocked from the instance.
 
+When `security.ipv4\_filtering` or `security.ipv6\_filtering` is enabled, any Ethernet frames that are not ARP,
+IPv4 or IPv6 are dropped. This prevents stacked VLAN QinQ (802.1ad) frames from bypassing the IP filtering.
+
 ### Routed NIC security
 
 An alternative networking mode is available called `routed` that provides a veth pair between container and host.
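Review bot: the new paragraph does not say which direction the drop applies to, while the two sentences immediately above it both say "blocked from the instance"; suggest "any Ethernet frames from the instance that are not ARP, IPv4 or IPv6 are dropped" so the three statements read consistently. The behavioural change is also wider than the QinQ case named as its motivation: once either filtering option is enabled, every other EtherType from the instance is dropped as well, so the note should state that legitimate non-IP traffic is affected and say whether single-tagged 802.1Q frames are dropped too, since readers running VLAN tagging inside an instance will ask exactly that before enabling the option.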

