[lxc-devel] [lxd/master] doc/security: Adds note about non-IP ethernet frame filtering to stop VLAN QinQ bypass
tomponline on Github
lxc-bot at linuxcontainers.org
Tue Aug 25 10:23:11 UTC 2020
From 8c882ada631fd7b95052ed4fac2676aa2b5fa1ad Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Tue, 25 Aug 2020 11:21:59 +0100
Subject: [PATCH] doc/security: Adds note about non-IP ethernet frame filtering
to stop VLAN QinQ bypass
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
doc/security.md | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/doc/security.md b/doc/security.md
index 9e500ce19a..ad12291be4 100644
@@ -252,8 +252,8 @@ Used together these features can prevent an instance connected to a bridge from
These are implemented using either `xtables` (iptables, ip6tables and ebtables) or `nftables`, depending on what is
available on the host.
-It's worth noting that those options effectively prevent nested containers, at least nested containers on the
-same network as their parent.
+It's worth noting that those options effectively prevent nested containers from using the parent network with a
+different MAC address (i.e using bridged or macvlan NICs).
The IP filtering features block ARP and NDP advertisements that contain a spoofed IP, as well as blocking any
packets that contain a spoofed source address.
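Review bot: in the second `+` line, `(i.e using bridged or macvlan NICs)` is missing the period after "i.e." and should read `(i.e. using bridged or macvlan NICs)`; "with a different MAC address" is also ambiguous about what the MAC differs from, so consider "with a MAC address other than the parent instance's", which makes the scope of the new wording (the nested instance presenting its own MAC on the parent's network) explicit.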
@@ -264,6 +264,9 @@ that protocol is blocked from the instance.
When `security.ipv6\_filtering` is enabled IPv6 router advertisements are blocked from the instance.
+When `security.ipv4\_filtering` or `security.ipv6\_filtering` is enabled, any Ethernet frames that are not ARP,
+IPv4 or IPv6 are dropped. This prevents stacked VLAN QinQ (802.1ad) frames from bypassing the IP filtering.
### Routed NIC security
An alternative networking mode is available called `routed` that provides a veth pair between container and host.
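Review bot: the added sentence is broader than the reason given for it: `any Ethernet frames that are not ARP, IPv4 or IPv6 are dropped` also covers plain 802.1Q-tagged frames and every other non-IP ethertype, not only 802.1ad QinQ, so the documentation should state that consequence directly, e.g. "all other ethertypes (including 802.1Q/802.1ad VLAN-tagged frames) are dropped, so layer-2 protocols other than ARP, IPv4 and IPv6 will not work from the instance while filtering is enabled", rather than mentioning QinQ alone as the motivating case. The `\_` escaping in the new option names is consistent with the existing `security.ipv6\_filtering` line above, so no change needed there.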