[lxc-devel] [lxd/master] NIC Bridged: Allow use of security.ipv6_filtering when no IPv6 allocation available

tomponline on Github lxc-bot at linuxcontainers.org
Fri Mar 27 10:04:39 UTC 2020 

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 301 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20200327/c5b1bcdb/attachment.bin>
-------------- next part --------------
From c345988eca772a976ddd2d3a22807bfbd628609e Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Fri, 27 Mar 2020 10:00:41 +0000
Subject: [PATCH 1/3] lxd/firewall/drivers/drivers/consts: Adds FilterIPv6All
 constant

Indicator for allowing all IPv6 traffic to be blocked.

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/firewall/drivers/drivers_consts.go | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 lxd/firewall/drivers/drivers_consts.go

diff --git a/lxd/firewall/drivers/drivers_consts.go b/lxd/firewall/drivers/drivers_consts.go
new file mode 100644
index 0000000000..aecb2c0ca8
--- /dev/null
+++ b/lxd/firewall/drivers/drivers_consts.go
@@ -0,0 +1,4 @@
+package drivers
+
+// FilterIPv6All used to indicate to firewall package to filter all IPv6 traffic.
+const FilterIPv6All = "::"

From 5dbcb040e00566b7ac82c5ec76be8ab7c184e15e Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Fri, 27 Mar 2020 10:02:08 +0000
Subject: [PATCH 2/3] lxd/device/nic/bridged: Allow security.ipv6_filtering to
 be used on networks without IPv6

If no static or dynamic IPv6 addresses are available to the instance, with security.ipv6_filtering=true, all IPv6 traffic will be blocked.

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/device/nic_bridged.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/lxd/device/nic_bridged.go b/lxd/device/nic_bridged.go
index fde4ba269c..a72fd13053 100644
--- a/lxd/device/nic_bridged.go
+++ b/lxd/device/nic_bridged.go
@@ -21,6 +21,7 @@ import (
 	"github.com/lxc/lxd/lxd/db"
 	deviceConfig "github.com/lxc/lxd/lxd/device/config"
 	"github.com/lxc/lxd/lxd/dnsmasq"
+	firewallDrivers "github.com/lxc/lxd/lxd/firewall/drivers"
 	"github.com/lxc/lxd/lxd/instance"
 	"github.com/lxc/lxd/lxd/instance/instancetype"
 	"github.com/lxc/lxd/lxd/network"
@@ -475,6 +476,11 @@ func (d *nicBridged) removeFilters(m deviceConfig.Device) {
 		IPv6 = net.ParseIP(m["ipv6.address"])
 	}
 
+	// If no static IPv6 assigned, try removing the filter all rule in case it was setup.
+	if IPv6 == nil {
+		IPv6 = net.ParseIP(firewallDrivers.FilterIPv6All)
+	}
+
 	// Remove filters for static MAC and IPs (if specified above).
 	// This covers the case when filtering is used with an unmanaged bridge.
 	err := d.state.Firewall.InstanceClearBridgeFilter(d.inst.Project(), d.inst.Name(), d.name, m["parent"], m["host_name"], m["hwaddr"], IPv4, IPv6)
@@ -570,8 +576,9 @@ func (d *nicBridged) setFilters() (err error) {
 		IPv4 = nil
 	}
 
-	if !shared.IsTrue(d.config["security.ipv6_filtering"]) {
-		IPv6 = nil
+	// If no allocated IPv6 address for filtering and filtering enabled, then block all IPv6 traffic.
+	if shared.IsTrue(d.config["security.ipv6_filtering"]) && IPv6 == nil {
+		IPv6 = net.ParseIP(firewallDrivers.FilterIPv6All)
 	}
 
 	return d.state.Firewall.InstanceSetupBridgeFilter(d.inst.Project(), d.inst.Name(), d.name, d.config["parent"], d.config["host_name"], d.config["hwaddr"], IPv4, IPv6)
@@ -612,7 +619,7 @@ func (d *nicBridged) allocateFilterIPs(n *network.Network) (net.IP, net.IP, erro
 
 	// Check DHCPv6 is enabled on parent if dynamic IPv6 allocation is needed.
 	if shared.IsTrue(d.config["security.ipv6_filtering"]) && IPv6 == nil && !canIPv6Allocate {
-		return nil, nil, fmt.Errorf("Cannot use security.ipv6_filtering as DHCPv6 is disabled or no IPv6 on parent %s and no static IPv6 address set", d.config["parent"])
+		logger.Warnf("IPv6 filtering enabled on %q device %q without a static IPv6 specified or dynamic allocation enabled, all IPv6 traffic will be blocked", d.inst.Name(), d.name)
 	}
 
 	dnsmasq.ConfigMutex.Lock()

From 7d8ad23340154069e7a78dc7e27ba3baae609e2b Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Fri, 27 Mar 2020 10:03:07 +0000
Subject: [PATCH 3/3] lxd/firewall/drivers/drivers/xtables: Adds FilterIPv6All
 support

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/firewall/drivers/drivers_xtables.go | 26 +++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/lxd/firewall/drivers/drivers_xtables.go b/lxd/firewall/drivers/drivers_xtables.go
index dd7ff16635..7cdad1259c 100644
--- a/lxd/firewall/drivers/drivers_xtables.go
+++ b/lxd/firewall/drivers/drivers_xtables.go
@@ -450,14 +450,24 @@ func (d Xtables) generateFilterEbtablesRules(hostName, hwAddr string, IPv4, IPv6
 	}
 
 	if IPv6 != nil {
-		rules = append(rules,
-			// Allow DHCPv6 and Router Solicitation to the host only. This must come before the IP source filtering rules below.
-			[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp", "--ip6-dport", "547", "-j", "ACCEPT"},
-			[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"},
-			// IP source filtering rules. Blocks any packet coming from instance with an incorrect IP source address.
-			[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"},
-			[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"},
-		)
+		if IPv6.String() == FilterIPv6All {
+			rules = append(rules,
+				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "-j", "DROP"},
+				[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "-j", "DROP"},
+			)
+		} else {
+			rules = append(rules,
+				// Allow DHCPv6 and Router Solicitation to the host only. This must come before the IP source filtering rules below.
+				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp", "--ip6-dport", "547", "-j", "ACCEPT"},
+				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"},
+				// IP source filtering rules. Blocks any packet coming from instance with an incorrect IP source address.
+				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"},
+				[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"},
+				// Block any IPv6 router advertisement packets from instance.
+				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-advertisement", "-j", "DROP"},
+				[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-advertisement", "-j", "DROP"},
+			)
+		}
 	}
 
 	return rules

More information about the lxc-devel mailing list