[Lxc-users] MAC address filtering on a bridge
Brice A.
brice+lxc at vleu.net
Fri May 27 11:04:48 UTC 2011
Hello,
I am trying to implement a protection against MAC address spoofing
from the containers without having to add an extra ebtables|iptables
rule per container. I could have used ipset, but macipmap is not
available in ipset 6, and bitmap_ipmac only supports a single /16.
Using macvlan directly on my physical interface is not an option
because I want to do some extra iptables-based filtering on the
outgoing packets.
I thought I could achieve that using macvlan:
Currently the containers are networked using lxc.network.type=veth.
That is to say, a veth pair is created for each node and attached to a
common bridge (br0).
    [vetha]--[veth0]--+
    [vethb]--[veth1]--+
       . . .          +--[br0]
    [vethX]--[vethN]--+
    [eth0]------------+
My idea was to do this :
1/ create a veth pair : veth_slave and veth_master.
2/ attach veth_master on my bridge (br0)
3/ Set up br0 as a reflective relay (echo 1 > /sys/../veth_master/../hairpin_mode)
4/ use macvlan to split up veth_slave between the containers
    lxc.network.type = macvlan
    lxc.network.macvlan.mode = vepa
    lxc.network.link = veth_slave

    [macvlan0]--+
    [macvlan1]--+
       . . .    +--[veth_slave]--[veth_master]--+
    [macvlanN]--+                               +--[br0]
    [eth0]--------------------------------------+
The intention being that macvlan prevents MAC spoofing.
But Linux does not seem to relay my packets from br0 to macvlan0. When I
run a "ping -I veth_master $IP", I can see ARP who-has arriving in the
container and being replied to, but those replies seem to be ignored
by Linux and ICMP packets are never sent.
If I run a "ping -I br0 $IP", no packets or frames appear in the
containers; however, the bridge seems to know that their MACs are
accessible via veth_master (according to brctl showmacs).
Routes are as follows: "$CONTAINER_IP/32 dev br0 scope link".
Any tips about something I have forgotten? Is there a simpler way?
Thank you in advance for your help,
Brice
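The four-step setup described in the post, written out as a script. This is an added example, not code from the post or from LXC: it assumes the interface names from the mail (br0, veth_master, veth_slave), uses iproute2 (`ip link`) and the sysfs knob for hairpin mode in place of brctl, `bridge fdb` in place of `brctl showmacs` for the post-apply check, and a placeholder container hwaddr in the 00:16:3e prefix. With DRY_RUN=1 it only prints the commands it would run, so the plan can be reviewed without root. One caveat a practitioner should keep in mind: macvlan demultiplexes received frames by destination MAC but does not validate the source MAC of frames a container transmits, so root inside the container can still emit frames with a forged source address through a packet socket; this script builds the relay topology and the matching LXC stanza, it does not by itself enforce a MAC-to-port binding.

```sh
#!/bin/sh
# Added example (not from the original post): build the veth/hairpin/macvlan
# relay from the mail and emit the per-container LXC network stanza.
# Interface names and the container hwaddr are assumptions modelled on the
# post. DRY_RUN=1 prints the commands instead of executing them.

BRIDGE=${BRIDGE:-br0}
MASTER=${MASTER:-veth_master}
SLAVE=${SLAVE:-veth_slave}

# run CMD...: execute CMD, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The bridge port flag lives under the bridge, not under the port:
# /sys/class/net/<bridge>/brif/<port>/hairpin_mode
set_hairpin() {
    path="/sys/class/net/$BRIDGE/brif/$MASTER/hairpin_mode"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'echo %s > %s\n' "$1" "$path"
    else
        echo "$1" > "$path"
    fi
}

# Steps 1-3 of the post: create the veth pair, enslave the master end to
# br0, bring both ends up and turn on hairpin (reflective relay) on that
# port. Hairpin lets br0 send a frame back out through the port it came in
# on, which is required here because every container sits behind the
# same port (veth_master).
setup_relay() {
    run ip link add "$MASTER" type veth peer name "$SLAVE"
    run ip link set "$MASTER" master "$BRIDGE"
    run ip link set "$MASTER" up
    run ip link set "$SLAVE" up
    set_hairpin 1
}

# valid_mac MAC: succeed only for six colon-separated hex octets with the
# I/G bit clear (unicast). macvlan demuxes incoming frames on the unicast
# hwaddr, so a multicast or malformed value would silently never match.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    # I/G bit is bit 0 of the first octet: an even low nibble means unicast
    case "$1" in
        ?[02468aAcCeE]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# lxc_net_config MAC: step 4, the per-container network stanza. VEPA mode
# sends every frame up to veth_slave (no container-to-container shortcut
# inside macvlan), so all traffic crosses br0 where iptables/ebtables can
# see it. Pinning lxc.network.hwaddr keeps the address stable across
# container restarts.
lxc_net_config() {
    valid_mac "$1" || { echo "bad hwaddr: $1" >&2; return 1; }
    printf 'lxc.network.type = macvlan\n'
    printf 'lxc.network.macvlan.mode = vepa\n'
    printf 'lxc.network.link = %s\n' "$SLAVE"
    printf 'lxc.network.hwaddr = %s\n' "$1"
    printf 'lxc.network.flags = up\n'
}

# check_relay: after a real apply, confirm the port is in hairpin mode and
# that br0 has learned at least one address behind veth_master.
check_relay() {
    [ "$(cat "/sys/class/net/$BRIDGE/brif/$MASTER/hairpin_mode")" = 1 ] || return 1
    bridge fdb show br "$BRIDGE" | grep -q "dev $MASTER "
}

# Usage: sh relay.sh apply [HWADDR]  (DRY_RUN=1 to print the plan only)
if [ "${1:-}" = apply ]; then
    setup_relay
    lxc_net_config "${2:-00:16:3e:00:00:01}"
fi
```

Run it as `DRY_RUN=1 sh relay.sh apply` first and compare the printed plan with the diagram in the post; the only line that differs from a brctl-based setup is the sysfs write for hairpin_mode, which is what lets replies from br0 go back out through veth_master to the container that asked.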