Brooks Swinnerton
2020-Jan-01 17:39 UTC
[libvirt-users] Passing multiple addresses with masks to nwfilter
Hello,

I have a nwfilter that I'm using to ensure that libvirt domains can't spoof IPv6 traffic. It looks like this:

    <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'>
      <rule action='return' direction='out' priority='500'>
        <!-- variable names must match the <parameter name='...'> entries in the filterref -->
        <ipv6 srcipaddr='$IPV6' srcipmask='$IPV6_MASK'/>
      </rule>
      <rule action='drop' direction='out' priority='1000'/>
    </filter>

The goal is to allow any traffic coming from the entire prefix (e.g. 2001:db8::/32). This theoretically would work fine when passing in the variables from the domain definition like so:

    <filterref filter='no-ipv6-spoofing'>
      <parameter name='IPV6' value='2001:db8:1:6:dc:d2ff:fef2:2181'/>
      <parameter name='IPV6_MASK' value='32'/>
    </filterref>

But the problem comes when wanting to allow multiple prefixes (and thus multiple $IPV6 and $IPV6_MASK variables). If there is more than one definition of $IPV6, how could I associate it with a corresponding $IPV6_MASK?

Ideally I would be able to pass an address in CIDR notation directly to srcipaddr, but I don't believe that's an option.

Any guidance would be appreciated. The ultimate goal is to automate this process, so having something like $IPV6_1 and $IPV6_1 would be less than ideal.
Brooks Swinnerton
2020-Jan-01 20:46 UTC
[libvirt-users] Passing multiple addresses with masks to nwfilter
Looking at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-applying_network_filtering#sect-Applying_network_filtering-Usage_of_variables_in_filters, it sounds like the preferred approach is to use something like:

    <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'>
      <rule action='return' direction='out' priority='500'>
        <ipv6 srcipaddr='$IPV6[@1]' srcipmask='$IPV6_MASK[@1]'/>
      </rule>
      <rule action='drop' direction='out' priority='1000'/>
    </filter>

The documentation reads:

    Assign concrete values to SRCIPADDRESSES and DSTPORTS as shown:

    SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
    DSTPORTS = [ 80, 8080 ]

But I'm not sure how to pass through an array of <parameter>s in the filterref. Is this possible?
Brooks Swinnerton
2020-Jan-01 23:48 UTC
Re: [libvirt-users] Passing multiple addresses with masks to nwfilter
I was able to resolve this by duplicating the <parameter> entries:

    <filterref filter='no-ipv6-spoofing'>
      <parameter name='IPV6' value='2001:db8:1:6:dc:d2ff:fef2:2181'/>
      <parameter name='IPV6' value='fe80::dc:d2ff:fef2:2181'/>
      <parameter name='IPV6_MASK' value='32'/>
      <parameter name='IPV6_MASK' value='128'/>
    </filterref>
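The automation the thread asks for, as an added example that is not part of the original posts and not libvirt code: it turns a list of IPv6 CIDR prefixes into the repeated-<parameter> filterref shown in the final message, reads such a filterref back and pairs the two lists the way the filter's shared iterator (@1) does, and evaluates which source addresses the return/drop pair would let through. The helper names (parse_prefixes, filterref_xml, pairs_from_filterref, is_allowed) are this example's own; the filter name and the IPV6 / IPV6_MASK parameter names come from the thread. The sample prefixes in the usage block are the two from the thread.

```python
# Added example (not from the thread or from libvirt): build the <filterref> for the
# 'no-ipv6-spoofing' filter from CIDR prefixes and check which sources it admits.
import ipaddress
import xml.etree.ElementTree as ET

FILTER_NAME = "no-ipv6-spoofing"   # filter name from the thread
ADDR_PARAM = "IPV6"                # list variable the filter reads as $IPV6[@1]
MASK_PARAM = "IPV6_MASK"           # list variable the filter reads as $IPV6_MASK[@1]


def parse_prefixes(prefixes):
    """Turn CIDR strings into (address, prefixlen) pairs, rejecting anything not IPv6.

    The address keeps its host bits, as the thread's 2001:db8:...:2181 with mask 32
    does: srcipmask is applied to srcipaddr by the filter, so the pair covers the
    same network either way.
    """
    pairs = []
    for text in prefixes:
        iface = ipaddress.ip_interface(text)
        if iface.version != 6:
            raise ValueError(f"{text!r} is not an IPv6 prefix")
        pairs.append((str(iface.ip), iface.network.prefixlen))
    return pairs


def filterref_xml(prefixes, filter_name=FILTER_NAME):
    """Emit a <filterref> with one IPV6 and one IPV6_MASK <parameter> per prefix.

    Repeating a parameter name makes it a list variable. Because the filter reads
    both lists with the same iterator (@1), entry i of IPV6 is paired with entry i
    of IPV6_MASK, so the two lists are emitted in the same order.
    """
    pairs = parse_prefixes(prefixes)
    ref = ET.Element("filterref", filter=filter_name)
    for addr, _ in pairs:
        ET.SubElement(ref, "parameter", name=ADDR_PARAM, value=addr)
    for _, plen in pairs:
        ET.SubElement(ref, "parameter", name=MASK_PARAM, value=str(plen))
    return ET.tostring(ref, encoding="unicode")


def pairs_from_filterref(xml_text):
    """Read a <filterref> back and pair the two lists positionally, as @1 iteration does.

    A length mismatch means an address without a mask (or the reverse), which is the
    mis-association the thread was worried about, so it is refused outright.
    """
    ref = ET.fromstring(xml_text)
    params = ref.findall("parameter")
    addrs = [p.get("value") for p in params if p.get("name") == ADDR_PARAM]
    masks = [p.get("value") for p in params if p.get("name") == MASK_PARAM]
    if len(addrs) != len(masks):
        raise ValueError(f"{len(addrs)} {ADDR_PARAM} values but {len(masks)} {MASK_PARAM} values")
    return [(addr, int(mask)) for addr, mask in zip(addrs, masks)]


def is_allowed(src, pairs):
    """True if the 'return' rule matches src for some (address, mask) pair,
    i.e. the packet is not caught by the trailing unconditional 'drop' rule."""
    ip = ipaddress.IPv6Address(src)
    return any(ip in ipaddress.ip_network(f"{addr}/{plen}", strict=False)
               for addr, plen in pairs)


if __name__ == "__main__":
    # Constructed sample input: the two prefixes from the thread's final message.
    ref_xml = filterref_xml(["2001:db8:1:6:dc:d2ff:fef2:2181/32",
                             "fe80::dc:d2ff:fef2:2181/128"])
    print(ref_xml)
    for addr, plen in pairs_from_filterref(ref_xml):
        print(f"allow sources in {addr}/{plen}")
```

The generated filterref uses double-quoted attributes where the thread's hand-written XML uses single quotes; libvirt accepts either. The length check in pairs_from_filterref is the one worth keeping in any deployment script: with lists of unequal length the pairing silently changes, which is exactly how an address ends up with the wrong mask.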