[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-API] XCP antispoofing patch [v2]



Good day, everyone.

This patch control usage of ipv4 addresses of virtual machines. It must
be applied to all hosts of pool and require /usr/bin/get_ip script. This
behaviour differ from last time I post earlier version of patch.

Script shall accept uuid of VIF and return or IP address, or nothing. It
shall never freeze or output any kind of error messages.

Here simple of output:

$ get_ip 48b541ae-1403-ddbb-4122-868c816cbec5
10.1.1.2
$ get_ip 9ade74b4-87b0-97b5-e02c-5d8d870438bd
$ get_ip somerandominput

Changelog:

* Now  works fine with trunk vlans (thanks to Ben Pfaff)
* Now clearly eliminating every unauthorised traffic, including the
wrong ARP announces (thanks to Alexandre Bezroutchko for correct ARP
line)
* Fixed rules non-removal on multi-homed VM (two  VIFs per one VM caused
not removing second set of rules)

Notes:

We disallow 'collision detection' ARP requests and DHCP requests. If you
need them - you need to create separate rules. Also, this patch 
DOES NOT SUPPORT ipv6.

Instructions:

1) This patch is against XCP 1.0; when XCP 1.1 will be released, I post
adopted version.
2) Put on every host in the pool get_ip script to /usr/bin, see notes
above. You need to create this script by yourself. Simplest (from config
file) will looks like:
#!/bin/sh
grep $1 /etc/xensource/ip.conf|awk '{print $2}'
Our script is using external database to get IP.
3) check if this script works fine without normal path environment.
Note, if get_ip will freeze/make error, VM's will not start, even those,
who have no IP restriction.
4) Log to host via ssh, download/copy script locally.
5) Make backup copy
5) Apply patch: patch -b -p0 <antispoofing.v2.patch
6) Repeat step 6 on every host in the pool.
7) Restart/migrate every machine needed to be protected.

Reverting:
1) Urgent rules cleaning can be done:
a) ovs-ofctl del-flows "in_port=2" (=3, =4 and so on).
b) by replacing /usr/bin/get_ip by symlink to /bin/true and
remigrating/rebooting every affected VM
2) Permanent removing can be done by moving
back /etc/xensource/script/vif.orig to /etc/xensource.script/vif 

Rules can be seen by typing ovs-ofctl dump-flows xenbr0 (xenbr1 and so
on, depends on your network configuration, for pure virtual networks
interface is xapi0, xapi1,...).

PS Glad to hear some comments.

Attachment: antispoofing.v2.patch
Description: Text Data

_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.