| author | Stefan Berger <stefanb@us.ibm.com> | 2010-03-25 13:46:13 -0400 |
|---|---|---|
| committer | Daniel P. Berrange <berrange@redhat.com> | 2010-03-26 18:01:17 +0000 |
| commit | e3a7137ac29dbb06a5ccbaf7b51c96ab9de745a6 (patch) | |
| tree | 6f056827b4f3d9bede6161cd800865d155286aab /examples/xml | |
| parent | 1130085cf075c044e4ad6cd811aa066549edcc2e (diff) | |
| download | libvirt-e3a7137ac29dbb06a5ccbaf7b51c96ab9de745a6.tar.gz | |
Add some examples filters
This patch adds some example filters to libvirt. They are automatically
installed into the proper directory for libvirt to pick them up.
Diffstat (limited to 'examples/xml')
| -rw-r--r-- | examples/xml/nwfilter/Makefile.am | 30 | ||||
| -rw-r--r-- | examples/xml/nwfilter/allow-arp.xml | 3 | ||||
| -rw-r--r-- | examples/xml/nwfilter/allow-dhcp-server.xml | 24 | ||||
| -rw-r--r-- | examples/xml/nwfilter/allow-dhcp.xml | 21 | ||||
| -rw-r--r-- | examples/xml/nwfilter/allow-incoming-ipv4.xml | 3 | ||||
| -rw-r--r-- | examples/xml/nwfilter/allow-ipv4.xml | 3 | ||||
| -rw-r--r-- | examples/xml/nwfilter/clean-traffic.xml | 17 | ||||
| -rw-r--r-- | examples/xml/nwfilter/no-arp-spoofing.xml | 29 | ||||
| -rw-r--r-- | examples/xml/nwfilter/no-ip-multicast.xml | 9 | ||||
| -rw-r--r-- | examples/xml/nwfilter/no-ip-spoofing.xml | 7 | ||||
| -rw-r--r-- | examples/xml/nwfilter/no-mac-broadcast.xml | 8 | ||||
| -rw-r--r-- | examples/xml/nwfilter/no-mac-spoofing.xml | 5 | ||||
| -rw-r--r-- | examples/xml/nwfilter/no-other-l2-traffic.xml | 7 |
13 files changed, 166 insertions, 0 deletions
diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
new file mode 100644
index 0000000000..dcf6ce42dd
--- /dev/null
+++ b/examples/xml/nwfilter/Makefile.am
@@ -0,0 +1,30 @@
+
+FILTERS = \
+ allow-arp.xml \
+ allow-dhcp-server.xml \
+ allow-dhcp.xml \
+ allow-incoming-ipv4.xml \
+ allow-ipv4.xml \
+ clean-traffic.xml \
+ no-arp-spoofing.xml \
+ no-ip-multicast.xml \
+ no-ip-spoofing.xml \
+ no-mac-broadcast.xml \
+ no-mac-spoofing.xml \
+ no-other-l2-traffic.xml
+
+confdir = $(sysconfdir)/libvirt
+
+NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
+
+install-data-local:
+ $(MKDIR_P) "$(NWFILTER_DIR)"
+ for f in $(FILTERS); do \
+ $(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
+ done
+
+uninstall-local::
+ for f in $(FILTERS); do \
+ rm -f "$(NWFILTER_DIR)/$$f"; \
+ done
+ -test -z $(shell ls $(NWFILTER_DIR)) || rmdir $(NWFILTER_DIR)
diff --git a/examples/xml/nwfilter/allow-arp.xml b/examples/xml/nwfilter/allow-arp.xml
new file mode 100644
index 0000000000..63a92b25b4
--- /dev/null
+++ b/examples/xml/nwfilter/allow-arp.xml
@@ -0,0 +1,3 @@
+<filter name='allow-arp' chain='arp'>
+ <rule direction='inout' action='accept'/>
+</filter>
diff --git a/examples/xml/nwfilter/allow-dhcp-server.xml b/examples/xml/nwfilter/allow-dhcp-server.xml
new file mode 100644
index 0000000000..37e708ed4b
--- /dev/null
+++ b/examples/xml/nwfilter/allow-dhcp-server.xml
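Review bot: The last line of `uninstall-local::` runs `ls` through `$(shell …)`, which make expands itself rather than the recipe's shell; the output is unquoted, so a directory with more than one entry hands `test -z` several arguments, and automake's portability warnings likely flag the function as a GNU extension. Since `rmdir` already refuses a non-empty directory, `-rmdir "$(NWFILTER_DIR)" 2>/dev/null` keeps the intent without the extra process and the word-splitting. The files in `FILTERS` are also absent from `EXTRA_DIST`, so a `make dist` tarball would carry this Makefile but not the XML it installs; `nwfilterdir = $(sysconfdir)/libvirt/nwfilter` plus `dist_nwfilter_DATA = $(FILTERS)` would let automake distribute, install and uninstall them, which also makes the unused `confdir` and both hand-written targets unnecessary. It is worth stating in a comment above `install-data-local` that `$(INSTALL_DATA)` overwrites a same-named filter an administrator has already tuned under `$(NWFILTER_DIR)`, since these examples land in the live configuration directory rather than a documentation path.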
@@ -0,0 +1,24 @@
+<filter name='allow-dhcp-server' chain='ipv4'>
+
+ <!-- accept outgoing DHCP requests -->
+ <!-- note, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0'
+ dstipaddr='255.255.255.255'
+ protocol='udp'
+ srcportstart='68'
+ dstportstart='67' />
+ </rule>
+
+ <!-- accept incoming DHCP responses from a specific DHCP server
+ parameter DHPCSERVER needs to be passed from where this filter is
+ referenced -->
+ <rule action='accept' direction='in' priority='100' >
+ <ip srcipaddr='$DHCPSERVER'
+ protocol='udp'
+ srcportstart='67'
+ dstportstart='68'/>
+ </rule>
+
+</filter>
diff --git a/examples/xml/nwfilter/allow-dhcp.xml b/examples/xml/nwfilter/allow-dhcp.xml
new file mode 100644
index 0000000000..d66d2b6668
--- /dev/null
+++ b/examples/xml/nwfilter/allow-dhcp.xml
@@ -0,0 +1,21 @@
+<filter name='allow-dhcp' chain='ipv4'>
+
+ <!-- accept outgoing DHCP requests -->
+ <!-- not, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0'
+ dstipaddr='255.255.255.255'
+ protocol='udp'
+ srcportstart='68'
+ dstportstart='67' />
+ </rule>
+
+ <!-- accept incoming DHCP responses from any DHCP server -->
+ <rule action='accept' direction='in' priority='100' >
+ <ip protocol='udp'
+ srcportstart='67'
+ dstportstart='68'/>
+ </rule>
+
+</filter>
diff --git a/examples/xml/nwfilter/allow-incoming-ipv4.xml b/examples/xml/nwfilter/allow-incoming-ipv4.xml
new file mode 100644
index 0000000000..dd1e50d02e
--- /dev/null
+++ b/examples/xml/nwfilter/allow-incoming-ipv4.xml
@@ -0,0 +1,3 @@
+<filter name='allow-incoming-ipv4' chain='ipv4'>
+ <rule direction='in' action='accept'/>
+</filter>
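Review bot: The comment on the incoming rule of allow-dhcp-server.xml names the parameter `DHPCSERVER`, while the rule itself substitutes `$DHCPSERVER`; a user copying the variable name from the comment would supply an unreferenced parameter, so the comment should read `parameter DHCPSERVER needs to be passed from where this filter is referenced`. It would also help the reader to say in that comment that the match is on the server's source IP address only (the `ip` element carries no destination or MAC condition), so they know the filter trusts an address rather than a particular host.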
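Review bot: The second comment on the outgoing rule of allow-dhcp.xml begins `not, this rule must be evaluated`, which reads as a negation; it mirrors the `note, this rule must be evaluated` wording in allow-dhcp-server.xml and should be spelled the same way. The comment on the incoming rule could also state explicitly that this variant accepts UDP 67 to 68 from any source address and that allow-dhcp-server.xml is the alternative when the server address is known, so the trade-off is visible where the filter is read rather than only in the file name.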
diff --git a/examples/xml/nwfilter/allow-ipv4.xml b/examples/xml/nwfilter/allow-ipv4.xml
new file mode 100644
index 0000000000..28e930a7c8
--- /dev/null
+++ b/examples/xml/nwfilter/allow-ipv4.xml
@@ -0,0 +1,3 @@
+<filter name='allow-ipv4' chain='ipv4'>
+ <rule direction='inout' action='accept'/>
+</filter>
diff --git a/examples/xml/nwfilter/clean-traffic.xml b/examples/xml/nwfilter/clean-traffic.xml
new file mode 100644
index 0000000000..2cc7df983e
--- /dev/null
+++ b/examples/xml/nwfilter/clean-traffic.xml
@@ -0,0 +1,17 @@
+<filter name='clean-traffic'>
+ <!-- An example of a traffic filter enforcing clean traffic
+ from a VM by
+ - preventing MAC spoofing -->
+ <filterref filter='no-mac-spoofing'/>
+
+ <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+ <filterref filter='no-ip-spoofing'/>
+ <filterref filter='allow-incoming-ipv4'/>
+
+ <!-- preventing ARP spoofing/poisoning -->
+ <filterref filter='no-arp-spoofing'/>
+
+ <!-- preventing any other traffic than IPv4 and ARP -->
+ <filterref filter='no-other-l2-traffic'/>
+
+</filter>
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml
new file mode 100644
index 0000000000..b49e781be4
--- /dev/null
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
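Review bot: clean-traffic.xml composes no-ip-spoofing, which drops outgoing IPv4 whose source is not `$IP`, but references neither DHCP filter, so a guest that acquires its address by DHCP (source 0.0.0.0, as allow-dhcp.xml documents) is presumably unable to send the request unless the caller also references allow-dhcp with its earlier priority; the header comment should say that `$IP` (and `$MAC`, used by no-mac-spoofing and no-arp-spoofing) must be supplied, or the filter combined with a DHCP filter. The opening comment also reads awkwardly as a sentence; `An example of a traffic filter enforcing clean traffic from a VM by preventing MAC spoofing` with the remaining bullets left as they are would be clearer.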
@@ -0,0 +1,29 @@
+<filter name='no-arp-spoofing' chain='arp'>
+ <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
+
+ <!-- no arp spoofing -->
+ <!-- drop if ipaddr or macaddr does not belong to guest -->
+ <rule action='drop' direction='out' priority='400' >
+ <arp match='no' arpsrcmacaddr='$MAC'/>
+ </rule>
+ <rule action='drop' direction='out' priority='400' >
+ <arp match='no' arpsrcipaddr='$IP' />
+ </rule>
+ <!-- drop if ipaddr or macaddr odes not belong to guest -->
+ <rule action='drop' direction='in' priority='400' >
+ <arp match='no' arpdstmacaddr='$MAC'/>
+ <arp opcode='reply'/>
+ </rule>
+ <rule action='drop' direction='in' priority='400' >
+ <arp match='no' arpdstipaddr='$IP' />
+ </rule>
+ <!-- accept only request or reply packets -->
+ <rule action='accept' direction='inout' priority='500' >
+ <arp opcode='request'/>
+ </rule>
+ <rule action='accept' direction='inout' priority='500' >
+ <arp opcode='reply'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='inout' priority='1000' />
+</filter>
diff --git a/examples/xml/nwfilter/no-ip-multicast.xml b/examples/xml/nwfilter/no-ip-multicast.xml
new file mode 100644
index 0000000000..edcf03f657
--- /dev/null
+++ b/examples/xml/nwfilter/no-ip-multicast.xml
@@ -0,0 +1,9 @@
+<filter name='no-ip-multicast' chain='ipv4'>
+
+ <!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
+ <rule action='drop' direction='out'>
+ <ip dstipaddr='224.0.0.0' dstipmask='4' />
+ </rule>
+
+ <!-- not doing anything with receiving side ... -->
+</filter>
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml
new file mode 100644
index 0000000000..b8c94c82e4
--- /dev/null
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -0,0 +1,7 @@
+<filter name='no-ip-spoofing' chain='ipv4'>
+
+ <!-- drop if srcipaddr is not the IP address of the guest -->
+ <rule action='drop' direction='out'>
+ <ip match='no' srcipaddr='$IP' />
+ </rule>
+</filter>
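Review bot: The comment before the incoming rules of no-arp-spoofing.xml has `odes not belong to guest`, a typo for `does not belong to guest`; the same comment above the outgoing rules is spelled correctly. This is also the only example carrying a fixed `<uuid>`, so every installation would define the filter under `f88f1932-debf-4aa1-9fbe-f10d3aa4bc95`, which is inconsistent with the other twelve files and worth either dropping or explaining in a comment. The third rule combines `<arp match='no' arpdstmacaddr='$MAC'/>` with `<arp opcode='reply'/>` while its sibling `arpdstipaddr` rule places no opcode condition; if both elements are meant to be matched together, a one-line comment such as `drop replies not addressed to the guest's MAC` would make the asymmetry read as intentional.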
diff --git a/examples/xml/nwfilter/no-mac-broadcast.xml b/examples/xml/nwfilter/no-mac-broadcast.xml
new file mode 100644
index 0000000000..74e65bf726
--- /dev/null
+++ b/examples/xml/nwfilter/no-mac-broadcast.xml
@@ -0,0 +1,8 @@
+<filter name='no-mac-broadcast' chain='ipv4'>
+ <!-- drop if destination mac is bcast mac addr. -->
+ <rule action='drop' direction='out'>
+ <mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
+ </rule>
+
+ <!-- not doing anything with receiving side ... -->
+</filter>
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml b/examples/xml/nwfilter/no-mac-spoofing.xml
new file mode 100644
index 0000000000..f210623271
--- /dev/null
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -0,0 +1,5 @@
+<filter name='no-mac-spoofing' chain='ipv4'>
+ <rule action='drop' direction='out' priority='10'>
+ <mac match='no' srcmacaddr='$MAC' />
+ </rule>
+</filter>
diff --git a/examples/xml/nwfilter/no-other-l2-traffic.xml b/examples/xml/nwfilter/no-other-l2-traffic.xml
new file mode 100644
index 0000000000..8bad86ef52
--- /dev/null
+++ b/examples/xml/nwfilter/no-other-l2-traffic.xml
@@ -0,0 +1,7 @@
+<filter name='no-other-l2-traffic'>
+
+ <!-- drop all other l2 traffic than for which rules have been
+ written for; i.e., drop all other than arp and ipv4 traffic -->
+ <rule action='drop' direction='inout' priority='1000'/>
+
+</filter> |
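Review bot: no-mac-spoofing.xml places its source-MAC check in `chain='ipv4'`, so as far as the file shows it is consulted for IPv4 traffic only; ARP frames get a separate `arpsrcmacaddr` check in no-arp-spoofing.xml, and any other Ethernet type leaving with a foreign source MAC is not examined here and relies on no-other-l2-traffic's catch-all drop being referenced alongside. A comment above the rule stating that scope, e.g. `applies within the ipv4 chain only; pair with no-arp-spoofing and no-other-l2-traffic for full coverage`, would tell readers this is not a standalone MAC check. The same `chain='ipv4'` scoping applies to no-mac-broadcast.xml in this section.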
