Add some examples filters

This patch adds some example filters to libvirt. They are automatically installed into the proper directory for libvirt to pick them up.
2010-03-25 13:46:13 -04:00 · 2010-03-25 13:46:13 -04:00 · e3a7137ac2
parent 1130085cf0
commit e3a7137ac2
15 changed files with 170 additions and 2 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -5,7 +5,8 @@ GENHTML = genhtml

 SUBDIRS = gnulib/lib include src daemon tools proxy docs gnulib/tests \
  python tests po examples/domain-events/events-c examples/hellolibvirt \
-  examples/dominfo examples/domsuspend examples/python examples/apparmor
+  examples/dominfo examples/domsuspend examples/python examples/apparmor \
+  examples/xml/nwfilter

 ACLOCAL_AMFLAGS = -I m4 -I gnulib/m4

--- a/configure.ac
+++ b/configure.ac
@ -1987,7 +1987,8 @@ AC_OUTPUT(Makefile src/Makefile include/Makefile docs/Makefile \
          examples/domsuspend/Makefile \
          examples/dominfo/Makefile \
          examples/python/Makefile \
-          examples/hellolibvirt/Makefile)
+          examples/hellolibvirt/Makefile \
+          examples/xml/nwfilter/Makefile)

 AC_MSG_NOTICE([])
 AC_MSG_NOTICE([Configuration summary])
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@ -0,0 +1,30 @@
+
+FILTERS = \
+	allow-arp.xml \
+	allow-dhcp-server.xml \
+	allow-dhcp.xml \
+	allow-incoming-ipv4.xml \
+	allow-ipv4.xml \
+	clean-traffic.xml \
+	no-arp-spoofing.xml \
+	no-ip-multicast.xml \
+	no-ip-spoofing.xml \
+	no-mac-broadcast.xml \
+	no-mac-spoofing.xml \
+	no-other-l2-traffic.xml
+
+confdir = $(sysconfdir)/libvirt
+
+NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
+
+install-data-local:
+	$(MKDIR_P) "$(NWFILTER_DIR)"
+	for f in $(FILTERS); do \
+		$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
+	done
+
+uninstall-local::
+	for f in $(FILTERS); do \
+		rm -f "$(NWFILTER_DIR)/$$f"; \
+	done
+	-test -z $(shell ls $(NWFILTER_DIR)) || rmdir $(NWFILTER_DIR)
--- a/examples/xml/nwfilter/allow-arp.xml
+++ b/examples/xml/nwfilter/allow-arp.xml
@ -0,0 +1,3 @@
+<filter name='allow-arp' chain='arp'>
+  <rule direction='inout' action='accept'/>
+</filter>
--- a/examples/xml/nwfilter/allow-dhcp-server.xml
+++ b/examples/xml/nwfilter/allow-dhcp-server.xml
@ -0,0 +1,24 @@
+<filter name='allow-dhcp-server' chain='ipv4'>
+
+    <!-- accept outgoing DHCP requests -->
+    <!-- note, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast -->
+    <rule action='accept' direction='out' priority='100'>
+        <ip srcipaddr='0.0.0.0'
+            dstipaddr='255.255.255.255'
+            protocol='udp'
+            srcportstart='68'
+            dstportstart='67' />
+    </rule>
+
+    <!-- accept incoming DHCP responses from a specific DHCP server
+         parameter DHPCSERVER needs to be passed from where this filter is
+         referenced -->
+    <rule action='accept' direction='in' priority='100' >
+        <ip srcipaddr='$DHCPSERVER'
+            protocol='udp'
+            srcportstart='67'
+            dstportstart='68'/>
+    </rule>
+
+</filter>
--- a/examples/xml/nwfilter/allow-dhcp.xml
+++ b/examples/xml/nwfilter/allow-dhcp.xml
@ -0,0 +1,21 @@
+<filter name='allow-dhcp' chain='ipv4'>
+
+    <!-- accept outgoing DHCP requests -->
+    <!-- not, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast -->
+    <rule action='accept' direction='out' priority='100'>
+        <ip srcipaddr='0.0.0.0'
+            dstipaddr='255.255.255.255'
+            protocol='udp'
+            srcportstart='68'
+            dstportstart='67' />
+    </rule>
+
+    <!-- accept incoming DHCP responses from any DHCP server -->
+    <rule action='accept' direction='in' priority='100' >
+        <ip protocol='udp'
+            srcportstart='67'
+            dstportstart='68'/>
+    </rule>
+
+</filter>
--- a/examples/xml/nwfilter/allow-incoming-ipv4.xml
+++ b/examples/xml/nwfilter/allow-incoming-ipv4.xml
@ -0,0 +1,3 @@
+<filter name='allow-incoming-ipv4' chain='ipv4'>
+  <rule direction='in' action='accept'/>
+</filter>
--- a/examples/xml/nwfilter/allow-ipv4.xml
+++ b/examples/xml/nwfilter/allow-ipv4.xml
@ -0,0 +1,3 @@
+<filter name='allow-ipv4' chain='ipv4'>
+  <rule direction='inout' action='accept'/>
+</filter>
--- a/examples/xml/nwfilter/clean-traffic.xml
+++ b/examples/xml/nwfilter/clean-traffic.xml
@ -0,0 +1,17 @@
+<filter name='clean-traffic'>
+   <!-- An example of a traffic filter enforcing clean traffic
+        from a VM by
+      - preventing MAC spoofing -->
+   <filterref filter='no-mac-spoofing'/>
+
+   <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+   <filterref filter='no-ip-spoofing'/>
+   <filterref filter='allow-incoming-ipv4'/>
+
+   <!-- preventing ARP spoofing/poisoning -->
+   <filterref filter='no-arp-spoofing'/>
+
+   <!-- preventing any other traffic than IPv4 and ARP -->
+   <filterref filter='no-other-l2-traffic'/>
+
+</filter>
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@ -0,0 +1,29 @@
+<filter name='no-arp-spoofing' chain='arp'>
+   <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
+
+   <!-- no arp spoofing -->
+   <!-- drop if ipaddr or macaddr does not belong to guest -->
+   <rule action='drop' direction='out' priority='400' >
+       <arp match='no' arpsrcmacaddr='$MAC'/>
+   </rule>
+   <rule action='drop' direction='out' priority='400' >
+       <arp match='no' arpsrcipaddr='$IP' />
+   </rule>
+   <!-- drop if ipaddr or macaddr odes not belong to guest -->
+   <rule action='drop' direction='in' priority='400' >
+       <arp match='no' arpdstmacaddr='$MAC'/>
+       <arp opcode='reply'/>
+   </rule>
+   <rule action='drop' direction='in' priority='400' >
+       <arp match='no' arpdstipaddr='$IP' />
+   </rule>
+   <!-- accept only request or reply packets -->
+   <rule action='accept' direction='inout' priority='500' >
+       <arp opcode='request'/>
+   </rule>
+   <rule action='accept' direction='inout' priority='500' >
+       <arp opcode='reply'/>
+   </rule>
+   <!-- drop everything else -->
+   <rule action='drop' direction='inout' priority='1000' />
+</filter>
--- a/examples/xml/nwfilter/no-ip-multicast.xml
+++ b/examples/xml/nwfilter/no-ip-multicast.xml
@ -0,0 +1,9 @@
+<filter name='no-ip-multicast' chain='ipv4'>
+
+    <!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
+    <rule action='drop' direction='out'>
+        <ip dstipaddr='224.0.0.0' dstipmask='4' />
+    </rule>
+
+    <!-- not doing anything with receiving side ... -->
+</filter>
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@ -0,0 +1,7 @@
+<filter name='no-ip-spoofing' chain='ipv4'>
+
+    <!-- drop if srcipaddr is not the IP address of the guest -->
+    <rule action='drop' direction='out'>
+        <ip match='no' srcipaddr='$IP' />
+    </rule>
+</filter>
--- a/examples/xml/nwfilter/no-mac-broadcast.xml
+++ b/examples/xml/nwfilter/no-mac-broadcast.xml
@ -0,0 +1,8 @@
+<filter name='no-mac-broadcast' chain='ipv4'>
+    <!-- drop if destination mac is bcast mac addr. -->
+    <rule action='drop' direction='out'>
+        <mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
+    </rule>
+
+    <!-- not doing anything with receiving side ... -->
+</filter>
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@ -0,0 +1,5 @@
+<filter name='no-mac-spoofing' chain='ipv4'>
+  <rule action='drop' direction='out' priority='10'>
+      <mac match='no' srcmacaddr='$MAC' />
+  </rule>
+</filter>
--- a/examples/xml/nwfilter/no-other-l2-traffic.xml
+++ b/examples/xml/nwfilter/no-other-l2-traffic.xml
@ -0,0 +1,7 @@
+<filter name='no-other-l2-traffic'>
+
+    <!-- drop all other l2 traffic than for which rules have been
+         written for; i.e., drop all other than arp and ipv4 traffic -->
+    <rule action='drop' direction='inout' priority='1000'/>
+
+</filter>