VN_MAD=fw IP spoofing block NIC Aliasses #3354

Closed
7 tasks
atodorov-storpool opened this issue May 18, 2019 · 9 comments

Comments

@atodorov-storpool
Contributor

Description
IPs added as NIC aliases are blocked by the firewall on the host.

To Reproduce
Add a NIC alias to a VM interface with VN_MAD=fw and try to ping the address from the internet.

Expected behavior
The alias IP should be reachable.

Details

  • Affected Component: [Network]
  • Hypervisor: [KVM]
  • Version: [5.8.x]

Additional context
The alias IPs are not included in the ipset on the host. Manually adding them to the ipset makes them reachable.
The alias IPs are missing from the libvirt filter too. I mean the clean-traffic rule in the domain XML - there is a param entry for the primary IP only.

Progress Status

  • Branch created
  • Code committed to development branch
  • Testing - QA
  • Documentation
  • Release notes - resolved issues, compatibility, known issues
  • Code committed to upstream release/hotfix branches
  • Documentation committed to upstream release/hotfix branches
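The check a host admin would run for the symptom described in this report, as an added example that is not part of the original report or of the OpenNebula driver: parse the VM's XML, fold each NIC_ALIAS address into its parent NIC, and diff that against the members of the host ipset. The XML element names (NIC, NIC_ID, IP, IP6_*, ALIAS_IDS, NIC_ALIAS, PARENT_ID) are assumed to match what `onevm show -x` emits, the ipset name is made up, and both inputs are constructed samples. REXML is used because nokogiri is not available on the nodes.

```ruby
# Added example (not OpenNebula's own code): collect every address a VM NIC is
# allowed to source, primary plus NIC_ALIAS entries, and compare it with the
# members of the host ipset that the fw driver's anti-spoofing rule matches on.
#
# Assumptions, labelled here: the VM XML layout (NIC with NIC_ID/IP/IP6_*/ALIAS_IDS,
# NIC_ALIAS with PARENT_ID) follows the OpenNebula VM template as exported by
# `onevm show -x`; verify against your own output. The ipset name is hypothetical.
require 'rexml/document'
require 'ipaddr'

# Constructed sample VM XML: NIC 0 carries 10.0.0.10 and 2001:db8::10 and has one
# alias (NIC_ALIAS id 1) with 10.0.0.11.
SAMPLE_VM_XML = <<~XML
  <VM>
    <ID>42</ID>
    <TEMPLATE>
      <NIC>
        <NIC_ID>0</NIC_ID>
        <MAC>02:00:0a:00:00:0a</MAC>
        <IP>10.0.0.10</IP>
        <IP6_GLOBAL>2001:db8::10</IP6_GLOBAL>
        <ALIAS_IDS>1</ALIAS_IDS>
      </NIC>
      <NIC_ALIAS>
        <NIC_ID>1</NIC_ID>
        <PARENT_ID>0</PARENT_ID>
        <IP>10.0.0.11</IP>
      </NIC_ALIAS>
    </TEMPLATE>
  </VM>
XML

# Constructed `ipset list` output showing the symptom from the report: only the
# primary address is in the set, so the alias is dropped by the `! --match-set` rule.
SAMPLE_IPSET_OUTPUT = <<~OUT
  Name: one-42-0-ip-spoofing
  Type: hash:ip
  Revision: 4
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 168
  References: 1
  Number of entries: 1
  Members:
  10.0.0.10
OUT

# IP-bearing attributes a NIC or NIC_ALIAS element may carry.
IP_ATTRS = %w[IP IP6 IP6_GLOBAL IP6_ULA IP6_LINK].freeze

# Appends the element's addresses to the per-family lists; IPAddr rejects malformed
# text instead of letting it end up in a firewall rule.
def collect_ips(sets, element)
  IP_ATTRS.each do |attr|
    node = element.elements[attr]
    next if node.nil? || node.text.nil? || node.text.strip.empty?
    addr = IPAddr.new(node.text.strip)
    (addr.ipv4? ? sets[:ipv4] : sets[:ipv6]) << addr.to_s
  end
end

# Returns { nic_id => { ipv4: [...], ipv6: [...] } } with alias addresses folded into
# their parent NIC, which is what the anti-spoofing set for that tap device must hold.
def nic_address_sets(vm_xml)
  doc = REXML::Document.new(vm_xml)
  nics = {}
  doc.elements.each('VM/TEMPLATE/NIC') do |nic|
    id = nic.elements['NIC_ID'].text
    nics[id] = { ipv4: [], ipv6: [] }
    collect_ips(nics[id], nic)
  end
  doc.elements.each('VM/TEMPLATE/NIC_ALIAS') do |nic_alias|
    parent = nic_alias.elements['PARENT_ID'].text
    next unless nics.key?(parent) # orphan alias: nothing to attach it to
    collect_ips(nics[parent], nic_alias)
  end
  nics
end

# Parses the member list out of `ipset list <set>` output.
def ipset_members(output)
  lines = output.lines.map(&:strip)
  idx = lines.index('Members:')
  return [] if idx.nil?
  lines[(idx + 1)..-1].reject(&:empty?)
end

# Addresses the VM is entitled to source but the host set does not allow.
def missing_from_ipset(expected_ips, ipset_output)
  expected_ips - ipset_members(ipset_output)
end

if __FILE__ == $PROGRAM_NAME
  sets = nic_address_sets(SAMPLE_VM_XML)
  missing = missing_from_ipset(sets['0'][:ipv4], SAMPLE_IPSET_OUTPUT)
  puts "NIC 0 IPv4: #{sets['0'][:ipv4].join(', ')}"
  puts "missing from ipset: #{missing.join(', ')}"
end
```

Run it as a script to print the addresses that are missing; on a real deployment, feed it `onevm show -x <id>` taken on the front-end and `ipset list <set>` taken on the hypervisor. An empty result from missing_from_ipset means the anti-spoofing set already allows every address the VM owns, aliases included.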
@atodorov-storpool atodorov-storpool changed the title from "VN_MAD=fw IP spoofing block NIC Aliases" to "VN_MAD=fw IP spoofing block NIC Aliasses" May 18, 2019
@atodorov-storpool
Contributor Author

Looks like it is related to #3079
But the IP spoofing filter

atodorov-storpool added a commit to atodorov-storpool/one that referenced this issue May 19, 2019

Verified

This commit was signed with the committer’s verified signature.
atodorov-storpool Anton Todorov
in src/vnm_mad/remotes/lib/vm.rb:
   add array of NIC aliases to the nic Array

in src/vnm_mad/remotes/lib/security_groups_iptables.rb
   update ipv4s(and ipv6s) with the alias ips

Signed-off-by: Anton Todorov <atodorov-storpool@users.noreply.github.com>
atodorov-storpool added a commit to atodorov-storpool/one that referenced this issue May 19, 2019

- src/vnm_mad/remotes/lib/vm.rb:
   add array of NIC aliases to the nic Array

- src/vnm_mad/remotes/lib/security_groups_iptables.rb:
   update ipv4s(and ipv6s) with the alias ips

Signed-off-by: Anton Todorov <a.todorov@storpool.com>
@atodorov-storpool
Contributor Author

The patch for the MAC spoofing filter for #3079 is not so trivial, though, at least on first read. So the patch is for this issue only...

@atodorov-storpool
Contributor Author

The above patch resolves the case of VM resume.
Attaching a NIC is not resolved; I am trying to handle it with a VM_HOOK on HOTPLUG_NIC, but it is hard due to #3357

On a side note - the VM's Template passed to the VM_HOOK on the HOTPLUG_NIC event contains the flag ATTACH=YES when detaching a NIC...

@atodorov-storpool
Contributor Author

And the net_fw_hook that handles the hotplug add/remove of a NIC alias

@al3xhh al3xhh self-assigned this Jun 12, 2019
@al3xhh al3xhh added this to the Release 5.10 milestone Jun 12, 2019
rsmontero pushed a commit that referenced this issue Jul 5, 2019
- src/vnm_mad/remotes/lib/vm.rb:
   add array of NIC aliases to the nic Array

- src/vnm_mad/remotes/lib/security_groups_iptables.rb:
   update ipv4s(and ipv6s) with the alias ips

Signed-off-by: Anton Todorov <a.todorov@storpool.com>
@rsmontero
Member

After discussing this with the team, it is probably a better idea to have pre_alias, post_alias, clean_alias scripts to configure anything related to the alias interface in the network.

rsmontero added a commit that referenced this issue Jul 10, 2019

This reverts commit dd72b19.
atodorov-storpool added a commit to storpool/one that referenced this issue Aug 13, 2019

- src/vnm_mad/remotes/lib/vm.rb:
   add array of NIC aliases to the nic Array

- src/vnm_mad/remotes/lib/security_groups_iptables.rb:
   update ipv4s(and ipv6s) with the alias ips

Signed-off-by: Anton Todorov <a.todorov@storpool.com>
atodorov-storpool added a commit to storpool/one that referenced this issue Aug 13, 2019

- src/vnm_mad/remotes/lib/vm.rb:
   add array of NIC aliases to the nic Array

- src/vnm_mad/remotes/lib/security_groups_iptables.rb:
   update ipv4s(and ipv6s) with the alias ips
atodorov-storpool added a commit to storpool/one that referenced this issue Sep 26, 2019

- src/vnm_mad/remotes/lib/vm.rb:
   add array of NIC aliases to the nic Array

- src/vnm_mad/remotes/lib/security_groups_iptables.rb:
   update ipv4s(and ipv6s) with the alias ips
@atodorov-storpool
Contributor Author

Working on this (also addressing #869)...

But there is no nokogiri on the nodes, so I am in doubt whether to install opennebula-ruby on the nodes or to install and use the OS package for ruby-nokogiri.

@atodorov-storpool
Contributor Author

Forgot to clarify - nokogiri is needed for the HOTPLUG_NIC hook that will handle the live IP ALIAS add/remove

atodorov-storpool added a commit to atodorov-storpool/one that referenced this issue Nov 27, 2019

 handle ARP spoofing
 handle hotplug_nic events via a hook
@atodorov-storpool
Contributor Author

atodorov-storpool commented Nov 27, 2019

Some comments on the above commit (atodorov-storpool@b07dbfa)

In the case when the primary NIC is Ethernet only, the iptables rules to handle the ipset(s) are not created - just a sinkhole is defined. So the script tries to patch these chains...

Wrote it as a separate driver because in the default classes there is no information for the IP aliases.

Using ebtables instead of arptables because ebtables is already installed/available on the hosts.

Also, having everything in separate files allows adding this functionality to the current 5.10.0 just by dropping in the files and defining a hook...

Any comments/suggestions are welcome
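An added example, not the driver or hook posted in this thread, of the rule set such a hook has to produce once a NIC's alias addresses are known: one ipset per address family holding the primary IP and every alias, the `! --match-set ... DROP` rule in front of it, a plain DROP sinkhole for a family the NIC owns no address in (the Ethernet-only case mentioned in the comment above), and an ebtables ARP allow-list so that a spoofed ARP sender IP is dropped at layer 2 as well. The tap device name one-<vm_id>-<nic_id>, the chain and set names, and the existence of the per-NIC chain are assumptions made for illustration; the function only returns the commands, it does not run them.

```ruby
# Added example, not OpenNebula's driver: emit the anti-spoofing rules for one VM NIC
# from its complete address list (primary plus aliases).
#
# Assumptions, labelled here: the tap device is one-<vm_id>-<nic_id>; the per-NIC
# inbound chain "<vnet>-i" already exists in iptables/ip6tables; set and chain names
# are hypothetical. Commands are returned as strings, not executed.

def spoof_filter_commands(vm_id, nic_id, ipv4s, ipv6s)
  vnet  = "one-#{vm_id}-#{nic_id}"
  chain = "#{vnet}-i"
  cmds  = []

  # L3: per address family, either an allow-list set with a "not in set -> DROP" rule,
  # or, when the NIC owns no address in that family, a plain sinkhole that drops it all.
  families = {
    'inet'  => [ipv4s, 'iptables',  "#{vnet}-ip-spoofing"],
    'inet6' => [ipv6s, 'ip6tables', "#{vnet}-ip6-spoofing"]
  }
  families.each do |family, (ips, tool, set)|
    if ips.empty?
      cmds << "#{tool} -A #{chain} -j DROP"
      next
    end
    cmds << "ipset create #{set} hash:ip family #{family} -exist"
    ips.each { |ip| cmds << "ipset add #{set} #{ip} -exist" }
    cmds << "#{tool} -A #{chain} -m set ! --match-set #{set} src -j DROP"
  end

  # L2: ARP allow-list. IP filtering alone does not stop a guest from answering or
  # announcing ARP for an address it does not own; each permitted IPv4 address
  # (aliases included) gets an ACCEPT and the chain policy drops the rest.
  arp_chain = "#{vnet}-arp"
  cmds << "ebtables -N #{arp_chain}"
  cmds << "ebtables -P #{arp_chain} DROP"
  ipv4s.each { |ip| cmds << "ebtables -A #{arp_chain} -p ARP --arp-ip-src #{ip} -j ACCEPT" }
  # The jump into the chain goes last, so the allow-list is complete before any
  # frame from this tap is evaluated against it.
  cmds << "ebtables -A FORWARD -i #{vnet} -p ARP -j #{arp_chain}"
  cmds
end

# Constructed sample: VM 42, NIC 0 with a primary address and one alias, no IPv6.
if __FILE__ == $PROGRAM_NAME
  puts spoof_filter_commands(42, 0, ['10.0.0.10', '10.0.0.11'], [])
end
```

Keeping the generator separate from execution lets the hook log or diff the intended rule set against `ipset list`, `iptables-save` and `ebtables -L` output before touching the host; the same function, fed only the primary address, reproduces the original defect, since the alias then appears in neither the set nor the ARP allow-list.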

atodorov-storpool added a commit to atodorov-storpool/one that referenced this issue Nov 29, 2019

 handle ARP + Alias IPs
 handle IPv4 + Alias IPs
 handle IPv6 + Alias IPs, SLAAC
 handle HOTPLUG_NIC events for Alias IPs via a hook
atodorov-storpool added a commit to storpool/one that referenced this issue Nov 29, 2019

 handle ARP + Alias IPs
 handle IPv4 + Alias IPs
 handle IPv6 + Alias IPs, SLAAC
 handle HOTPLUG_NIC events for Alias IPs via a hook
@tinova tinova modified the milestones: Release 5.12, Release 5.12.1 Jun 16, 2020
atodorov-storpool added a commit to storpool/one that referenced this issue Jun 17, 2020

 handle ARP + Alias IPs
 handle IPv4 + Alias IPs
 handle IPv6 + Alias IPs, SLAAC
 handle HOTPLUG_NIC events for Alias IPs via a hook
@tinova tinova modified the milestones: Release 5.12.1, Release 5.12.2 Jul 8, 2020
@tinova tinova modified the milestones: Release 5.12.2, Release 5.12.3 Aug 5, 2020
@tinova tinova modified the milestones: Release 5.12.3, Release 5.12.4 Sep 3, 2020
@tinova tinova modified the milestones: Release 5.12.4, Release 5.12.5 Sep 23, 2020
@tinova tinova modified the milestones: Release 5.12.5, Release 5.12.6 Oct 21, 2020
@tinova tinova modified the milestones: Release 5.12.6, Release 5.12.7 Nov 5, 2020
atodorov-storpool added a commit to storpool/one that referenced this issue Nov 5, 2020

 handle ARP + Alias IPs
 handle IPv4 + Alias IPs
 handle IPv6 + Alias IPs, SLAAC
 handle HOTPLUG_NIC events for Alias IPs via a hook
atodorov-storpool added a commit to storpool/one that referenced this issue Nov 27, 2020

 handle ARP + Alias IPs
 handle IPv4 + Alias IPs
 handle IPv6 + Alias IPs, SLAAC
 handle HOTPLUG_NIC events for Alias IPs via a hook
atodorov-storpool added a commit to storpool/one that referenced this issue Nov 27, 2020

 handle ARP + Alias IPs
 handle IPv4 + Alias IPs
 handle IPv6 + Alias IPs, SLAAC
 handle HOTPLUG_NIC events for Alias IPs via a hook
@tinova tinova modified the milestones: Release 5.12.7, Release 5.12.8 Dec 17, 2020
atodorov-storpool added a commit to storpool/one that referenced this issue Jan 4, 2021

 handle ARP + Alias IPs
 handle IPv4 + Alias IPs
 handle IPv6 + Alias IPs, SLAAC
 handle HOTPLUG_NIC events for Alias IPs via a hook
atodorov-storpool added a commit to storpool/one that referenced this issue Jan 7, 2021

 handle ARP + Alias IPs
 handle IPv4 + Alias IPs
 handle IPv6 + Alias IPs, SLAAC
 handle HOTPLUG_NIC events for Alias IPs via a hook
@tinova tinova modified the milestones: Release 5.12.8, Release 5.12.9 Feb 18, 2021
@rsmontero rsmontero modified the milestones: Release 5.12.9, Release 6.2 Mar 10, 2021
@rdiaz-on
Contributor

This issue has been fixed.

feldsam pushed a commit to FELDSAM-INC/one that referenced this issue Nov 4, 2024
handle ARP + Alias IPs
handle IPv4 + Alias IPs
handle IPv6 + Alias IPs, SLAAC
handle HOTPLUG_NIC events for Alias IPs

Signed-off-by: Kristian Feldsam <feldsam@gmail.com>

6 participants