VN_MAD=fw IP spoofing block NIC Aliases #3354
Comments
Looks like it is related to #3079
in src/vnm_mad/remotes/lib/vm.rb: add array of NIC aliases to the nic Array
in src/vnm_mad/remotes/lib/security_groups_iptables.rb: update ipv4s (and ipv6s) with the alias ips
Signed-off-by: Anton Todorov <atodorov-storpool@users.noreply.github.com>
- src/vnm_mad/remotes/lib/vm.rb: add array of NIC aliases to the nic Array
- src/vnm_mad/remotes/lib/security_groups_iptables.rb: update ipv4s (and ipv6s) with the alias ips
Signed-off-by: Anton Todorov <a.todorov@storpool.com>
The patch for MAC spoofing filter for #3079 is not so trivial, though. At least on first read. So the patch is for this issue only...
The above patch resolves the case of VM resume. On a side note - the VM's Template passed to the VM_HOOK on the HOTPLUG_NIC event contains the flag ATTACH=YES when detaching a nic...
And the net_fw_hook that handles the hotplug add/remove of a NIC alias
After discussing this with the team, it is probably a better idea to have pre_alias, post_alias, clean_alias scripts to configure anything related to the alias interface in the network.
- src/vnm_mad/remotes/lib/vm.rb: add array of NIC aliases to the nic Array
- src/vnm_mad/remotes/lib/security_groups_iptables.rb: update ipv4s (and ipv6s) with the alias ips
Working on this (also addressing #869)... But there is no nokogiri on the nodes. So I am in doubt whether to install opennebula-ruby on the nodes or to install and use the OS package for ruby-nokogiri?
Forgot to clarify - nokogiri is needed for the HOTPLUG_NIC hook that will handle the live IP ALIAS add/remove
handle ARP spoofing
handle hotplug_nic events via a hook
Some comments on the above commit (atodorov-storpool@b07dbfa)

In the case when the primary NIC is Ethernet only, the iptables rules to handle the ipset(s) are not created - just a sink hole is defined. So the script tries to patch these chains...

Wrote it as a separate driver because in the default classes there is no information for the IP aliases.

Using ebtables instead of arptables because ebtables are already installed/available on the hosts.

Also, having everything in separate files allows adding this functionality to the current 5.10.0 just by dropping files and defining a hook...

Any comments/suggestions are welcome
handle ARP + Alias IPs
handle IPv4 + Alias IPs
handle IPv6 + Alias IPs, SLAAC
handle HOTPLUG_NIC events for Alias IPs via a hook
This issue has been fixed.
handle ARP + Alias IPs
handle IPv4 + Alias IPs
handle IPv6 + Alias IPs, SLAAC
handle HOTPLUG_NIC events for Alias IPs
Signed-off-by: Kristian Feldsam <feldsam@gmail.com>
Description
Added IPs as NIC aliases are blocked by the firewall on the host
To Reproduce
Add a NIC alias to a VM interface with VN_MAD=fw and try to ping the address from the internet.
Expected behavior
The alias IP should be reachable.
Details
Additional context
The alias IPs are not included in the ipset on the host. Manually adding them to the ipset makes them reachable.
The alias IPs are missing from the libvirt filter too. I mean the clean-traffic rule in the domain XML - there is a param entry for the primary IP only.
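A host-side check for the situation the description reports, added here as an example and not code from the OpenNebula fw driver or from the reporter: it collects a NIC's primary and alias addresses (hypothetical hash layout, constructed sample) and compares them with the members parsed from a constructed `ipset list` dump, whose set name follows the assumed one-<vmid>-<nicid>-ip-spoofing convention.

```ruby
require 'set'

# Constructed NIC description (hypothetical layout; the real fw driver builds
# its NIC objects from the VM template). The bug: only :ip was fed to the
# ipset, so alias addresses were dropped by the IP-spoofing rules.
SAMPLE_NIC = {
  vm_id: 42, nic_id: 0, ip: '10.0.0.10', ip6: nil,
  aliases: [{ ip: '10.0.0.11', ip6: nil }, { ip: '10.0.0.12', ip6: 'fd00::12' }]
}

# Constructed `ipset list` output for the NIC's spoofing set (assumed name),
# showing the pre-fix state: only the primary address is a member.
SAMPLE_IPSET_DUMP = <<~DUMP
  Name: one-42-0-ip-spoofing
  Type: hash:ip
  Revision: 4
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 200
  References: 1
  Number of entries: 1
  Members:
  10.0.0.10
DUMP

# Addresses the NIC is allowed to source: primary plus every alias.
def nic_ipv4s(nic)
  ([nic[:ip]] + nic[:aliases].map { |a| a[:ip] }).compact
end

def nic_ipv6s(nic)
  ([nic[:ip6]] + nic[:aliases].map { |a| a[:ip6] }).compact
end

# Parse the "Members:" section of `ipset list` into a Set of addresses.
def ipset_members(dump)
  members = dump.lines.map(&:strip).drop_while { |l| l != 'Members:' }.drop(1)
  members.reject(&:empty?).to_set
end

# Which allowed IPv4 addresses are absent from the ipset, and therefore
# still blocked by the host firewall?
def missing_from_ipset(nic, dump)
  present = ipset_members(dump)
  nic_ipv4s(nic).reject { |ip| present.include?(ip) }
end

if __FILE__ == $PROGRAM_NAME
  missing = missing_from_ipset(SAMPLE_NIC, SAMPLE_IPSET_DUMP)
  puts "missing from ipset: #{missing.join(', ')}" # 10.0.0.11, 10.0.0.12
end
```

On a real host the dump would come from `ipset list <setname>` and the NIC data from the VM template; every alias reported as missing is one that the fix must add to the set (and, as the description notes, to the libvirt clean-traffic filter).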