storpool/addon-vnfilter
addon-vnfilter

OpenNebula addon to complete the spoofing filter rules generated by OpenNebula

The following use cases are covered:

  • Alias IPv4 and IPv6 spoofing filtering when Alias is attached to Ethernet only NIC (VNM/post.d)
  • Alias IPv4 and IPv6 spoofing filtering when Alias is detached from Ethernet only NIC (VNM/clean.d)
  • Alias IPv4 and IPv6 spoofing filtering on Alias hotplug (via Host hook)
  • ARP filtering when FILTER_MAC_SPOOFING is enabled

The currently supported VN MADs are 802.1Q and fw (Bridged & Security Groups).

Installation

Copy the files to the front-end and change their ownership to the oneadmin user:

cp -a remotes/ /var/lib/one/

chown -R oneadmin.oneadmin /var/lib/one/remotes/

Install the nokogiri rubygem on the hosts. The following example is for CentOS 7; check the OS documentation/packages if another OS is used.

yum -y --enablerepo=epel install rubygem-nokogiri

AlmaLinux/Rocky have no rubygem-nokogiri in EPEL, so install the opennebula-rubygems package (available from OpenNebula 5.12 onward) on the hosts instead.

dnf -y install opennebula-rubygems

For Ubuntu:

sudo apt -y install opennebula-rubygems

Allow oneadmin to execute ebtables-save via sudo on the hosts:

echo "oneadmin ALL=(ALL) NOPASSWD: /usr/sbin/ebtables-save" |sudo tee /etc/sudoers.d/vnfilter
sudo chmod 0440 /etc/sudoers.d/vnfilter

Sync the OpenNebula MADs to the hosts:

su - oneadmin
onehost sync --force

Register the hook:

onehook create vnfilter.hooktemplate

How it works

The addon uses the VN_MAD and HOOK systems, redesigned in OpenNebula 5.10, to extend the functionality as follows:

  • vnm/MAD/post.d/vnfilter_post - The script is called when a VM is started or a NIC is attached. The integration is almost seamless. When an Ethernet-only NIC is defined with all of its IPs assigned as Alias IPs, the addon patches the iptables chains generated by OpenNebula, inserting the ip-spoofing whitelist chain at a hard-coded offset. Currently the offsets are 2 for the IPv4 chains and 5 for the IPv6 chains (works for OpenNebula 5.10.0 and 5.10.1).

  • vnm/MAD/clean.d/vnfilter_clean - The script is called when a VM is stopped or a NIC is detached, and removes the anti-spoofing rules.

  • hooks/alias_ip/vnfilter.rb - The script is registered as a Host hook and executed on the hosts. It handles hotplug add and remove of Alias IPs (both IPv4 and IPv6).
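As an added illustration of the alias-IP handling described above (example code, not part of the addon): given a constructed VM document, it collects the alias IPs of every Ethernet-only NIC that has FILTER_IP_SPOOFING enabled and builds, as strings, the ipset/iptables commands that would insert a whitelist match at the offsets named above. It uses REXML instead of nokogiri so it runs with a stock Ruby, and the chain and set names (one-<vm>-<nic>-o, one-<vm>-<nic>-ip-spoofing) are assumptions, not the addon's.

```ruby
require 'rexml/document'
require 'ipaddr'

# Constructed VM document (assumed element layout): NIC 0 is Ethernet-only and gets its
# addresses from two aliases; NIC 3 has its own IP, so OpenNebula's rules already cover it.
SAMPLE_VM_XML = <<~XML
  <VM><ID>42</ID><TEMPLATE>
    <NIC><NIC_ID>0</NIC_ID><MAC>02:00:0a:00:00:05</MAC><ALIAS_IDS>1,2</ALIAS_IDS>
         <FILTER_IP_SPOOFING>YES</FILTER_IP_SPOOFING></NIC>
    <NIC><NIC_ID>3</NIC_ID><IP>192.0.2.9</IP><FILTER_IP_SPOOFING>YES</FILTER_IP_SPOOFING></NIC>
    <NIC_ALIAS><NIC_ID>1</NIC_ID><PARENT_ID>0</PARENT_ID><IP>10.0.0.5</IP></NIC_ALIAS>
    <NIC_ALIAS><NIC_ID>2</NIC_ID><PARENT_ID>0</PARENT_ID><IP6_GLOBAL>2001:db8::5</IP6_GLOBAL></NIC_ALIAS>
  </TEMPLATE></VM>
XML

# Rule positions from the README: 2 for the IPv4 chains, 5 for the IPv6 chains.
OFFSET = { inet: 2, inet6: 5 }.freeze

# { nic_id => { inet: [...], inet6: [...] } } for NICs without an address of their own
# that have FILTER_IP_SPOOFING=YES and receive at least one alias IP.
def ethernet_only_alias_ips(xml)
  doc = REXML::Document.new(xml)
  aliases = Hash.new { |h, k| h[k] = { inet: [], inet6: [] } }
  REXML::XPath.match(doc, '//TEMPLATE/NIC_ALIAS').each do |a|
    parent = Integer(a.elements['PARENT_ID'].text)
    %w[IP IP6 IP6_GLOBAL IP6_ULA].each do |tag|
      ip = a.elements[tag]&.text
      aliases[parent][IPAddr.new(ip).ipv6? ? :inet6 : :inet] << ip if ip
    end
  end
  REXML::XPath.match(doc, '//TEMPLATE/NIC').each_with_object({}) do |nic, out|
    id = Integer(nic.elements['NIC_ID'].text)
    next if nic.elements['IP'] || nic.elements['IP6_GLOBAL']  # not Ethernet-only
    next unless nic.elements['FILTER_IP_SPOOFING']&.text == 'YES' && aliases.key?(id)
    out[id] = aliases[id]
  end
end

# Commands, returned as strings rather than executed, that build the ipset whitelist and
# insert the match at the fixed offset. Chain and set names are assumed, not the addon's.
def whitelist_commands(vm_id, nic_id, ips)
  ips.flat_map do |family, list|
    next [] if list.empty?
    tool = family == :inet ? 'iptables' : 'ip6tables'
    set  = "one-#{vm_id}-#{nic_id}-ip-spoofing#{'6' if family == :inet6}"
    ["ipset create -exist #{set} hash:ip family #{family}"] +
      list.map { |ip| "ipset add -exist #{set} #{ip}" } +
      ["#{tool} -I one-#{vm_id}-#{nic_id}-o #{OFFSET[family]} -m set ! --match-set #{set} src -j DROP"]
  end
end
```

Comparing the generated strings against `iptables -S one-<vm>-<nic>-o` on a host is a quick way to confirm the offset still matches the chain layout of the OpenNebula release in use.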

The ARP filtering is implemented using ebtables; the rules follow the ARP spoofing filters implemented in libvirt.

Once enabled, it is enough to live-migrate a VM for the new rules to be applied to the VM interfaces on the host.

Improvements

There is a lot of room for improvement and not all use cases have been tested, so pull requests are highly appreciated.

Debugging

The scripts log all issued commands to syslog, so it is worth looking there in addition to inspecting the iptables, ebtables (nat table) and ipset rules.

Uninstall

The uninstall procedure has two steps, as follows:

  • Step 1
    • delete the vnfilter hook: onehook delete $VNFILTER_HOOK_ID
    • delete the post.d files on the frontend(s): rm /var/lib/one/remotes/vnm/*/post.d/vnfilter*
    • delete the post.d files on the hosts: rm /var/tmp/one/vnm/*/post.d/vnfilter*
    • live-migrate the VMs between the hosts
  • Step 2
    • delete the clean.d files on the frontend(s): rm /var/lib/one/remotes/vnm/*/clean.d/vnfilter*
    • delete the clean.d files on the hosts: rm /var/tmp/one/vnm/*/clean.d/vnfilter*
    • delete the rest of the vnfilter files on the frontend(s): rm /var/lib/one/remotes/vnm/vnfilter* /var/lib/one/remotes/hooks/alias_ip/vnfilter*
    • delete the rest of the vnfilter files on the hosts: rm /var/tmp/one/vnm/vnfilter* /var/tmp/one/hooks/alias_ip/vnfilter* /etc/sudoers.d/vnfilter
