--- xen-unstable.hg/vif-common.sh	2008-10-08 13:50:15.000000000 -0400
+++ dynspring/vif-common.sh	2008-10-09 15:01:22.000000000 -0400
@@ -48,11 +48,14 @@
 ip=${ip:-}
 ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")
 
+# Added by CvW on 09-09-2008
+mac=${mac:-}
+mac=$(xenstore_read_default "$XENBUS_PATH/mac" "$mac")
+
 # Check presence of compulsory args.
 XENBUS_PATH="${XENBUS_PATH:?}"
 vif="${vif:?}"
 
-
 vifname=$(xenstore_read_default "$XENBUS_PATH/vifname" "")
 if [ "$vifname" ]
 then
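Review bot: The new `mac` read carries only an author/date comment, while what a reader of this section needs is the variable's role and fallback order: it becomes the `--source-mac` of the ARP reply rules in handle_arptable and, like `ip`, is taken from the environment first and then from the xenstore `mac` key. Something like `# MAC bound to this vif's IP list by the ARP anti-spoofing rules; environment value wins, else the xenstore "mac" key.` would replace the date stamp. Note also that, again like the pre-existing `ip` read, it runs before the `${XENBUS_PATH:?}` check, so an unset XENBUS_PATH is looked up as the root key `/mac` before the script aborts; moving both reads below the compulsory-argument check would be tidier.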
@@ -64,7 +67,47 @@
 fi
 
 
-frob_iptable()
+# CvW: Duplicate of frob_iptable_physdevout, except ip6tables is used
+frob_ip6table_physdevout()
+{
+  if [ "$command" == "online" ]
+  then
+    local c="-A"
+  else
+    local c="-D"
+  fi
+
+  ip6tables "$c" FORWARD -m physdev --physdev-out "$vif" "$@" -j ACCEPT \
+    2>/dev/null ||
+    [ "$c" == "-D" ] ||
+    log err \
+     "ip6tables $c FORWARD -m physdev --physdev-out $vif $@ -j ACCEPT failed.
+If you are using iptables, this may affect networking for guest domains."
+}
+
+# CvW: Duplicate of frob_iptable, except ip6tables is used
+frob_ip6table()
+{
+  if [ "$command" == "online" ]
+  then
+    local c="-A"
+  else
+    local c="-D"
+  fi
+
+  # This is the default iptables edit that was included with the base
+  # Xen scripts
+  ip6tables "$c" FORWARD -m physdev --physdev-in "$vif" --physdev-out peth0 "$@" -j ACCEPT \
+    2>/dev/null ||
+    [ "$c" == "-D" ] ||
+    log err \
+     "ip6tables $c FORWARD -m physdev --physdev-in $vif --physdev-out peth0 $@ -j ACCEPT failed.
+If you are using iptables, this may affect networking for guest domains."
+}
+
+# CvW: This was added 8-24-2008 to add rules for physdev-out, which
+# means packets leaving the bridge and into the domU.
+frob_iptable_physdevout()
 {
   if [ "$command" == "online" ]
   then
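Review bot: The comment above the frob_ip6table rule, `This is the default iptables edit that was included with the base Xen scripts`, is inaccurate: the base rule (the removed `--physdev-in "$vif" "$@"` line in the next hunk) had no `--physdev-out peth0`, and adding it means the ACCEPT covers only frames leaving the bridge through peth0, so guest-to-guest traffic on the same bridge is presumably no longer matched by this rule and falls to the FORWARD chain policy. Replace the comment with one that states that choice, e.g. `# Base Xen rule narrowed with --physdev-out peth0: accept only traffic leaving the bridge via the physical uplink, not bridge-local traffic.` The two new functions are copies of their iptables counterparts with the binary name swapped; a single helper taking the tool as its first argument (`frob_forward ip6tables -m physdev --physdev-out "$vif" "$@"`) would keep the four online/-A versus -D branches from drifting apart. frob_iptable_physdevout begins at the end of this hunk and its body continues in the next one.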
@@ -73,14 +116,53 @@
     local c="-D"
   fi
 
-  iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
+  iptables "$c" FORWARD -m physdev --physdev-out "$vif" "$@" -j ACCEPT \
     2>/dev/null ||
     [ "$c" == "-D" ] ||
     log err \
-     "iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT failed.
+     "iptables $c FORWARD -m physdev --physdev-out $vif $@ -j ACCEPT failed.
 If you are using iptables, this may affect networking for guest domains."
 }
 
+# CvW: This is modeled after frob_iptable.
+frob_arptable()
+{
+  if [ "$command" == "online" ]
+  then
+    local c="-A"
+  else
+    local c="-D"
+  fi
+
+  arptables "$c" FORWARD "$@" -j ACCEPT \
+    2>/dev/null ||
+    [ "$c" == "-D" ] ||
+    log err \
+     "arptables $c FORWARD $@ -j ACCEPT failed.
+If you are using arptables, this may affect networking for guest domains."
+}
+
+# CvW: This is the default iptable handling method, but it only configures
+# physdev-in, meaning packets leaving the domU and heading into the bridge
+# (i.e., out to the network). 
+frob_iptable()
+{
+  if [ "$command" == "online" ]
+  then
+    local c="-A"
+  else
+    local c="-D"
+  fi
+
+  # This is the default iptables edit that was included with the base
+  # Xen scripts
+  iptables "$c" FORWARD -m physdev --physdev-in "$vif" --physdev-out peth0 "$@" -j ACCEPT \
+    2>/dev/null ||
+    [ "$c" == "-D" ] ||
+    log err \
+     "iptables $c FORWARD -m physdev --physdev-in $vif --physdev-out peth0 $@ -j ACCEPT failed.
+If you are using iptables, this may affect networking for guest domains."
+}
 
 ##
 # Add or remove the appropriate entries in the iptables.  With antispoofing
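Review bot: `peth0` is hard-coded in the frob_iptable rule here (and in its ip6tables twin in the previous hunk); it is the name the Xen bridge setup conventionally gives the physical uplink, not something this script's inputs guarantee, so on a host with a different bridge layout the ACCEPT rule matches nothing and guest traffic silently falls to the FORWARD policy with no log line, since the rule insertion itself still succeeds. Read the name once with a default, `phys_uplink=${phys_uplink:-peth0}`, and use `--physdev-out "$phys_uplink"` in both rules so a deployment can override it the same way `ip` and `mac` are overridden. The frob_arptable comment `This is modeled after frob_iptable` would be more useful as a statement of what it does: `# Add (online) or delete a FORWARD ACCEPT rule in arptables; "$@" is the match specification.` The head of frob_iptable_physdevout lies in the previous hunk.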
@@ -105,17 +187,129 @@
       local addr
       for addr in $ip
       do
-        frob_iptable -s "$addr"
+          # Enable anti-spoof and anti-sniffing rules 
+          frob_iptable -s "$addr"
+          frob_iptable_physdevout -d "$addr"
       done
 
+      # Disabled by CvW on 8-24-08 since we don't use DHCP
       # Always allow the domain to talk to a DHCP server.
-      frob_iptable -p udp --sport 68 --dport 67
+      # frob_iptable -p udp --sport 68 --dport 67
+  else
+      # No IP addresses have been specified, so log an error.
+      log err "No IP address was specified. Default behavior would have been
+to allow anything, but this changed on 8-24-08 by CvW to throw this error and
+enable nothing."
+  fi
+}
+
+# Added by CvW
+handle_ip6table()
+{ 
+  # Check for a working ip6tables installation.  Checking for the ip6tables
+  # binary is not sufficient, because the user may not have the appropriate
+  # modules installed.  If ip6tables is not working, then there's no need to do
+  # anything with it, so we can just return.
+  if ! ip6tables -L -n >&/dev/null
+  then
+    log err "The ip6tables binary was not found." 
+    return 
+  fi
+
+  # Currently limiting IPv6 to just the public interface VIF0, which will map to eth0 in the domUs
+  VIF0_REGEX="vif(.*)\.0"
+  if [[ "$vif" =~ "$VIF0_REGEX" ]]; then
+      log debug "Will configure $vif for IPv6 in ip6tables."
+  else
+      log debug "Will NOT configure $vif for IPv6 in ip6tables."
+      return
+  fi
+
+  if [ "$command" == "online" ]
+  then
+      # For bringing the interface online, we'll need to get the IPv6 address from the
+      # /etc/xen/domU.cfg file, which we've stored in a proprietary "#ipv6=" comment.
+
+      # We need the domain ID to get the domain name to get the config file... Ugh!   
+      DOMID_REGEX="backend/vif/(.*)/" 
+
+      if [[ "$XENBUS_PATH" =~ "$DOMID_REGEX" ]]; then
+          DOMID=${BASH_REMATCH[1]}
+      else 
+          log err "Failed to hack domID from XENBUS_PATH ${XENBUS_PATH} for setting the ip6tables rules."
+          return
+      fi
+
+      DOMU_NAME=$(xenstore_read "/local/domain/$DOMID/name")
+      log debug "Preparing to search for IPv6 addresses for domU ${DOMU_NAME}"
+
+      DOMU_CONFIG=`cat /etc/xen/${DOMU_NAME}.cfg`
+      IPV6_REGEX="#ipv6=([a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:[a-fA-F0-9]{4})"
+
+      if [[ "$DOMU_CONFIG" =~ "$IPV6_REGEX" ]]; then
+          IPV6_ADDRESS=${BASH_REMATCH[1]}
+      else
+          log info "No IPv6 address provided in config for ${DOMU_NAME}. Will not configure ip6tables."
+          return
+      fi
+      $(xenstore_write "$XENBUS_PATH/springipv6" "$IPV6_ADDRESS")
   else
-      # No IP addresses have been specified, so allow anything.
-      frob_iptable
+      # For anything else, we can't guarantee access to the name of the domU in this code
+      # to retrieve the IPv6 address from the file. Instead, we'll need to read it from
+      # the xenstore, where we placed it during the "online" command.
+      IPV6_ADDRESS=$(xenstore_read_default "$XENBUS_PATH/springipv6" "")
+      if [ "$IPV6_ADDRESS" == ""]; then
+          log err "Failed to retrieve the IPv6 address from the hackish springipv6 xenstore entry. Probably leaving ip6tables rules floating arround."
+          return
+      fi
   fi
+      
+  log info "Configuring ${IPV6_ADDRESS} in ip6tables for command ${command}." 
+
+  frob_ip6table -s "$IPV6_ADDRESS"
+  frob_ip6table_physdevout -d "$IPV6_ADDRESS"
+  
+  log info "Done configuring ${IPV6_ADDRESS} in ip6tables." 
 }
 
+# Added by CvW on 09-09-2008
+handle_arptable()
+{
+  # Check for a working arptables installation.  Checking for the arptables
+  # binary is not sufficient, because the user may not have the appropriate
+  # modules installed.  If arptables is not working, then there's no need to do
+  # anything with it, so we can just return.
+  if ! arptables -L -n >&/dev/null
+  then
+    return
+  fi
+  
+  # This method is called once per virtual interface. This means we're guaranteed
+  # to only see a single MAC address. It is possible, however, to see multiple
+  # IP addresses for this MAC address
+
+  if [ "$mac" != "" ] &&
+     [ "$ip" != "" ]  
+  then
+      # Restrict arp traffic, such that all requests pass successfully, but
+      # this virtual interface can only provide a reply if it is an approved
+      # MAC/IP pair.
+      frob_arptable --opcode Request --in-interface "$vif"
+      frob_arptable --opcode Request --out-interface "$vif"
+      frob_arptable --opcode Reply --out-interface "$vif" --in-interface peth0
+
+	  # The rule restricting replies must be done for each valid IP address.
+      local addr
+      for addr in $ip
+      do
+          frob_arptable --opcode Reply --in-interface "$vif" --source-ip "$addr" --source-mac "$mac"
+      done
+  else
+      # No MAC or IP addresses have been specified, so log an error.
+      log err "No MAC or IP address was specified. Default DROP policy applies to this domU, and
+no ARP traffic will be allowed through the bridge."
+  fi
+}
 
 ##
 # ip_of interface
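Review bot: The three `=~` tests in handle_ip6table quote their right-hand side (`[[ "$vif" =~ "$VIF0_REGEX" ]]` and the DOMID and IPV6 matches below it), and on bash 3.2 and later a quoted right-hand side is matched as a literal string, so `vif(.*)\.0` never matches and every interface takes the "Will NOT configure" return before any ip6tables rule is installed; drop the quotes: `[[ "$vif" =~ $VIF0_REGEX ]]`, `[[ "$XENBUS_PATH" =~ $DOMID_REGEX ]]`, `[[ "$DOMU_CONFIG" =~ $IPV6_REGEX ]]`. In the offline branch `[ "$IPV6_ADDRESS" == ""]` lacks the space before `]`, so `[` reports a syntax error and the empty-address guard is never taken, leaving `frob_ip6table -s ""` to run with the error hidden by `2>/dev/null`; write `[ -z "$IPV6_ADDRESS" ]`. `$(xenstore_write "$XENBUS_PATH/springipv6" "$IPV6_ADDRESS")` executes the helper's output as a command rather than just calling it; drop the `$(...)`. The IPV6_REGEX also only accepts addresses written with all seven colons (a compressed `::` form with fewer groups is rejected), which the `#ipv6=` config-comment convention should state, and the "binary was not found" message fires for any non-working ip6tables, not only a missing binary. handle_iptable's opening lines are outside this hunk.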
@@ -149,3 +343,4 @@
   fi
   echo "$result"
 }
+
