OpenNebula addon to complete the spoofing filter rules generated by OpenNebula
The following use cases are covered:
- Alias IPv4 and IPv6 spoofing filtering when an Alias is attached to an Ethernet-only NIC (VNM/post.d)
- Alias IPv4 and IPv6 spoofing filtering when an Alias is detached from an Ethernet-only NIC (VNM/clean.d)
- Alias IPv4 and IPv6 spoofing filtering on Alias hotplug (via Host hook)
- ARP filtering when FILTER_MAC_SPOOFING is enabled
The currently supported VN MADs are 802.1Q and fw (Bridged & Security Groups).
Copy the files to the front-end and change their ownership to the oneadmin user:
    cp -a remotes/ /var/lib/one/
    chown -R oneadmin.oneadmin /var/lib/one/remotes/
The addon shells out to iptables, ip6tables, ipset, ebtables and ebtables-save, and its host hook uses the nokogiri and rexml Ruby gems. The easiest way to install everything is to run the bundled installer from the addon directory on each KVM host:
    sudo HOST_INSTALL=1 bash install.sh
The equivalent manual commands are:
On EL (dnf-based) hosts:
    sudo dnf -y install \
        opennebula-rubygems \
        rubygem-rexml \
        iptables-nft \
        ipset
    # EL8 only: ebtables ships in its own package
    sudo dnf -y install iptables-ebtables
On Debian/Ubuntu (apt-based) hosts:
    sudo apt-get -y install \
        opennebula-rubygems \
        ruby-rexml \
        iptables \
        ebtables \
        ipset
Enable oneadmin to execute ebtables-save on the hosts:
    echo "oneadmin ALL=(ALL) NOPASSWD: /usr/sbin/ebtables-save" | sudo tee /etc/sudoers.d/vnfilter
    sudo chmod 0440 /etc/sudoers.d/vnfilter
Once the packages are in place, the following commands should all succeed on every KVM host (run as root or via sudo):
    ruby -e "require 'rexml/document'; puts :ok"
    iptables -V
    ip6tables -V
    ebtables -V
    ipset -v
    sudo -u oneadmin sudo -n ebtables-save >/dev/null && echo "sudoers OK"
Sync the OpenNebula MADs to the hosts:
    su - oneadmin
    onehost sync --force
Register the hook:
    onehook create vnfilter.hooktemplate
The addon uses the VN_MAD and HOOK systems redesigned in OpenNebula 5.10 to extend the functionality as follows:
- vnm/MAD/post.d/vnfilter_post - called when a VM is started or a NIC is attached. The integration is almost seamless. When an Ethernet-only NIC is defined with all of its IPs assigned as Alias IPs, the addon patches the iptables chains generated by OpenNebula at a hard-coded offset to insert the ip-spoofing whitelist chain. Currently the offsets are 2 for the IPv4 chains and 5 for the IPv6 chains (works for OpenNebula 5.10.0 and 5.10.1).
- vnm/MAD/clean.d/vnfilter_clean - called when a VM is stopped or a NIC is detached, to remove the anti-spoofing rules.
- hooks/alias_ip/vnfilter.rb - registered as a Host hook and executed on the hosts. It handles hotplug add and remove of Alias IPs (both IPv4 and IPv6).
The ARP filtering is implemented with ebtables; the rules follow the ARP anti-spoofing filters implemented in libvirt.
Once enabled, it is enough to live-migrate a VM for the new rules to be applied to the VM's interfaces on the host.
There is a lot of room for improvement and not all use cases are tested, so pull requests are highly appreciated.
The scripts log all issued commands to syslog, so it is worth looking there besides inspecting the iptables, ebtables (nat table) and ipset rules.
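Because the whitelist chain is inserted at a hard-coded offset, it is worth verifying on each host that every NIC actually ends up with its anti-spoofing DROP rule and that all of its addresses (primary and Alias) are in the whitelist ipset. The following Python audit is an added example, not part of the addon; it assumes OpenNebula's per-NIC outbound chain is named one-<vm>-<nic>-o and its whitelist ipset one-<vm>-<nic>-ip-spoofing, and runs over constructed iptables-save and ipset save output embedded inline.

```python
import re

# Assumed naming (not taken from the addon's code): the per-NIC outbound chain is
# one-<vm>-<nic>-o and the whitelist ipset is one-<vm>-<nic>-ip-spoofing.
RULE_RE = re.compile(r"^-A (?P<nic>one-\d+-\d+)-o -m set ! --match-set (?P<set>\S+) src -j DROP$")
ADD_RE = re.compile(r"^add (?P<set>\S+) (?P<ip>\S+)$")
# Constructed sample output of `iptables-save` and `ipset save` for three NICs:
# one-5-0 is fully protected, one-7-0 lacks its Alias in the set, one-9-0 has no rule.
SAMPLE_IPTABLES = """*filter
-A one-5-0-o -m set ! --match-set one-5-0-ip-spoofing src -j DROP
-A one-7-0-o -m set ! --match-set one-7-0-ip-spoofing src -j DROP
-A one-9-0-o -j RETURN
COMMIT
"""
SAMPLE_IPSET = """create one-5-0-ip-spoofing hash:ip family inet hashsize 1024 maxelem 65536
add one-5-0-ip-spoofing 10.0.0.5
add one-5-0-ip-spoofing 10.0.0.50
create one-7-0-ip-spoofing hash:ip family inet hashsize 1024 maxelem 65536
add one-7-0-ip-spoofing 10.0.0.7
"""
# Primary + Alias addresses each NIC may use as source (constructed, e.g. from onevm show).
EXPECTED = {"one-5-0": ["10.0.0.5", "10.0.0.50"],
            "one-7-0": ["10.0.0.7", "10.0.0.70"],
            "one-9-0": ["10.0.0.9"]}

def parse(iptables_save, ipset_save):
    """Return (nic -> whitelist ipset name, ipset name -> member addresses)."""
    rules, sets = {}, {}
    for line in iptables_save.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[m.group("nic")] = m.group("set")
    for line in ipset_save.splitlines():
        m = ADD_RE.match(line.strip())
        if m:
            sets.setdefault(m.group("set"), set()).add(m.group("ip"))
    return rules, sets

def audit(iptables_save, ipset_save, expected):
    """Return sorted (nic, problem) findings; an empty list means every NIC is covered."""
    rules, sets = parse(iptables_save, ipset_save)
    findings = []
    for nic, ips in expected.items():
        if nic not in rules:
            findings.append((nic, "no anti-spoofing DROP rule in chain %s-o" % nic))
            continue
        members = sets.get(rules[nic], set())
        findings += [(nic, "address %s missing from ipset %s" % (ip, rules[nic]))
                     for ip in ips if ip not in members]
    return sorted(findings)
```

The same parser works on ip6tables-save output for the IPv6 chains, since the rule syntax is identical and only the ipset family differs.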
The uninstall procedure is in two steps as follows:
- Step 1
  - delete the vnfilter hook with
        onehook delete $VNFILTER_HOOK_ID
  - delete the post.d files on the frontend(s)
        rm /var/lib/one/remotes/vnm/*/post.d/vnfilter*
  - delete the post.d files on the hosts
        rm /var/tmp/one/vnm/*/post.d/vnfilter*
  - migrate (live) the VMs between the hosts
- Step 2
  - delete the clean.d files on the frontend(s)
        rm /var/lib/one/remotes/vnm/*/clean.d/vnfilter*
  - delete the clean.d files on the hosts
        rm /var/tmp/one/vnm/*/clean.d/vnfilter*
  - delete the rest of the vnfilter files on the frontend(s)
        rm /var/lib/one/remotes/vnm/vnfilter* /var/lib/one/remotes/hooks/alias_ip/vnfilter*
  - delete the rest of the vnfilter files on the hosts
        rm /var/tmp/one/vnm/vnfilter* /var/tmp/one/hooks/alias_ip/vnfilter* /etc/sudoers.d/vnfilter