2019-11-27 10:54:06 +00:00
|
|
|
flush ruleset
|
|
|
|
|
|
|
|
table bridge filter {
|
|
|
|
chain prerouting {
|
|
|
|
type filter hook prerouting priority 0;
|
|
|
|
policy accept;
|
|
|
|
ibrname br100 jump netpublic
|
|
|
|
}
|
|
|
|
chain netpublic {
|
|
|
|
icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
table ip6 filter {
|
|
|
|
chain forward {
|
|
|
|
type filter hook forward priority 0;
|
|
|
|
|
|
|
|
# this would be nice...
|
|
|
|
policy drop;
|
|
|
|
|
|
|
|
ct state established,related accept;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
chain prerouting {
|
|
|
|
type filter hook prerouting priority 0;
|
|
|
|
policy accept;
|
|
|
|
|
|
|
|
# not supporting in here!
|
|
|
|
|
|
|
|
|
|
|
|
iifname vmXXXX jump vmXXXX
|
|
|
|
iifname vmYYYY jump vmYYYY
|
|
|
|
|
|
|
|
iifname brXX jump brXX
|
|
|
|
|
|
|
|
iifname vxlan100 jump vxlan100
|
|
|
|
iifname br100 jump br100
|
|
|
|
}
|
|
|
|
|
|
|
|
# 1. Rules per VM (names: vmXXXXX?
|
|
|
|
# 2. Rules per network (names: vxlanXXXX, what about non vxlan?)
|
|
|
|
# 3. Rules per bridge:
|
|
|
|
# vxlanXX is inside brXX
|
|
|
|
# This is effectively a network filter
|
|
|
|
# 4. Kill all malicous traffic:
|
|
|
|
# - router advertisements from VMs in which they should not announce RAs
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
chain vxlan100 {
|
|
|
|
icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
|
|
|
|
}
|
|
|
|
chain br100 {
|
|
|
|
icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
|
|
|
|
}
|
|
|
|
|
|
|
|
chain netpublic {
|
|
|
|
# drop router advertisements that don't come from us
|
|
|
|
iifname != vxlanpublic icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
|
|
|
|
# icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
# This vlan
|
|
|
|
chain brXX {
|
|
|
|
ip6 saddr != 2001:db8:1::/64 drop;
|
|
|
|
}
|
|
|
|
|
|
|
|
chain vmXXXX {
|
|
|
|
ether saddr != 00:0f:54:0c:11:04 drop;
|
2019-12-06 23:49:57 +00:00
|
|
|
ip6 saddr != 2001:db8:1:000f::540c:11ff:fe04 drop;
|
|
|
|
jump drop_from_vm_without_ipam
|
|
|
|
}
|
|
|
|
|
|
|
|
chain net_2a0ae5c05something {
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
chain drop_from_vm_without_ipam {
|
|
|
|
|
2019-11-27 10:54:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
chain vmYYYY {
|
|
|
|
ether saddr != 00:0f:54:0c:11:05 drop;
|
2019-12-06 23:49:57 +00:00
|
|
|
jump drop_from_vm_with_ipam
|
|
|
|
}
|
|
|
|
|
|
|
|
# Drop stuff from every VM
|
|
|
|
chain drop_from_vm_with_ipam {
|
|
|
|
icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
|
2019-11-27 10:54:06 +00:00
|
|
|
}
|
|
|
|
}
|