uncloud/ucloud/hack/nftables.conf

flush ruleset

table bridge filter {
       chain prerouting {
                type filter hook prerouting priority 0;
                policy accept;
                ibrname br100 jump netpublic
                }
       chain netpublic {
       icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
       }
}

table ip6 filter {
        chain forward {
                type filter hook forward priority 0;

                # this would be nice...
                policy drop;

                ct state established,related accept;

        }

        chain prerouting {
                type filter hook prerouting priority 0;
                policy accept;

                # not supporting in here!


                iifname vmXXXX jump vmXXXX
                iifname vmYYYY jump vmYYYY

                iifname brXX jump brXX

                iifname vxlan100 jump vxlan100
                iifname br100 jump br100
        }

        # 1. Rules per VM (names: vmXXXXX?
        # 2. Rules per network (names: vxlanXXXX, what about non vxlan?)
        # 3. Rules per bridge:
        # vxlanXX is inside brXX
        # This is effectively a network filter
        # 4. Kill all malicous traffic:
        # - router advertisements from VMs in which they should not announce RAs


        chain vxlan100 {
             icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
             }
        chain br100 {
              icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
        }

        chain netpublic {
              # drop router advertisements that don't come from us
              iifname != vxlanpublic icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
              # icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop

        }

        # This vlan
        chain brXX {
             ip6   saddr != 2001:db8:1::/64 drop;
        }

        chain vmXXXX {
             ether saddr != 00:0f:54:0c:11:04 drop;
             ip6   saddr != 2001:db8:1:000f::540c:11ff:fe04 drop;
             jump drop_from_vm_without_ipam
        }

        chain net_2a0ae5c05something {


        }

        chain drop_from_vm_without_ipam {

        }

        chain vmYYYY {
             ether saddr != 00:0f:54:0c:11:05 drop;
             jump drop_from_vm_with_ipam
        }

        # Drop stuff from every VM
        chain drop_from_vm_with_ipam {
              icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
        }
}
++ hacking in ucloud 2019-11-27 11:54:06 +01:00			`flush ruleset`

			`table bridge filter {`
			`chain prerouting {`
			`type filter hook prerouting priority 0;`
			`policy accept;`
			`ibrname br100 jump netpublic`
			`}`
			`chain netpublic {`
			`icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log`
			`}`
			`}`

			`table ip6 filter {`
			`chain forward {`
			`type filter hook forward priority 0;`

			`# this would be nice...`
			`policy drop;`

			`ct state established,related accept;`

			`}`

			`chain prerouting {`
			`type filter hook prerouting priority 0;`
			`policy accept;`

			`# not supporting in here!`


			`iifname vmXXXX jump vmXXXX`
			`iifname vmYYYY jump vmYYYY`

			`iifname brXX jump brXX`

			`iifname vxlan100 jump vxlan100`
			`iifname br100 jump br100`
			`}`

			`# 1. Rules per VM (names: vmXXXXX?`
			`# 2. Rules per network (names: vxlanXXXX, what about non vxlan?)`
			`# 3. Rules per bridge:`
			`# vxlanXX is inside brXX`
			`# This is effectively a network filter`
			`# 4. Kill all malicous traffic:`
			`# - router advertisements from VMs in which they should not announce RAs`



			`chain vxlan100 {`
			`icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log`
			`}`
			`chain br100 {`
			`icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log`
			`}`

			`chain netpublic {`
			`# drop router advertisements that don't come from us`
			`iifname != vxlanpublic icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop`
			`# icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop`

			`}`

			`# This vlan`
			`chain brXX {`
			`ip6 saddr != 2001:db8:1::/64 drop;`
			`}`

			`chain vmXXXX {`
			`ether saddr != 00:0f:54:0c:11:04 drop;`
++net notes Signed-off-by: Nico Schottelius <nico@nico-notebook.schottelius.org> 2019-12-07 00:49:57 +01:00			`ip6 saddr != 2001:db8:1:000f::540c:11ff:fe04 drop;`
			`jump drop_from_vm_without_ipam`
			`}`

			`chain net_2a0ae5c05something {`


			`}`

			`chain drop_from_vm_without_ipam {`

++ hacking in ucloud 2019-11-27 11:54:06 +01:00			`}`

			`chain vmYYYY {`
			`ether saddr != 00:0f:54:0c:11:05 drop;`
++net notes Signed-off-by: Nico Schottelius <nico@nico-notebook.schottelius.org> 2019-12-07 00:49:57 +01:00			`jump drop_from_vm_with_ipam`
			`}`

			`# Drop stuff from every VM`
			`chain drop_from_vm_with_ipam {`
			`icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop`
++ hacking in ucloud 2019-11-27 11:54:06 +01:00			`}`
			`}`