++net notes

Signed-off-by: Nico Schottelius <nico@nico-notebook.schottelius.org>

ucloud/hack/README.org

@@ -5,3 +5,9 @@ This directory contains unfinishe hacks / inspirations
 *** might have scaling issues?
 ** firewall rules on each VM host
    - mac filtering:
+* To add / block
+** TODO arp poisoning
+** TODO ndp "poisoning"
+** TODO ipv4 dhcp server
+*** drop dhcpv4 requests
+*** drop dhcpv4 answers

ucloud/hack/nftables.conf

@@ -69,9 +69,26 @@ table ip6 filter {
 
         chain vmXXXX {
              ether saddr != 00:0f:54:0c:11:04 drop;
+             ip6   saddr != 2001:db8:1:000f::540c:11ff:fe04 drop;
+             jump drop_from_vm_without_ipam
+        }
+
+        chain net_2a0ae5c05something {
+
+
+        }
+
+        chain drop_from_vm_without_ipam {
+
         }
 
         chain vmYYYY {
              ether saddr != 00:0f:54:0c:11:05 drop;
+             jump drop_from_vm_with_ipam
+        }
+
+        # Drop stuff from every VM
+        chain drop_from_vm_with_ipam {
+              icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
         }
 }