++ hacking in ucloud

2019-11-27 11:54:06 +01:00 · 2019-11-27 11:54:06 +01:00 · 5be0e26669
commit 5be0e26669
parent e890c45dbf
2 changed files with 84 additions and 0 deletions
--- a/hack/README.org
+++ b/hack/README.org
@ -0,0 +1,7 @@
+This directory contains unfinishe hacks / inspirations
+* firewalling / networking in ucloud
+** automatically route a network per VM - /64?
+** nft: one chain per VM on each vm host  (?)
+*** might have scaling issues?
+** firewall rules on each VM host
+   - mac filtering:
--- a/hack/nftables.conf
+++ b/hack/nftables.conf
@ -0,0 +1,77 @@
+flush ruleset
+
+table bridge filter {
+       chain prerouting {
+                type filter hook prerouting priority 0;
+                policy accept;
+                ibrname br100 jump netpublic
+                }
+       chain netpublic {
+       icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+       }
+}
+
+table ip6 filter {
+        chain forward {
+                type filter hook forward priority 0;
+
+                # this would be nice...
+                policy drop;
+
+                ct state established,related accept;
+
+        }
+
+        chain prerouting {
+                type filter hook prerouting priority 0;
+                policy accept;
+
+                # not supporting in here!
+
+
+                iifname vmXXXX jump vmXXXX
+                iifname vmYYYY jump vmYYYY
+
+                iifname brXX jump brXX
+
+                iifname vxlan100 jump vxlan100
+                iifname br100 jump br100
+        }
+
+        # 1. Rules per VM (names: vmXXXXX?
+        # 2. Rules per network (names: vxlanXXXX, what about non vxlan?)
+        # 3. Rules per bridge:
+        # vxlanXX is inside brXX
+        # This is effectively a network filter
+        # 4. Kill all malicous traffic:
+        # - router advertisements from VMs in which they should not announce RAs
+
+
+
+        chain vxlan100 {
+             icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+             }
+        chain br100 {
+              icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+        }
+
+        chain netpublic {
+              # drop router advertisements that don't come from us
+              iifname != vxlanpublic icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
+              # icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
+
+        }
+
+        # This vlan
+        chain brXX {
+             ip6   saddr != 2001:db8:1::/64 drop;
+        }
+
+        chain vmXXXX {
+             ether saddr != 00:0f:54:0c:11:04 drop;
+        }
+
+        chain vmYYYY {
+             ether saddr != 00:0f:54:0c:11:05 drop;
+        }
+}