++ hacking in ucloud
This commit is contained in:
		
					parent
					
						
							
								e890c45dbf
							
						
					
				
			
			
				commit
				
					
						5be0e26669
					
				
			
		
					 2 changed files with 84 additions and 0 deletions
				
			
		
							
								
								
									
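--- a/hack/README.org
+++ b/hack/README.org
@@ -0,0 +1,7 @@
+This directory contains unfinishe hacks / inspirations
+* firewalling / networking in ucloud
+** automatically route a network per VM - /64?
+** nft: one chain per VM on each vm host  (?)
+*** might have scaling issues?
+** firewall rules on each VM host
+   - mac filtering: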
							
								
								
									
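--- a/hack/nftables.conf
+++ b/hack/nftables.conf
@@ -0,0 +1,77 @@
+flush ruleset
+
+table bridge filter {
+       chain prerouting {
+                type filter hook prerouting priority 0;
+                policy accept;
+                ibrname br100 jump netpublic
+                }
+       chain netpublic {
+       icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+       }
+}
+
+table ip6 filter {
+        chain forward {
+                type filter hook forward priority 0;
+
+                # this would be nice...
+                policy drop;
+
+                ct state established,related accept;
+
+        }
+
+        chain prerouting {
+                type filter hook prerouting priority 0;
+                policy accept;
+
+                # not supporting in here!
+
+
+                iifname vmXXXX jump vmXXXX
+                iifname vmYYYY jump vmYYYY
+
+                iifname brXX jump brXX
+
+                iifname vxlan100 jump vxlan100
+                iifname br100 jump br100
+        }
+
+        # 1. Rules per VM (names: vmXXXXX?
+        # 2. Rules per network (names: vxlanXXXX, what about non vxlan?)
+        # 3. Rules per bridge:
+        # vxlanXX is inside brXX
+        # This is effectively a network filter
+        # 4. Kill all malicous traffic:
+        # - router advertisements from VMs in which they should not announce RAs
+
+
+
+        chain vxlan100 {
+             icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+             }
+        chain br100 {
+              icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+        }
+
+        chain netpublic {
+              # drop router advertisements that don't come from us
+              iifname != vxlanpublic icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
+              # icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
+
+        }
+
+        # This vlan
+        chain brXX {
+             ip6   saddr != 2001:db8:1::/64 drop;
+        }
+
+        chain vmXXXX {
+             ether saddr != 00:0f:54:0c:11:04 drop;
+        }
+
+        chain vmYYYY {
+             ether saddr != 00:0f:54:0c:11:05 drop;
+        }
+}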
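Review bot: The `iifname != vxlanpublic ... drop` rule in the ip6 `netpublic` chain is unreachable, and its match set is wider than its comment says. Nothing in the ip6 `prerouting` chain jumps to `netpublic` (only the bridge-family `netpublic`, reached via `ibrname br100 jump netpublic`, runs, and that chain only logs), so no router advertisement is actually dropped by this ruleset. Once wired in, the set `{nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect}` would also discard neighbor solicitation/advertisement arriving on every VM-facing interface and break IPv6 address resolution and DAD for the guests; the comment's stated intent is covered by `iifname != vxlanpublic icmpv6 type { nd-router-advert, nd-redirect } drop`. The same concern applies to `chain brXX`: `ip6 saddr != 2001:db8:1::/64 drop` also drops link-local (fe80::/64) sourced ND traffic, so that rule presumably needs an `ip6 saddr fe80::/64 accept` ahead of it, or a set holding both prefixes, before it is used on a real bridge.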