From 5be0e26669bcb30e81fc095c8fe835de6b9c917d Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Wed, 27 Nov 2019 11:54:06 +0100
Subject: [PATCH] ++ hacking in ucloud
---
 hack/README.org | 7 +++++
 hack/nftables.conf | 77 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 hack/README.org
 create mode 100644 hack/nftables.conf
diff --git a/hack/README.org b/hack/README.org
new file mode 100644
index 0000000..a4668dd
--- /dev/null
+++ b/hack/README.org
@@ -0,0 +1,7 @@
+This directory contains unfinishe hacks / inspirations
+* firewalling / networking in ucloud
+** automatically route a network per VM - /64?
+** nft: one chain per VM on each vm host (?)
+*** might have scaling issues?
+** firewall rules on each VM host
+ - mac filtering:
diff --git a/hack/nftables.conf b/hack/nftables.conf
new file mode 100644
index 0000000..3758db0
--- /dev/null
+++ b/hack/nftables.conf
@@ -0,0 +1,77 @@
+flush ruleset
+
+table bridge filter {
+ chain prerouting {
+ type filter hook prerouting priority 0;
+ policy accept;
+ ibrname br100 jump netpublic
+ }
+ chain netpublic {
+ icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+ }
+}
+
+table ip6 filter {
+ chain forward {
+ type filter hook forward priority 0;
+
+ # this would be nice...
+ policy drop;
+
+ ct state established,related accept;
+
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority 0;
+ policy accept;
+
+ # not supporting in here!
+
+
+ iifname vmXXXX jump vmXXXX
+ iifname vmYYYY jump vmYYYY
+
+ iifname brXX jump brXX
+
+ iifname vxlan100 jump vxlan100
+ iifname br100 jump br100
+ }
+
+ # 1. Rules per VM (names: vmXXXXX?
+ # 2. Rules per network (names: vxlanXXXX, what about non vxlan?)
+ # 3. Rules per bridge:
+ # vxlanXX is inside brXX
+ # This is effectively a network filter
+ # 4. Kill all malicous traffic:
+ # - router advertisements from VMs in which they should not announce RAs
+
+
+
+ chain vxlan100 {
+ icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+ }
+ chain br100 {
+ icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+ }
+
+ chain netpublic {
+ # drop router advertisements that don't come from us
+ iifname != vxlanpublic icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
+ # icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
+
+ }
+
+ # This vlan
+ chain brXX {
+ ip6 saddr != 2001:db8:1::/64 drop;
+ }
+
+ chain vmXXXX {
+ ether saddr != 00:0f:54:0c:11:04 drop;
+ }
+
+ chain vmYYYY {
+ ether saddr != 00:0f:54:0c:11:05 drop;
+ }
+}
\ No newline at end of file
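Review bot: The only rule that actually drops rogue router advertisements, `iifname != vxlanpublic icmpv6 type {...} drop` in the ip6 `netpublic` chain, is unreachable: `prerouting` in `table ip6 filter` jumps to the per-VM, brXX, vxlan100 and br100 chains but never to `netpublic`, and the bridge-table chain of the same name only logs, so RAs sent by a VM onto br100 still pass even though the "Kill all malicous traffic" comment lists exactly that case. Reaching it needs a dispatch line such as `iifname br100 jump netpublic` in the ip6 prerouting chain, or the drop moved into the per-VM chains where the ingress interface is already fixed. The ICMPv6 set on that rule is also too broad for its stated purpose: once reachable, dropping nd-neighbor-solicit and nd-neighbor-advert from every interface except vxlanpublic would break neighbour discovery for the VMs themselves, so restrict it to `iifname != vxlanpublic icmpv6 type nd-router-advert drop` (nd-redirect at most). Note too that the `ether saddr` and `ip6 saddr` filters live only in the ip6 family, so IPv4 and non-IP frames arriving on the same VM interfaces are not covered by them; if that is deliberate for this hack, a comment on `table ip6 filter` saying so would save the next reader the surprise.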