OpenNebula addon to complete the spoofing filter rules generated by OpenNebula
The following use cases are covered:
- Alias IPv4 and IPv6 spoofing filtering when Alias is attached to Ethernet only NIC (VNM/post.d)
- Alias IPv4 and IPv6 spoofing filtering when Alias is detached from Ethernet only NIC (VNM/clean.d)
- Alias IPv4 and IPv6 spoofing filtering on Alias hotplug (via Host hook)
- ARP filtering when FILTER_MAC_SPOOFING is enabled
The currently supported VN MADs are 802.1Q and fw (Bridged & Security Groups).
Copy the files on the front-end and change the ownership to the oneadmin user
cp -a remotes/ /var/lib/one/
chown -R oneadmin.oneadmin /var/lib/one/remotes/
Install the nokogiri rubygem on the hosts. The following example is for CentOS 7; check the OS docs/packages if another OS is used.
yum -y --enablerepo=epel install rubygem-nokogiri
AlmaLinux/Rocky have no rubygem-nokogiri in EPEL, so install the opennebula-rubygems package from OpenNebula 5.12+ on the hosts instead.
dnf -y install opennebula-rubygems
For Ubuntu:
sudo apt -y install opennebula-rubygems
Allow oneadmin to execute ebtables-save via sudo on the hosts.
echo "oneadmin ALL=(ALL) NOPASSWD: /usr/sbin/ebtables-save" |sudo tee /etc/sudoers.d/vnfilter
sudo chmod 0440 /etc/sudoers.d/vnfilter
Sync the OpenNebula MADs to the hosts
su - oneadmin
onehost sync --force
Register the hook
onehook create vnfilter.hooktemplate
The addon uses the VN_MAD and HOOK systems redesigned in OpenNebula 5.10 to extend the functionality as follows:
- vnm/MAD/post.d/vnfilter_post - The script is called when a VM is started or a NIC interface is added. The integration is almost flawless. In the case where an Ethernet-only NIC is defined with all IPs assigned as Alias IPs, the addon patches the iptables chains generated by OpenNebula using a hard-coded offset to add the IP-spoofing whitelist chain. Currently the offsets are 2 for the IPv4 chains and 5 for the IPv6 chains (works for OpenNebula 5.10.0 and 5.10.1).
- vnm/MAD/clean.d/vnfilter_clean - The script is called when a VM is stopped or a NIC interface is removed, to remove the anti-spoofing rules.
- hooks/alias_ip/vnfilter.rb - The script is registered as a Host hook and is executed on the hosts. It covers the handling of hotplug add and remove of Alias IPs (both IPv4 and IPv6).
The ARP filtering is implemented using ebtables; the rules follow the ARP spoofing filters implemented in libvirt.
Once enabled, it is enough to live-migrate a VM for the new rules to be applied to the VM interfaces on the host.
There is a lot of room for improvements and not all use cases have been tested, so pull requests are highly appreciated.
The scripts log all issued commands to syslog, so it is good to take a look there besides looking at the iptables, ebtables (nat table) and ipset rules.
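The ARP filter described above (ebtables rules in the nat table, modelled on libvirt's ARP spoofing filters) and the suggested check of the ebtables rules, as an added shell example that is not the addon's own code: it prints the expected rule set for one VM interface and audits an ebtables-save dump for it. The interface name, MAC, IP, chain name "one-42-0-arp" and the sample dump are constructed, and the exact "-A ..." line format of ebtables-save output is an assumption.

```shell
# Added example (not part of the vnfilter addon or OpenNebula): emit the
# libvirt-style ebtables ARP anti-spoofing rules for one VM tap interface,
# direction VM -> bridge, and audit a "sudo ebtables-save" nat-table dump for
# them. Chain name "one-42-0-arp" and the sample dump are constructed, and real
# ebtables-save output is assumed to print rules in this "-A ..." form.

# arp_rules IFACE MAC IPV4 CHAIN: print the expected rules, ebtables-save style.
# Only ARP whose sender MAC and sender IP are the VM's own may pass, and only
# Request/Reply opcodes, mirroring libvirt's no-arp-spoofing filters.
arp_rules() {
    printf '%s\n' \
        "-A PREROUTING -i $1 -j $4" \
        "-A $4 -p ARP --arp-mac-src ! $2 -j DROP" \
        "-A $4 -p ARP --arp-ip-src ! $3 -j DROP" \
        "-A $4 -p ARP --arp-opcode Request -j ACCEPT" \
        "-A $4 -p ARP --arp-opcode Reply -j ACCEPT" \
        "-A $4 -p ARP -j DROP"
}

# arp_rules_missing DUMP IFACE MAC IPV4 CHAIN: print every expected rule that
# is absent from the dump file DUMP (exact, whole-line match).
arp_rules_missing() {
    dump=$1; shift
    arp_rules "$@" | while IFS= read -r rule; do
        grep -qxF -- "$rule" "$dump" || printf '%s\n' "$rule"
    done
}

# arp_rules_ok DUMP IFACE MAC IPV4 CHAIN: succeed only if nothing is missing.
arp_rules_ok() {
    [ -z "$(arp_rules_missing "$@")" ]
}

# Demo on a constructed dump where the --arp-ip-src rule was left out, so the
# VM could still answer ARP for another host's IP: the audit reports that rule.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
*nat
:PREROUTING ACCEPT
:one-42-0-arp ACCEPT
-A PREROUTING -i one-42-0 -j one-42-0-arp
-A one-42-0-arp -p ARP --arp-mac-src ! 02:00:0a:00:00:05 -j DROP
-A one-42-0-arp -p ARP --arp-opcode Request -j ACCEPT
-A one-42-0-arp -p ARP --arp-opcode Reply -j ACCEPT
-A one-42-0-arp -p ARP -j DROP
EOF
arp_rules_missing "$SAMPLE_DUMP" one-42-0 02:00:0a:00:00:05 10.0.0.5 one-42-0-arp
rm -f "$SAMPLE_DUMP"
```

On a real host, feed the output of `sudo ebtables-save` to arp_rules_missing with the VM's tap interface, MAC and IP to see which anti-spoofing rules are absent.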
The uninstall procedure is in two steps as follows:
- Step 1
  - delete the vnfilter hook with
onehook delete $VNFILTER_HOOK_ID
  - delete the post.d files on the frontend(s)
rm /var/lib/one/remotes/vnm/*/post.d/vnfilter*
  - delete the post.d files on the hosts
rm /var/tmp/one/vnm/*/post.d/vnfilter*
  - migrate (live) the VMs between the hosts
- Step 2
  - delete the clean.d files on the frontend(s)
rm /var/lib/one/remotes/vnm/*/clean.d/vnfilter*
  - delete the clean.d files on the hosts
rm /var/tmp/one/vnm/*/clean.d/vnfilter*
  - delete the rest of the vnfilter files on the frontend(s)
rm /var/lib/one/remotes/vnm/vnfilter* /var/lib/one/remotes/hooks/alias_ip/vnfilter*
  - delete the rest of the vnfilter files on the hosts
rm /var/tmp/one/vnm/vnfilter* /var/tmp/one/hooks/alias_ip/vnfilter* /etc/sudoers.d/vnfilter