To cover some cases, it is patching the iptables chains generated by OpenNebula using hard-coded offsets, so it is suitable/tested for OpenNebula 5.10.0 and 5.10.1. If there are changes in the iptables rules in the future, the offsets could be fixed. I hope that the spoofing filters will be fixed upstream and will try to keep the code working until that time.
I am working on extending it to handle https://github.com/OpenNebula/one/issues/3079 but haven’t enough time to work on it. The refactoring is to define the MAC filtering in an ebtables sub-chain with default policy drop that allows all MACs (IP and “alias” ones). The VNM filter should be extended too. I think the entire MAC spoofing filters should be redesigned because they could be handled entirely with ebtables. Currently they are implemented in the ONE iptables rules and only the ARP spoofing is implemented with ebtables…
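
A sketch of the sub-chain layout described in the post, added here as an example and not the author's or OpenNebula's code: it only prints the ebtables commands for one NIC instead of running them. The `-mac` chain suffix, the tap device name and the MAC addresses are constructed assumptions.

```shell
#!/bin/sh
# Added sketch: print (do not execute) ebtables commands that build a
# per-NIC MAC allow-list sub-chain with default policy DROP.
# Device name, chain suffix and MACs are constructed sample values.

# valid_mac MAC -> succeeds only for six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_filter_rules TAP_DEVICE MAC...
# Validates every input first and prints nothing on error, so a bad
# entry can never yield a half-built chain.
mac_filter_rules() {
    dev=$1; shift
    chain="${dev}-mac"    # hypothetical naming scheme
    [ "$#" -gt 0 ] || { echo "no MACs given" >&2; return 1; }
    # ebtables limits user-defined chain names to 31 characters
    [ "${#chain}" -le 31 ] || { echo "chain name too long" >&2; return 1; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done

    echo "ebtables -t filter -N $chain"
    echo "ebtables -t filter -P $chain DROP"
    # One rule per allowed source MAC (the NIC's own MAC plus alias MACs).
    # RETURN hands the frame back to the parent chain so later filters
    # (for example ARP checks) still apply; anything else hits the DROP policy.
    for mac in "$@"; do
        echo "ebtables -t filter -A $chain -s $mac -j RETURN"
    done
    # The jump is added last, so traffic is steered into the chain only
    # once the allow-list is complete.
    echo "ebtables -t filter -A FORWARD -i $dev -j $chain"
}

# Constructed input: one VM NIC with a primary and an alias MAC.
mac_filter_rules one-10-0 02:00:0a:00:00:05 02:00:0a:00:00:06
```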