IP Aliases - IP spoofing protection stops them working (802.1Q)

Hi,

IP aliases in networks with IP Spoofing Protection enabled don’t work reliably: 99% of the time they don’t work, then for some inexplicable reason a migration or an addition/deletion of an IP alias causes them to work.

Quite similar to this issue: IP spoofing not working, hijacking possible, except this one is 802.1Q.

We’ve tracked this down to the IP spoofing as we could see ICMP echo + reply in the VM, we could see echo + reply on the bridge, but we only saw the echo on the physical NIC VLAN.

If I manually add the alias IPs to the ipset:

ipset add one-28-0-ip-spoofing 172.16.8.197

Then the IP alias will function.

There’s nothing else writing rules into iptables either, and ebtables is empty.

Any help is greatly appreciated as this was working and somehow has managed to stop :confused:

Version: 6.0.0
HV OS: CentOS7

VM OS: CentOS7 Marketplace Template (Ubuntu Marketplace is the same, as is Windows)

VM NIC Config

NIC = [
  ALIAS_IDS = "1",
  AR_ID = "0",
  BRIDGE = "Shared",
  BRIDGE_TYPE = "linux",
  CLUSTER_ID = "0",
  FILTER_IP_SPOOFING = "YES",
  FILTER_MAC_SPOOFING = "YES",
  GATEWAY = "172.16.8.193",
  IP = "172.16.8.196",
  MAC = "02:00:55:76:ff:c4",
  NAME = "NIC0",
  NETWORK = "Shared (Nebula01)",
  NETWORK_ID = "0",
  NIC_ID = "0",
  PHYDEV = "Public",
  SECURITY_GROUPS = "0",
  TARGET = "one-28-0",
  VLAN_ID = "505",
  VN_MAD = "802.1Q" ]
NIC_ALIAS = [
  ALIAS_ID = "0",
  AR_ID = "0",
  BRIDGE = "Shared",
  BRIDGE_TYPE = "linux",
  CLUSTER_ID = "0",
  FILTER_IP_SPOOFING = "YES",
  FILTER_MAC_SPOOFING = "YES",
  GATEWAY = "172.16.8.193",
  IP = "172.16.8.197",
  MAC = "02:00:55:76:ff:c5",
  NAME = "NIC0_ALIAS1",
  NETWORK = "Shared (Nebula01)",
  NETWORK_ID = "0",
  NETWORK_UNAME = "oneadmin",
  NIC_ID = "1",
  PARENT = "NIC0",
  PARENT_ID = "0",
  PHYDEV = "Public",
  SECURITY_GROUPS = "0",
  TARGET = "one-28-1",
  VLAN_ID = "505",
  VN_MAD = "802.1Q" ]

onevnet show 0 -x

<VNET>
  <ID>0</ID>
  <UID>0</UID>
  <GID>0</GID>
  <UNAME>oneadmin</UNAME>
  <GNAME>oneadmin</GNAME>
  <NAME>Shared (Nebula01)</NAME>
  <PERMISSIONS>
    <OWNER_U>1</OWNER_U>
    <OWNER_M>1</OWNER_M>
    <OWNER_A>0</OWNER_A>
    <GROUP_U>0</GROUP_U>
    <GROUP_M>0</GROUP_M>
    <GROUP_A>0</GROUP_A>
    <OTHER_U>0</OTHER_U>
    <OTHER_M>0</OTHER_M>
    <OTHER_A>0</OTHER_A>
  </PERMISSIONS>
  <CLUSTERS>
    <ID>0</ID>
  </CLUSTERS>
  <BRIDGE><![CDATA[Shared]]></BRIDGE>
  <BRIDGE_TYPE><![CDATA[linux]]></BRIDGE_TYPE>
  <PARENT_NETWORK_ID/>
  <VN_MAD><![CDATA[802.1Q]]></VN_MAD>
  <PHYDEV><![CDATA[Public]]></PHYDEV>
  <VLAN_ID><![CDATA[505]]></VLAN_ID>
  <OUTER_VLAN_ID/>
  <VLAN_ID_AUTOMATIC>0</VLAN_ID_AUTOMATIC>
  <OUTER_VLAN_ID_AUTOMATIC>0</OUTER_VLAN_ID_AUTOMATIC>
  <USED_LEASES>6</USED_LEASES>
  <VROUTERS/>
  <TEMPLATE>
    <BRIDGE><![CDATA[Shared]]></BRIDGE>
    <BRIDGE_TYPE><![CDATA[linux]]></BRIDGE_TYPE>
    <DNS><![CDATA[8.8.8.8 8.8.4.4]]></DNS>
    <FILTER_IP_SPOOFING><![CDATA[YES]]></FILTER_IP_SPOOFING>
    <FILTER_MAC_SPOOFING><![CDATA[YES]]></FILTER_MAC_SPOOFING>
    <GATEWAY><![CDATA[172.16.8.193]]></GATEWAY>
    <NETWORK_ADDRESS><![CDATA[172.16.8.192]]></NETWORK_ADDRESS>
    <NETWORK_MASK><![CDATA[255.255.255.224]]></NETWORK_MASK>
    <OUTER_VLAN_ID><![CDATA[]]></OUTER_VLAN_ID>
    <PHYDEV><![CDATA[Public]]></PHYDEV>
    <SECURITY_GROUPS><![CDATA[0]]></SECURITY_GROUPS>
    <VLAN_ID><![CDATA[505]]></VLAN_ID>
    <VN_MAD><![CDATA[802.1Q]]></VN_MAD>
  </TEMPLATE>
  <AR_POOL>
    <AR>
      <AR_ID><![CDATA[0]]></AR_ID>
      <IP><![CDATA[172.16.8.194]]></IP>
      <MAC><![CDATA[02:00:55:76:ff:c2]]></MAC>
      <SIZE><![CDATA[30]]></SIZE>
      <TYPE><![CDATA[IP4]]></TYPE>
      <MAC_END><![CDATA[02:00:55:76:ff:df]]></MAC_END>
      <IP_END><![CDATA[172.16.8.223]]></IP_END>
      <USED_LEASES>2</USED_LEASES>
      <LEASES>
        <LEASE>
          <IP><![CDATA[172.16.8.196]]></IP>
          <MAC><![CDATA[02:00:55:76:ff:c4]]></MAC>
          <VM><![CDATA[28]]></VM>
        </LEASE>
        <LEASE>
          <IP><![CDATA[172.16.8.197]]></IP>
          <MAC><![CDATA[02:00:55:76:ff:c5]]></MAC>
          <VM><![CDATA[28]]></VM>
        </LEASE>
      </LEASES>
    </AR>
  </AR_POOL>
</VNET>

iptables-save

-A one-28-0-i -m state --state RELATED,ESTABLISHED -j RETURN
-A one-28-0-i -j RETURN
-A one-28-0-i -j DROP
-A one-28-0-o -m mac ! --mac-source 02:00:55:76:FF:C4 -j DROP
-A one-28-0-o -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A one-28-0-o -m set ! --match-set one-28-0-ip-spoofing src -j DROP
-A one-28-0-o -m state --state RELATED,ESTABLISHED -j RETURN
-A one-28-0-o -j RETURN
-A one-28-0-o -j DROP
-A opennebula -m physdev --physdev-in one-28-0 --physdev-is-bridged -j one-28-0-o
-A opennebula -m physdev --physdev-out one-28-0 --physdev-is-bridged -j one-28-0-i

ipset list

Name: one-28-0-ip-spoofing
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 168
References: 1
Number of entries: 1
Members:
172.16.8.196
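A stand-alone check for the symptom described in this post, added here as an example and not part of the original thread or of OpenNebula: it parses the VM's NIC / NIC_ALIAS template and the `ipset list` output and reports every alias IP that is missing from its parent NIC's anti-spoofing set. It assumes the set naming seen above (`<parent TARGET>-ip-spoofing`) and that aliases must be members of the parent NIC's set; both sample inputs are constructed from the values in the post.

```python
import re
# Constructed sample input, taken from the values shown in the post: the VM's
# NIC / NIC_ALIAS template (trimmed to the relevant keys) and `ipset list`.
NIC_TEMPLATE = """
NIC = [ FILTER_IP_SPOOFING = "YES", IP = "172.16.8.196", NAME = "NIC0", TARGET = "one-28-0" ]
NIC_ALIAS = [ FILTER_IP_SPOOFING = "YES", IP = "172.16.8.197", NAME = "NIC0_ALIAS1",
  PARENT = "NIC0", TARGET = "one-28-1" ]
"""
IPSET_LIST = """
Name: one-28-0-ip-spoofing
Header: family inet hashsize 1024 maxelem 65536
Members:
172.16.8.196
"""

def parse_template(text):
    """Yield (kind, attrs) for every NIC / NIC_ALIAS block in a VM template."""
    for kind, body in re.findall(r"^(NIC|NIC_ALIAS)\s*=\s*\[(.*?)\]", text, re.M | re.S):
        yield kind, dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', body))

def parse_ipset_list(text):
    """Return {set_name: {members}} from `ipset list` output."""
    sets, current, in_members = {}, None, False
    for line in text.splitlines():
        if line.startswith("Name:"):
            current = sets.setdefault(line.split(":", 1)[1].strip(), set())
            in_members = False
        elif line.startswith("Members:"):
            in_members = True
        elif current is not None and in_members and line.strip():
            current.add(line.strip())
    return sets

def missing_alias_entries(template_text, ipset_text):
    """Return [(set_name, ip)] for alias IPs absent from the parent NIC's set."""
    # Assumption (from the post's output): the set is named <parent TARGET>-ip-spoofing.
    blocks = list(parse_template(template_text))
    nics = {a["NAME"]: a for kind, a in blocks if kind == "NIC"}
    sets = parse_ipset_list(ipset_text)
    missing = []
    for kind, alias in blocks:
        if kind != "NIC_ALIAS" or alias.get("FILTER_IP_SPOOFING") != "YES":
            continue
        set_name = nics[alias["PARENT"]]["TARGET"] + "-ip-spoofing"
        if alias["IP"] not in sets.get(set_name, set()):
            missing.append((set_name, alias["IP"]))
    return missing

if __name__ == "__main__":
    # Print the manual repair command from the post for every gap found.
    for set_name, ip in missing_alias_entries(NIC_TEMPLATE, IPSET_LIST):
        print(f"ipset add {set_name} {ip}")
```

On a hypervisor, feed it the live `onevm show -x` template and `ipset list` output instead of the constructed strings.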

There are known issues with the IP spoofing filters not fixed for a long time.
I’ve proposed a fix and refactored it when requested, but it was not accepted…

So I’ve refactored the fixes as an external module addon-vnfilter which is working flawlessly on several installations.

You could give it a try.

Hope this helps.

Hi Mr. Anton, thank you very much for the information. I had some issues with the IP Spoofing Filter :slight_smile: This is very helpful.

Hi @ghostmansg, @atodorov_storpool ,

We’ll merge the changes necessary to perform IP spoofing on NIC aliases for next release.

Cheers.

Thanks Anton, I did wonder if it was related but I could only see it mentioned for TN_MAD=fw. Will take a look at the module. Top work as always from Storpool :slight_smile:

All sorted with the vnfilter addon and a tiny patch from Anton.

@rdiaz, @ahuertas

The proposed fix for the discovered bug in OpenNebula 6.*.1.

And it is confirmed that addon-vnfilter works with ONE 6.*.1 too. :sunglasses:

Cheers!


Hi,

The changes to fix this issue have been merged into master.

Cheers.