[pve-devel] [PATCH] add ipfilter protection (ip anti-spoofing)

[Alexandre Derumier]

ipfilter:1|0

this drop packets if guest ip address is different than ipaddress defined in vm config)

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 src/PVE/Firewall.pm |   35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index e8c05eb..eedec74 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1624,11 +1624,13 @@ sub ruleset_chain_add_input_filters {
 }
 
 sub ruleset_create_vm_chain {
-    my ($ruleset, $chain, $options, $macaddr, $direction) = @_;
+    my ($ruleset, $chain, $options, $macaddr, $direction, $ipfilterchain) = @_;
 
     ruleset_create_chain($ruleset, $chain);
     my $accept = generate_nfqueue($options);
 
+    ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilterchain src -j DROP") if (!(defined($options->{ipfilter}) && $options->{ipfilter} == 0)) && $ipfilterchain;
+
     if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
 	if ($direction eq 'OUT') {
 	    ruleset_generate_rule($ruleset, $chain, { action => 'PVEFW-SET-ACCEPT-MARK',
@@ -1774,7 +1776,7 @@ sub generate_venet_rules_direction {
 }
 
 sub generate_tap_rules_direction {
-    my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction) = @_;
+    my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction, $ipfilterchain) = @_;
 
     my $lc_direction = lc($direction);
 
@@ -1785,7 +1787,7 @@ sub generate_tap_rules_direction {
 
     my $tapchain = "$iface-$direction";
 
-    ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
+    ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction, $ipfilterchain);
 
     ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options);
 
@@ -2052,7 +2054,7 @@ sub parse_vmfw_option {
 
     my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
 
-    if ($line =~ m/^(enable|dhcp|macfilter|ips):\s*(0|1)\s*$/i) {
+    if ($line =~ m/^(enable|dhcp|macfilter|ipfilter|ips):\s*(0|1)\s*$/i) {
 	$opt = lc($1);
 	$value = int($2);
     } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) {
@@ -2849,12 +2851,31 @@ sub compile {
 		my $net = PVE::QemuServer::parse_net($conf->{$netid});
 		next if !$net->{firewall};
 		my $iface = "tap${vmid}i$1";
-
+	
 		my $macaddr = $net->{macaddr};
+		
+		my $ipfilterchain = undef;
+		my $ipaddress = $net->{ipaddress};
+		if($ipaddress){
+		    parse_address_list($ipaddress); 
+		    my @ips = split(',', $ipaddress);
+		    my $tapipset = {};
+		    $tapipset->{vmid} = $vmid;
+		    foreach my $singleip (@ips) {
+			my $ipset = {};
+			$ipset->{cidr} = $singleip;
+			push @{$tapipset->{ipset}->{$iface}}, $ipset;
+
+		    }
+		    generate_ipset_chains($ipset_ruleset, undef, $tapipset);
+		    $ipfilterchain = compute_ipset_chain_name($vmid, $iface);
+
+                }
+
 		generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
-					     $vmfw_conf, $vmid, 'IN');
+					     $vmfw_conf, $vmid, 'IN', $ipfilterchain);
 		generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
-					     $vmfw_conf, $vmid, 'OUT');
+					     $vmfw_conf, $vmid, 'OUT', $ipfilterchain);
 	    }
 	};
 	warn $@ if $@; # just to be sure - should not happen
-- 
1.7.10.4