Add some examples filters

This patch adds some example filters to libvirt. They are automatically installed into the proper directory for libvirt to pick them up.

Add some examples filters
This patch adds some example filters to libvirt. They are automatically installed into the proper directory for libvirt to pick them up.
e3a7137a · Stefan Berger · Daniel P. Berrange · 1130085c · e3a7137a · e3a7137a
15 changed file
--- a/Makefile.am
+++ b/Makefile.am
@@ -5,7 +5,8 @@ GENHTML = genhtml

 SUBDIRS = gnulib/lib include src daemon tools proxy docs gnulib/tests \
  python tests po examples/domain-events/events-c examples/hellolibvirt \
-  examples/dominfo examples/domsuspend examples/python examples/apparmor
+  examples/dominfo examples/domsuspend examples/python examples/apparmor \
+  examples/xml/nwfilter

 ACLOCAL_AMFLAGS = -I m4 -I gnulib/m4


--- a/configure.ac
+++ b/configure.ac
@@ -1987,7 +1987,8 @@ AC_OUTPUT(Makefile src/Makefile include/Makefile docs/Makefile \
          examples/domsuspend/Makefile \
          examples/dominfo/Makefile \
          examples/python/Makefile \
-          examples/hellolibvirt/Makefile)
+          examples/hellolibvirt/Makefile \
+          examples/xml/nwfilter/Makefile)

 AC_MSG_NOTICE([])
 AC_MSG_NOTICE([Configuration summary])

--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
+
+FILTERS = \
+	allow-arp.xml \
+	allow-dhcp-server.xml \
+	allow-dhcp.xml \
+	allow-incoming-ipv4.xml \
+	allow-ipv4.xml \
+	clean-traffic.xml \
+	no-arp-spoofing.xml \
+	no-ip-multicast.xml \
+	no-ip-spoofing.xml \
+	no-mac-broadcast.xml \
+	no-mac-spoofing.xml \
+	no-other-l2-traffic.xml
+
+confdir = $(sysconfdir)/libvirt
+
+NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
+
+install-data-local:
+	$(MKDIR_P) "$(NWFILTER_DIR)"
+	for f in $(FILTERS); do \
+		$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
+	done
+
+uninstall-local::
+	for f in $(FILTERS); do \
+		rm -f "$(NWFILTER_DIR)/$$f"; \
+	done
+	-test -z $(shell ls $(NWFILTER_DIR)) || rmdir $(NWFILTER_DIR)
--- a/examples/xml/nwfilter/allow-arp.xml
+++ b/examples/xml/nwfilter/allow-arp.xml
+<filter name='allow-arp' chain='arp'>
+  <rule direction='inout' action='accept'/>
+</filter>
--- a/examples/xml/nwfilter/allow-dhcp-server.xml
+++ b/examples/xml/nwfilter/allow-dhcp-server.xml
+<filter name='allow-dhcp-server' chain='ipv4'>
+
+    <!-- accept outgoing DHCP requests -->
+    <!-- note, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast -->
+    <rule action='accept' direction='out' priority='100'>
+        <ip srcipaddr='0.0.0.0'
+            dstipaddr='255.255.255.255'
+            protocol='udp'
+            srcportstart='68'
+            dstportstart='67' />
+    </rule>
+
+    <!-- accept incoming DHCP responses from a specific DHCP server
+         parameter DHPCSERVER needs to be passed from where this filter is
+         referenced -->
+    <rule action='accept' direction='in' priority='100' >
+        <ip srcipaddr='$DHCPSERVER'
+            protocol='udp'
+            srcportstart='67'
+            dstportstart='68'/>
+    </rule>
+
+</filter>
--- a/examples/xml/nwfilter/allow-dhcp.xml
+++ b/examples/xml/nwfilter/allow-dhcp.xml
+<filter name='allow-dhcp' chain='ipv4'>
+
+    <!-- accept outgoing DHCP requests -->
+    <!-- not, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast -->
+    <rule action='accept' direction='out' priority='100'>
+        <ip srcipaddr='0.0.0.0'
+            dstipaddr='255.255.255.255'
+            protocol='udp'
+            srcportstart='68'
+            dstportstart='67' />
+    </rule>
+
+    <!-- accept incoming DHCP responses from any DHCP server -->
+    <rule action='accept' direction='in' priority='100' >
+        <ip protocol='udp'
+            srcportstart='67'
+            dstportstart='68'/>
+    </rule>
+
+</filter>
--- a/examples/xml/nwfilter/allow-incoming-ipv4.xml
+++ b/examples/xml/nwfilter/allow-incoming-ipv4.xml
+<filter name='allow-incoming-ipv4' chain='ipv4'>
+  <rule direction='in' action='accept'/>
+</filter>
--- a/examples/xml/nwfilter/allow-ipv4.xml
+++ b/examples/xml/nwfilter/allow-ipv4.xml
+<filter name='allow-ipv4' chain='ipv4'>
+  <rule direction='inout' action='accept'/>
+</filter>
--- a/examples/xml/nwfilter/clean-traffic.xml
+++ b/examples/xml/nwfilter/clean-traffic.xml
+<filter name='clean-traffic'>
+   <!-- An example of a traffic filter enforcing clean traffic
+        from a VM by
+      - preventing MAC spoofing -->
+   <filterref filter='no-mac-spoofing'/>
+
+   <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+   <filterref filter='no-ip-spoofing'/>
+   <filterref filter='allow-incoming-ipv4'/>
+
+   <!-- preventing ARP spoofing/poisoning -->
+   <filterref filter='no-arp-spoofing'/>
+
+   <!-- preventing any other traffic than IPv4 and ARP -->
+   <filterref filter='no-other-l2-traffic'/>
+
+</filter>
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
+<filter name='no-arp-spoofing' chain='arp'>
+   <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
+
+   <!-- no arp spoofing -->
+   <!-- drop if ipaddr or macaddr does not belong to guest -->
+   <rule action='drop' direction='out' priority='400' >
+       <arp match='no' arpsrcmacaddr='$MAC'/>
+   </rule>
+   <rule action='drop' direction='out' priority='400' >
+       <arp match='no' arpsrcipaddr='$IP' />
+   </rule>
+   <!-- drop if ipaddr or macaddr odes not belong to guest -->
+   <rule action='drop' direction='in' priority='400' >
+       <arp match='no' arpdstmacaddr='$MAC'/>
+       <arp opcode='reply'/>
+   </rule>
+   <rule action='drop' direction='in' priority='400' >
+       <arp match='no' arpdstipaddr='$IP' />
+   </rule>
+   <!-- accept only request or reply packets -->
+   <rule action='accept' direction='inout' priority='500' >
+       <arp opcode='request'/>
+   </rule>
+   <rule action='accept' direction='inout' priority='500' >
+       <arp opcode='reply'/>
+   </rule>
+   <!-- drop everything else -->
+   <rule action='drop' direction='inout' priority='1000' />
+</filter>
--- a/examples/xml/nwfilter/no-ip-multicast.xml
+++ b/examples/xml/nwfilter/no-ip-multicast.xml
+<filter name='no-ip-multicast' chain='ipv4'>
+
+    <!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
+    <rule action='drop' direction='out'>
+        <ip dstipaddr='224.0.0.0' dstipmask='4' />
+    </rule>
+
+    <!-- not doing anything with receiving side ... -->
+</filter>
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
+<filter name='no-ip-spoofing' chain='ipv4'>
+
+    <!-- drop if srcipaddr is not the IP address of the guest -->
+    <rule action='drop' direction='out'>
+        <ip match='no' srcipaddr='$IP' />
+    </rule>
+</filter>
--- a/examples/xml/nwfilter/no-mac-broadcast.xml
+++ b/examples/xml/nwfilter/no-mac-broadcast.xml
+<filter name='no-mac-broadcast' chain='ipv4'>
+    <!-- drop if destination mac is bcast mac addr. -->
+    <rule action='drop' direction='out'>
+        <mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
+    </rule>
+
+    <!-- not doing anything with receiving side ... -->
+</filter>
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
+<filter name='no-mac-spoofing' chain='ipv4'>
+  <rule action='drop' direction='out' priority='10'>
+      <mac match='no' srcmacaddr='$MAC' />
+  </rule>
+</filter>
--- a/examples/xml/nwfilter/no-other-l2-traffic.xml
+++ b/examples/xml/nwfilter/no-other-l2-traffic.xml
+<filter name='no-other-l2-traffic'>
+
+    <!-- drop all other l2 traffic than for which rules have been
+         written for; i.e., drop all other than arp and ipv4 traffic -->
+    <rule action='drop' direction='inout' priority='1000'/>
+
+</filter>