From e3a7137ac29dbb06a5ccbaf7b51c96ab9de745a6 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@us.ibm.com>
Date: Thu, 25 Mar 2010 13:46:13 -0400
Subject: [PATCH] Add some examples filters

This patch adds some example filters to libvirt. They are automatically
installed into the proper directory for libvirt to pick them up.
---
 Makefile.am                                   |  3 +-
 configure.ac                                  |  3 +-
 examples/xml/nwfilter/Makefile.am             | 30 +++++++++++++++++++
 examples/xml/nwfilter/allow-arp.xml           |  3 ++
 examples/xml/nwfilter/allow-dhcp-server.xml   | 24 +++++++++++++++
 examples/xml/nwfilter/allow-dhcp.xml          | 21 +++++++++++++
 examples/xml/nwfilter/allow-incoming-ipv4.xml |  3 ++
 examples/xml/nwfilter/allow-ipv4.xml          |  3 ++
 examples/xml/nwfilter/clean-traffic.xml       | 17 +++++++++++
 examples/xml/nwfilter/no-arp-spoofing.xml     | 29 ++++++++++++++++++
 examples/xml/nwfilter/no-ip-multicast.xml     |  9 ++++++
 examples/xml/nwfilter/no-ip-spoofing.xml      |  7 +++++
 examples/xml/nwfilter/no-mac-broadcast.xml    |  8 +++++
 examples/xml/nwfilter/no-mac-spoofing.xml     |  5 ++++
 examples/xml/nwfilter/no-other-l2-traffic.xml |  7 +++++
 15 files changed, 170 insertions(+), 2 deletions(-)
 create mode 100644 examples/xml/nwfilter/Makefile.am
 create mode 100644 examples/xml/nwfilter/allow-arp.xml
 create mode 100644 examples/xml/nwfilter/allow-dhcp-server.xml
 create mode 100644 examples/xml/nwfilter/allow-dhcp.xml
 create mode 100644 examples/xml/nwfilter/allow-incoming-ipv4.xml
 create mode 100644 examples/xml/nwfilter/allow-ipv4.xml
 create mode 100644 examples/xml/nwfilter/clean-traffic.xml
 create mode 100644 examples/xml/nwfilter/no-arp-spoofing.xml
 create mode 100644 examples/xml/nwfilter/no-ip-multicast.xml
 create mode 100644 examples/xml/nwfilter/no-ip-spoofing.xml
 create mode 100644 examples/xml/nwfilter/no-mac-broadcast.xml
 create mode 100644 examples/xml/nwfilter/no-mac-spoofing.xml
 create mode 100644 examples/xml/nwfilter/no-other-l2-traffic.xml

diff --git a/Makefile.am b/Makefile.am
index 09439c8346..dd334b5db8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5,7 +5,8 @@ GENHTML = genhtml
 
 SUBDIRS = gnulib/lib include src daemon tools proxy docs gnulib/tests \
   python tests po examples/domain-events/events-c examples/hellolibvirt \
-  examples/dominfo examples/domsuspend examples/python examples/apparmor
+  examples/dominfo examples/domsuspend examples/python examples/apparmor \
+  examples/xml/nwfilter
 
 ACLOCAL_AMFLAGS = -I m4 -I gnulib/m4
 
diff --git a/configure.ac b/configure.ac
index 0c2c0bedb7..94223dd56a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1987,7 +1987,8 @@ AC_OUTPUT(Makefile src/Makefile include/Makefile docs/Makefile \
           examples/domsuspend/Makefile \
           examples/dominfo/Makefile \
           examples/python/Makefile \
-          examples/hellolibvirt/Makefile)
+          examples/hellolibvirt/Makefile \
+          examples/xml/nwfilter/Makefile)
 
 AC_MSG_NOTICE([])
 AC_MSG_NOTICE([Configuration summary])
diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
new file mode 100644
index 0000000000..dcf6ce42dd
--- /dev/null
+++ b/examples/xml/nwfilter/Makefile.am
@@ -0,0 +1,30 @@
+
+FILTERS = \
+	allow-arp.xml \
+	allow-dhcp-server.xml \
+	allow-dhcp.xml \
+	allow-incoming-ipv4.xml \
+	allow-ipv4.xml \
+	clean-traffic.xml \
+	no-arp-spoofing.xml \
+	no-ip-multicast.xml \
+	no-ip-spoofing.xml \
+	no-mac-broadcast.xml \
+	no-mac-spoofing.xml \
+	no-other-l2-traffic.xml
+
+confdir = $(sysconfdir)/libvirt
+
+NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
+
+install-data-local:
+	$(MKDIR_P) "$(NWFILTER_DIR)"
+	for f in $(FILTERS); do \
+		$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
+	done
+
+uninstall-local::
+	for f in $(FILTERS); do \
+		rm -f "$(NWFILTER_DIR)/$$f"; \
+	done
+	-test -z $(shell ls $(NWFILTER_DIR)) || rmdir $(NWFILTER_DIR)
diff --git a/examples/xml/nwfilter/allow-arp.xml b/examples/xml/nwfilter/allow-arp.xml
new file mode 100644
index 0000000000..63a92b25b4
--- /dev/null
+++ b/examples/xml/nwfilter/allow-arp.xml
@@ -0,0 +1,3 @@
+<filter name='allow-arp' chain='arp'>
+  <rule direction='inout' action='accept'/>
+</filter>
diff --git a/examples/xml/nwfilter/allow-dhcp-server.xml b/examples/xml/nwfilter/allow-dhcp-server.xml
new file mode 100644
index 0000000000..37e708ed4b
--- /dev/null
+++ b/examples/xml/nwfilter/allow-dhcp-server.xml
@@ -0,0 +1,24 @@
+<filter name='allow-dhcp-server' chain='ipv4'>
+
+    <!-- accept outgoing DHCP requests -->
+    <!-- note, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast -->
+    <rule action='accept' direction='out' priority='100'>
+        <ip srcipaddr='0.0.0.0'
+            dstipaddr='255.255.255.255'
+            protocol='udp'
+            srcportstart='68'
+            dstportstart='67' />
+    </rule>
+
+    <!-- accept incoming DHCP responses from a specific DHCP server
+         parameter DHPCSERVER needs to be passed from where this filter is
+         referenced -->
+    <rule action='accept' direction='in' priority='100' >
+        <ip srcipaddr='$DHCPSERVER'
+            protocol='udp'
+            srcportstart='67'
+            dstportstart='68'/>
+    </rule>
+
+</filter>
diff --git a/examples/xml/nwfilter/allow-dhcp.xml b/examples/xml/nwfilter/allow-dhcp.xml
new file mode 100644
index 0000000000..d66d2b6668
--- /dev/null
+++ b/examples/xml/nwfilter/allow-dhcp.xml
@@ -0,0 +1,21 @@
+<filter name='allow-dhcp' chain='ipv4'>
+
+    <!-- accept outgoing DHCP requests -->
+    <!-- not, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast -->
+    <rule action='accept' direction='out' priority='100'>
+        <ip srcipaddr='0.0.0.0'
+            dstipaddr='255.255.255.255'
+            protocol='udp'
+            srcportstart='68'
+            dstportstart='67' />
+    </rule>
+
+    <!-- accept incoming DHCP responses from any DHCP server -->
+    <rule action='accept' direction='in' priority='100' >
+        <ip protocol='udp'
+            srcportstart='67'
+            dstportstart='68'/>
+    </rule>
+
+</filter>
diff --git a/examples/xml/nwfilter/allow-incoming-ipv4.xml b/examples/xml/nwfilter/allow-incoming-ipv4.xml
new file mode 100644
index 0000000000..dd1e50d02e
--- /dev/null
+++ b/examples/xml/nwfilter/allow-incoming-ipv4.xml
@@ -0,0 +1,3 @@
+<filter name='allow-incoming-ipv4' chain='ipv4'>
+  <rule direction='in' action='accept'/>
+</filter>
diff --git a/examples/xml/nwfilter/allow-ipv4.xml b/examples/xml/nwfilter/allow-ipv4.xml
new file mode 100644
index 0000000000..28e930a7c8
--- /dev/null
+++ b/examples/xml/nwfilter/allow-ipv4.xml
@@ -0,0 +1,3 @@
+<filter name='allow-ipv4' chain='ipv4'>
+  <rule direction='inout' action='accept'/>
+</filter>
diff --git a/examples/xml/nwfilter/clean-traffic.xml b/examples/xml/nwfilter/clean-traffic.xml
new file mode 100644
index 0000000000..2cc7df983e
--- /dev/null
+++ b/examples/xml/nwfilter/clean-traffic.xml
@@ -0,0 +1,17 @@
+<filter name='clean-traffic'>
+   <!-- An example of a traffic filter enforcing clean traffic
+        from a VM by
+      - preventing MAC spoofing -->
+   <filterref filter='no-mac-spoofing'/>
+
+   <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+   <filterref filter='no-ip-spoofing'/>
+   <filterref filter='allow-incoming-ipv4'/>
+
+   <!-- preventing ARP spoofing/poisoning -->
+   <filterref filter='no-arp-spoofing'/>
+
+   <!-- preventing any other traffic than IPv4 and ARP -->
+   <filterref filter='no-other-l2-traffic'/>
+
+</filter>
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml
new file mode 100644
index 0000000000..b49e781be4
--- /dev/null
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -0,0 +1,29 @@
+<filter name='no-arp-spoofing' chain='arp'>
+   <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
+
+   <!-- no arp spoofing -->
+   <!-- drop if ipaddr or macaddr does not belong to guest -->
+   <rule action='drop' direction='out' priority='400' >
+       <arp match='no' arpsrcmacaddr='$MAC'/>
+   </rule>
+   <rule action='drop' direction='out' priority='400' >
+       <arp match='no' arpsrcipaddr='$IP' />
+   </rule>
+   <!-- drop if ipaddr or macaddr odes not belong to guest -->
+   <rule action='drop' direction='in' priority='400' >
+       <arp match='no' arpdstmacaddr='$MAC'/>
+       <arp opcode='reply'/>
+   </rule>
+   <rule action='drop' direction='in' priority='400' >
+       <arp match='no' arpdstipaddr='$IP' />
+   </rule>
+   <!-- accept only request or reply packets -->
+   <rule action='accept' direction='inout' priority='500' >
+       <arp opcode='request'/>
+   </rule>
+   <rule action='accept' direction='inout' priority='500' >
+       <arp opcode='reply'/>
+   </rule>
+   <!-- drop everything else -->
+   <rule action='drop' direction='inout' priority='1000' />
+</filter>
diff --git a/examples/xml/nwfilter/no-ip-multicast.xml b/examples/xml/nwfilter/no-ip-multicast.xml
new file mode 100644
index 0000000000..edcf03f657
--- /dev/null
+++ b/examples/xml/nwfilter/no-ip-multicast.xml
@@ -0,0 +1,9 @@
+<filter name='no-ip-multicast' chain='ipv4'>
+
+    <!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
+    <rule action='drop' direction='out'>
+        <ip dstipaddr='224.0.0.0' dstipmask='4' />
+    </rule>
+
+    <!-- not doing anything with receiving side ... -->
+</filter>
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml
new file mode 100644
index 0000000000..b8c94c82e4
--- /dev/null
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -0,0 +1,7 @@
+<filter name='no-ip-spoofing' chain='ipv4'>
+
+    <!-- drop if srcipaddr is not the IP address of the guest -->
+    <rule action='drop' direction='out'>
+        <ip match='no' srcipaddr='$IP' />
+    </rule>
+</filter>
diff --git a/examples/xml/nwfilter/no-mac-broadcast.xml b/examples/xml/nwfilter/no-mac-broadcast.xml
new file mode 100644
index 0000000000..74e65bf726
--- /dev/null
+++ b/examples/xml/nwfilter/no-mac-broadcast.xml
@@ -0,0 +1,8 @@
+<filter name='no-mac-broadcast' chain='ipv4'>
+    <!-- drop if destination mac is bcast mac addr. -->
+    <rule action='drop' direction='out'>
+        <mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
+    </rule>
+
+    <!-- not doing anything with receiving side ... -->
+</filter>
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml b/examples/xml/nwfilter/no-mac-spoofing.xml
new file mode 100644
index 0000000000..f210623271
--- /dev/null
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -0,0 +1,5 @@
+<filter name='no-mac-spoofing' chain='ipv4'>
+  <rule action='drop' direction='out' priority='10'>
+      <mac match='no' srcmacaddr='$MAC' />
+  </rule>
+</filter>
diff --git a/examples/xml/nwfilter/no-other-l2-traffic.xml b/examples/xml/nwfilter/no-other-l2-traffic.xml
new file mode 100644
index 0000000000..8bad86ef52
--- /dev/null
+++ b/examples/xml/nwfilter/no-other-l2-traffic.xml
@@ -0,0 +1,7 @@
+<filter name='no-other-l2-traffic'>
+
+    <!-- drop all other l2 traffic than for which rules have been
+         written for; i.e., drop all other than arp and ipv4 traffic -->
+    <rule action='drop' direction='inout' priority='1000'/>
+
+</filter>
-- 
GitLab