From 24894e2354daf9c812a85a6801f7b3980e0af992 Mon Sep 17 00:00:00 2001
From: Chiradeep Vittal
Date: Thu, 29 Dec 2011 17:35:12 -0800
Subject: [PATCH] bug 11302: dont allow stuff like BPDUS, don't allow vms to connect to hypervisor
---
 scripts/vm/hypervisor/xenserver/vmops | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index 8e369151c0e..35632923c3d 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -390,7 +390,6 @@ def can_bridge_firewall(session, args):
 util.pread2(['iptables', '-D', 'FORWARD', '-j', 'RH-Firewall-1-INPUT'])
 except:
 util.SMlog('Chain BRIDGE-FIREWALL already exists')
- default_ebtables_rules()
 privnic = get_private_nic(session, args)
 result = 'true'
 try:
@@ -401,7 +400,8 @@ def can_bridge_firewall(session, args):
 util.pread2(['iptables', '-A', 'FORWARD', '-m', 'physdev', '--physdev-is-bridged', '--physdev-out', privnic, '-j', 'ACCEPT'])
 util.pread2(['iptables', '-A', 'FORWARD', '-j', 'DROP'])
 except:
- result = 'false'
+ return 'false'
+ default_ebtables_rules()
 allow_egress_traffic(session)
 if not os.path.exists('/var/run/cloud'):
 os.makedirs('/var/run/cloud')
@@ -433,9 +433,20 @@ def default_ebtables_rules():
 util.pread2(['ebtables', '-A', 'DEFAULT_EBTABLES', '-p', 'IPv6', '-j', 'DROP'])
 # deny vlan
 util.pread2(['ebtables', '-A', 'DEFAULT_EBTABLES', '-p', '802_1Q', '-j', 'DROP'])
+ # deny all others (e.g., 802.1d, CDP)
+ util.pread2(['ebtables', '-A', 'DEFAULT_EBTABLES', '-j', 'DROP'])
 except:
 util.SMlog('Chain DEFAULT_EBTABLES already exists')
+ #deny traffic from vms into hypervisor. Note: does not protect from vms in other pods
+ try:
+ util.pread2(['ebtables', '-D', 'INPUT', '-s', '6:0:0:0:0:0/ff:0:0:0:0:0', '-j', 'DROP'])
+ except:
+ pass
+
+ util.pread2(['ebtables', '-A', 'INPUT', '-s', '6:0:0:0:0:0/ff:0:0:0:0:0', '-j', 'DROP'])
+
+
 @echo
 def allow_egress_traffic(session):
 devs = []
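Review bot: The new `return 'false'` in the except branch of the second hunk (`@@ -401,7 +400,8 @@`) discards the failure without a trace: the bare `except:` swallows the exception, so a failing `iptables -A FORWARD` call leaves nothing in the SMlog while the rules already appended earlier in the same try block stay in place and the host is reported as not bridge-firewall capable. Logging the reason before bailing out costs one line: `except Exception as e:` / `util.SMlog('bridge firewall iptables setup failed: %s' % e)` / `return 'false'`. With the early return, `result` (assigned `'true'` in the first hunk) can no longer become `'false'`, so if nothing else writes it the final `return result` is effectively a constant and the variable can go. The enclosing try block and the rest of can_bridge_firewall lie outside the hunk.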
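Review bot: The INPUT rule added at the end of the third hunk (`@@ -433,9 +433,20 @@`) identifies VM traffic solely by the source-MAC prefix `6:0:0:0:0:0/ff:0:0:0:0:0`, and the source MAC is under the guest's control: a VM that reconfigures its NIC to a MAC outside that range is no longer matched and can reach the hypervisor again, unless per-VIF source-MAC anti-spoofing is enforced elsewhere in vmops, which this hunk does not show. That assumption belongs next to the rule, e.g. `# Matches VM MACs by the 06: prefix only; a guest that spoofs another MAC bypasses this unless per-VIF source-MAC filtering is enforced`, and the existing "other pods" remark would be clearer as `# does not cover VMs on other hosts reaching this hypervisor over the physical network`. Unlike the DEFAULT_EBTABLES rules above it, the `ebtables -A INPUT` append is not inside a try, so a failure raises out of default_ebtables_rules into can_bridge_firewall (which, after the second hunk, calls it outside its own try); if best-effort is intended, guard it like the preceding `-D` and report via util.SMlog. The catch-all `-j DROP` appended after the 802_1Q rule is only safe if IPv4 and ARP are accepted earlier in DEFAULT_EBTABLES, which lies above the hunk along with the start of the try block.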