authorAntony Messerli <amesserl@rackspace.com>2010-12-20 10:56:10 -0600
committerAntony Messerli <amesserl@rackspace.com>2010-12-20 10:56:10 -0600
commit2462eab6f02105b15f4686a6183eb043d7b1a5e3 (patch)
treee70432124d945e4fbcd45ec2d7f27d175e240837 /plugins
parent800ecbd713c55d7410d6eb860a439cb87468e7ad (diff)
initial commit of xenserver host protections
Diffstat (limited to 'plugins')
-rwxr-xr-xplugins/xenserver/networking/etc/init.d/host-rules83
-rw-r--r--plugins/xenserver/networking/etc/xensource/scripts/vif_5.6-fp1.patch22
-rwxr-xr-xplugins/xenserver/networking/etc/xensource/scripts/vif_rules.py72
3 files changed, 177 insertions, 0 deletions
diff --git a/plugins/xenserver/networking/etc/init.d/host-rules b/plugins/xenserver/networking/etc/init.d/host-rules
new file mode 100755
index 000000000..980396bae
--- /dev/null
+++ b/plugins/xenserver/networking/etc/init.d/host-rules
@@ -0,0 +1,83 @@
+#!/bin/bash
+#
+# host-rules Start/Stop the networking host rules
+#
+# chkconfig: 2345 85 15
+# description: Networking Host Rules for Multi Tenancy Protections
+
+iptables-up()
+{
+ iptables -P FORWARD DROP
+ iptables -A FORWARD -m physdev --physdev-in eth0 -j ACCEPT
+ iptables -A FORWARD -m physdev --physdev-in eth1 -j ACCEPT
+}
+
+ebtables-up()
+{
+ ebtables -P FORWARD DROP
+ ebtables -A FORWARD -o eth0 -j ACCEPT
+ ebtables -A FORWARD -o eth1 -j ACCEPT
+}
+
+arptables-up()
+{
+ arptables -P FORWARD DROP
+ arptables -A FORWARD --opcode Request --in-interface eth0 -j ACCEPT
+ arptables -A FORWARD --opcode Reply --in-interface eth0 -j ACCEPT
+ arptables -A FORWARD --opcode Request --in-interface eth1 -j ACCEPT
+ arptables -A FORWARD --opcode Reply --in-interface eth1 -j ACCEPT
+}
+
+iptables-down()
+{
+ iptables -P FORWARD ACCEPT
+ iptables -D FORWARD -m physdev --physdev-in eth0 -j ACCEPT
+ iptables -D FORWARD -m physdev --physdev-in eth1 -j ACCEPT
+}
+
+ebtables-down()
+{
+ ebtables -P FORWARD ACCEPT
+ ebtables -D FORWARD -o eth0 -j ACCEPT
+ ebtables -D FORWARD -o eth1 -j ACCEPT
+}
+
+arptables-down()
+{
+ arptables -P FORWARD ACCEPT
+ arptables -D FORWARD --opcode Request --in-interface eth0 -j ACCEPT
+ arptables -D FORWARD --opcode Reply --in-interface eth0 -j ACCEPT
+ arptables -D FORWARD --opcode Request --in-interface eth1 -j ACCEPT
+ arptables -D FORWARD --opcode Reply --in-interface eth1 -j ACCEPT
+}
+
+start()
+{
+ iptables-up
+ ebtables-up
+ arptables-up
+}
+
+stop()
+{
+ iptables-down
+ ebtables-down
+ arptables-down
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart}"
+ exit 1
+esac
+exit 0
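Review bot: The script ends with `exit 0` regardless of whether the `iptables`, `ebtables` and `arptables` calls in the `*-up` functions succeeded, so `start` reports success to chkconfig and the operator even when one tool is missing or a rule failed to load and the host is running with only part of the FORWARD protections in place. Adding `set -e` directly after the shebang, or checking `$?` in each `*-up` function and exiting non-zero, makes that failure visible. `start` is also not idempotent: every run appends another copy of the ACCEPT rules with `-A` while `stop` deletes only one copy each, so a second `start` leaves duplicates behind; deleting each rule before re-adding it, the way the `vif_rules.py` in this commit does, keeps the rule set deterministic without flushing the chain (a flush would also remove the per-VIF rules). Note as well that `restart` runs `stop` first, which sets the FORWARD policy to ACCEPT until `start` sets it back to DROP, so every restart briefly forwards without any protections.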
diff --git a/plugins/xenserver/networking/etc/xensource/scripts/vif_5.6-fp1.patch b/plugins/xenserver/networking/etc/xensource/scripts/vif_5.6-fp1.patch
new file mode 100644
index 000000000..142096ff1
--- /dev/null
+++ b/plugins/xenserver/networking/etc/xensource/scripts/vif_5.6-fp1.patch
@@ -0,0 +1,22 @@
+--- vif 2010-12-20 16:39:46.000000000 +0000
++++ vif_modified 2010-11-19 23:24:37.000000000 +0000
+@@ -213,6 +213,7 @@
+
+ # xs-xen.pq.hq:91e986b8e49f netback-wait-for-hotplug
+ xenstore-write "/local/domain/0/backend/vif/${DOMID}/${DEVID}/hotplug-status" "connected"
++ python /etc/xensource/scripts/vif_rules.py ${DOMID} online 2>&1 >> /dev/null
+ fi
+ ;;
+
+@@ -224,9 +225,11 @@
+
+ remove)
+ if [ "${TYPE}" = "vif" ] ;then
++ python /etc/xensource/scripts/vif_rules.py ${DOMID} offline 2>&1 >> /dev/null
+ xenstore-rm "${HOTPLUG}/hotplug"
+ fi
+ logger -t scripts-vif "${dev} has been removed"
+ remove_from_bridge
+ ;;
+ esac
++
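Review bot: On both added `vif_rules.py` lines the `2>&1 >> /dev/null` redirection sends stderr to the vif script's stdout and discards only stdout, and the exit status is dropped, so a failing rule update (missing xenstore key, JSON error, ebtables failure) leaves no trace in the log. For the `offline` call a silent failure can leave the per-VIF rules in place after the VIF is removed, which is the case an operator most needs to see. I would report the failure through the `logger -t scripts-vif` channel the script already uses, e.g. `python /etc/xensource/scripts/vif_rules.py ${DOMID} offline >/dev/null 2>&1 || logger -t scripts-vif "vif_rules.py offline failed for domain ${DOMID}"`, and the same for the `online` call. The enclosing `case` arms of the vif script begin and end outside these hunks.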
diff --git a/plugins/xenserver/networking/etc/xensource/scripts/vif_rules.py b/plugins/xenserver/networking/etc/xensource/scripts/vif_rules.py
new file mode 100755
index 000000000..05141630b
--- /dev/null
+++ b/plugins/xenserver/networking/etc/xensource/scripts/vif_rules.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python
+from os import system, popen4
+import sys
+import simplejson as json
+from itertools import chain
+
+# order is important, mmmkay? 1 is domid, 2 command, 3 is vif
+# when we add rules, we delete first, to make sure we only keep the one rule we need
+
+def main():
+ fin,fout = popen4("/usr/bin/xenstore-ls /local/domain/%s/vm-data/networking" % sys.argv[1] )
+ macs = fout.read().split("\n")[0:-1]
+
+ for mac in macs:
+ m = mac.split("=")[0].strip()
+ fin,fout = popen4("/usr/bin/xenstore-read /local/domain/%s/vm-data/networking/%s" % (sys.argv[1],m))
+ mjson = json.loads(fout.read())
+ for ip in mjson['ips']:
+ if mjson["label"] == "public":
+ label = 0
+ else:
+ label = 1
+
+ VIF = "vif%s.%s" % (sys.argv[1],label)
+
+ if (len(sys.argv) == 4 and sys.argv[3] == VIF) or (len(sys.argv) == 3):
+ run_rules(
+ IP = ip['ip'],
+ VIF = VIF,
+ MAC = mjson['mac'],
+ STATUS = (sys.argv[2] == 'online') and '-A' or '-D'
+ )
+
+def run_rules(**kwargs):
+ map(system, chain(ebtables(**kwargs), arptables(**kwargs), iptables(**kwargs) ))
+
+def iptables(**kwargs):
+ return [
+ "/sbin/iptables -D FORWARD -m physdev --physdev-in %s -s %s -j ACCEPT 2>&1 > /dev/null" % ( kwargs['VIF'], kwargs['IP']),
+ "/sbin/iptables %s FORWARD -m physdev --physdev-in %s -s %s -j ACCEPT" % (kwargs['STATUS'], kwargs['VIF'], kwargs['IP'])
+ ]
+
+def arptables(**kwargs):
+ return [
+ "/sbin/arptables -D FORWARD --opcode Request --in-interface %s --source-ip %s --source-mac %s -j ACCEPT 2>&1 > /dev/null" % (kwargs['VIF'], kwargs['IP'], kwargs['MAC']),
+ "/sbin/arptables -D FORWARD --opcode Reply --in-interface %s --source-ip %s --source-mac %s -j ACCEPT 2>&1 > /dev/null" % (kwargs['VIF'], kwargs['IP'], kwargs['MAC']),
+ "/sbin/arptables %s FORWARD --opcode Request --in-interface %s --source-ip %s --source-mac %s -j ACCEPT" % (kwargs['STATUS'], kwargs['VIF'], kwargs['IP'], kwargs['MAC']),
+ "/sbin/arptables %s FORWARD --opcode Reply --in-interface %s --source-ip %s --source-mac %s -j ACCEPT" % (kwargs['STATUS'], kwargs['VIF'], kwargs['IP'], kwargs['MAC'])
+ ]
+
+def ebtables(**kwargs):
+ cmds = [
+ "/sbin/ebtables -D FORWARD -p 0806 -o %s --arp-ip-dst %s -j ACCEPT 2>&1 >> /dev/null" % (kwargs['VIF'], kwargs['IP']),
+ "/sbin/ebtables -D FORWARD -p 0800 -o %s --ip-dst %s -j ACCEPT 2>&1 >> /dev/null" % (kwargs['VIF'], kwargs['IP']),
+ "/sbin/ebtables %s FORWARD -p 0806 -o %s --arp-ip-dst %s -j ACCEPT 2>&1 " % (kwargs['STATUS'], kwargs['VIF'], kwargs['IP']),
+ "/sbin/ebtables %s FORWARD -p 0800 -o %s --ip-dst %s -j ACCEPT 2>&1 " % (kwargs['STATUS'], kwargs['VIF'], kwargs['IP'])
+ ]
+ if kwargs['STATUS'] == "-A":
+ cmds.append("/sbin/ebtables -D FORWARD -s ! %s -i %s -j DROP 2>&1 > /dev/null" % (kwargs['MAC'], kwargs['VIF']))
+ cmds.append("/sbin/ebtables -I FORWARD 1 -s ! %s -i %s -j DROP" % (kwargs['MAC'], kwargs['VIF']))
+ else:
+ cmds.append("/sbin/ebtables %s FORWARD -s ! %s -i %s -j DROP" % (kwargs['STATUS'], kwargs['MAC'], kwargs['VIF']))
+ return cmds
+
+def usage():
+ print "Usage: slice_vifs.py <DOMID> <online|offline> optional: <vif>"
+
+if __name__ == "__main__":
+ if len(sys.argv) < 3:
+ usage()
+ else:
+ main()
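Review bot: The values interpolated into the `system()`/`popen4()` command strings — `sys.argv[1]`, the xenstore key `m`, `ip['ip']` and `mjson['mac']` — are never validated, so anything other than a plain domid, IPv4 address or MAC under `vm-data/networking` becomes shell syntax executed with dom0 privileges (whether a guest can influence that subtree depends on the xenstore permissions the toolstack sets, which this commit does not show). A strict format check before `run_rules` builds any command line, plus an `isdigit()` check on `sys.argv[1]` at the top of `main()`, closes this; longer term `subprocess.call` with an argument list instead of `system` on a string removes the shell from the path entirely. The `offline` path also relies on `vm-data/networking` still being readable when the vif `remove` arm runs; if it has already been cleared, `macs` is empty, no `-D` commands are issued and the ACCEPT rules for that vif/IP/MAC stay in place — worth confirming against the toolstack's teardown order. Two smaller points in the same hunk: the `2>&1 > /dev/null` redirections on the `-D` cleanup commands route stderr to stdout rather than silencing it, and the usage string names `slice_vifs.py` while the file is `vif_rules.py` (use `sys.argv[0]`). The validation below needs `re` added to the file's imports.
```python
_IP_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')
_MAC_RE = re.compile(r'^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$')
_VIF_RE = re.compile(r'^vif\d+\.\d+$')

def run_rules(**kwargs):
    # Refuse to interpolate anything that is not a plain IPv4 address, MAC or
    # vif name into a shell command line; these values come from xenstore and
    # argv, not from this script.
    for key, pattern in (('IP', _IP_RE), ('MAC', _MAC_RE), ('VIF', _VIF_RE)):
        if not pattern.match(str(kwargs[key])):
            raise ValueError("refusing unexpected %s value: %r" % (key, kwargs[key]))
    map(system, chain(ebtables(**kwargs), arptables(**kwargs), iptables(**kwargs)))
```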