Network Filtering (IP Anti-Hijacking)
Since version 3.0, VirtFusion has built-in native bridge network filtering.
The following filters are available:
- **None**: No filters are applied to any virtual servers on the hypervisor.
- **Libvirt**: A standard set of filters to prevent MAC spoofing and IP stealing, plus various other filters to clean traffic.
- **Native Standard**: Applies the same rule sets as Libvirt.
- **Native Performance (IPv4)**: A minimal rule set to prevent IPv4 MAC spoofing and IP stealing. IPv6 is not filtered.
- **Native Performance (IPv4 + IPv6)**: A minimal rule set to prevent IPv4 and IPv6 MAC spoofing and IP stealing, and to block various ICMPv6 codes (including router advertisements).
Existing hypervisors (added before v2.4) will continue to use Libvirt filters until native filters are enabled on a per-hypervisor basis. Any hypervisors added after v2.4 will have Native Performance (IPv4 + IPv6) filters enabled by default.
If you would like to switch your existing hypervisors to native filtering (or vice versa), you may change the Network Filtering type under the hypervisor settings.
Changing this setting only enables the selected filter type for new servers, or for existing servers that have had an action run against them. To apply the change to every server at once, force a full configuration and filter update with the control server CLI command listed under Control Server CLI Commands below.
Creating a Custom Filter
You most likely don't need to do this. VirtFusion by default has an adequate filter for most use cases.
At the moment, only a single filter is supported. This means all your rules must be included in a single file, in the order they should be applied.
You may override any of the native filters by copying the original filter to a custom location.
| Filter | Location |
|---|---|
| Native Standard | /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/standard.json |
| Native Performance (IPv4) | /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/performance.json |
| Native Performance (IPv4 + IPv6) | /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/performance-v6.json |
To copy the Native Standard filter:
```shell
cp /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/standard.json /home/vf-data/conf/netfilters/standard.json
```
To copy the Native Performance (IPv4) filter:
```shell
cp /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/performance.json /home/vf-data/conf/netfilters/performance.json
```
To copy the Native Performance (IPv4 + IPv6) filter:
```shell
cp /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/performance-v6.json /home/vf-data/conf/netfilters/performance-v6.json
```
Once your custom filter exists, the original filter is ignored.
All content in the filter must be valid JSON and contain a `set` and an `unset` parameter.
Each rule should be specified as follows.
```json
{
  "service": "ebtables",
  "table": "nat",
  "type": "rule",
  "cmd": ["-X", "vf-pre-[[VF_INTERFACE]]"]
}
```
- `service` should be `ebtables`.
- `table` should be `nat` or `filter`. If omitted, `nat` will be used.
- `type` can be either `rule`, `rule-repeat-ipv4` or `rule-repeat-ipv6`.
- `cmd` should be an array of the command to be executed.
The following global placeholders are available.
- `[[VF_INTERFACE]]` is the interface name.
- `[[VF_MAC]]` is the MAC address for the interface.
Additionally, the following placeholders are available in `rule-repeat-ipv4` or `rule-repeat-ipv6` rules.
- `[[VF_IP]]` is an IP address.
- `[[VF_CIDR]]` is the CIDR of the IP address.
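Because a mistake in a custom filter file silently replaces the shipped anti-spoofing rules, it is worth checking and previewing a filter before dropping it into `/home/vf-data/conf/netfilters/`. The script below is an added example and is not VirtFusion's own code: it validates the rule fields described above and renders the ebtables command lines a filter would produce for one server, expanding `rule-repeat-ipv4` / `rule-repeat-ipv6` rules once per address. It assumes the file is a JSON object with `set` and `unset` arrays of rule objects, that the `table` field is passed to ebtables as `-t <table>`, that `[[VF_CIDR]]` is the prefix length of the address, and that `[[VF_IP]]` / `[[VF_CIDR]]` may only appear in repeat rules; the sample filter, interface name, MAC and addresses are constructed for the demonstration.

```python
"""Validate and dry-run a VirtFusion-style native network filter file.

Added example, not VirtFusion's code. Assumed file layout:
{"set": [rule, ...], "unset": [rule, ...]} with rules as shown on the page.
"""
import ipaddress
import json
import shlex

VALID_TYPES = {"rule", "rule-repeat-ipv4", "rule-repeat-ipv6"}
VALID_TABLES = {"nat", "filter"}
REPEAT_PLACEHOLDERS = ("[[VF_IP]]", "[[VF_CIDR]]")  # assumed repeat-only

# Constructed sample filter for the demonstration; not one of the shipped filters.
SAMPLE_FILTER = json.dumps({
    "set": [
        {"service": "ebtables", "table": "nat", "type": "rule",
         "cmd": ["-N", "vf-pre-[[VF_INTERFACE]]"]},
        # "table" omitted on purpose: the page says it defaults to "nat"
        {"service": "ebtables", "type": "rule",
         "cmd": ["-A", "vf-pre-[[VF_INTERFACE]]", "-s", "!", "[[VF_MAC]]", "-j", "DROP"]},
        {"service": "ebtables", "table": "nat", "type": "rule-repeat-ipv4",
         "cmd": ["-A", "vf-pre-[[VF_INTERFACE]]", "-p", "IPv4", "--ip-src", "[[VF_IP]]", "-j", "ACCEPT"]},
        {"service": "ebtables", "table": "nat", "type": "rule-repeat-ipv6",
         "cmd": ["-A", "vf-pre-[[VF_INTERFACE]]", "-p", "IPv6", "--ip6-src", "[[VF_IP]]/[[VF_CIDR]]", "-j", "ACCEPT"]},
    ],
    "unset": [
        {"service": "ebtables", "table": "nat", "type": "rule",
         "cmd": ["-X", "vf-pre-[[VF_INTERFACE]]"]},
    ],
})


def check_filter(text):
    """Return a list of problems found in a filter document (empty list means OK)."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    for section in ("set", "unset"):
        rules = doc.get(section)
        if not isinstance(rules, list):
            problems.append(f"missing or non-array '{section}' parameter")
            continue
        for i, rule in enumerate(rules):
            where = f"{section}[{i}]"
            if not isinstance(rule, dict):
                problems.append(f"{where}: rule must be an object")
                continue
            if rule.get("service") != "ebtables":
                problems.append(f"{where}: service must be 'ebtables'")
            if rule.get("table", "nat") not in VALID_TABLES:
                problems.append(f"{where}: table must be 'nat' or 'filter'")
            rtype = rule.get("type")
            if rtype not in VALID_TYPES:
                problems.append(f"{where}: unknown type {rtype!r}")
            cmd = rule.get("cmd")
            if not (isinstance(cmd, list) and all(isinstance(a, str) for a in cmd)):
                problems.append(f"{where}: cmd must be an array of strings")
                continue
            # Assumption: per-address placeholders are only defined in repeat rules.
            if rtype == "rule" and any(p in a for a in cmd for p in REPEAT_PLACEHOLDERS):
                problems.append(f"{where}: [[VF_IP]]/[[VF_CIDR]] used in a non-repeat rule")
    return problems


def render(text, section, interface, mac, addresses):
    """Expand placeholders and return the ebtables argv lists one section would run.

    `addresses` are "ip/prefix" strings. Repeat rules are emitted once per
    address of the matching family (assumed expansion behaviour).
    """
    doc = json.loads(text)
    ifaces = [ipaddress.ip_interface(a) for a in addresses]
    commands = []
    for rule in doc[section]:
        table = rule.get("table", "nat")  # default documented on the page
        rtype = rule["type"]
        if rtype == "rule":
            variants = [{}]
        else:
            family = 4 if rtype == "rule-repeat-ipv4" else 6
            variants = [{"[[VF_IP]]": str(a.ip), "[[VF_CIDR]]": str(a.network.prefixlen)}
                        for a in ifaces if a.version == family]
        for extra in variants:
            subs = {"[[VF_INTERFACE]]": interface, "[[VF_MAC]]": mac, **extra}
            argv = ["ebtables", "-t", table]  # assumed: table becomes -t <table>
            for arg in rule["cmd"]:
                for key, value in subs.items():
                    arg = arg.replace(key, value)
                argv.append(arg)
            commands.append(argv)
    return commands


if __name__ == "__main__":
    # Constructed server values (documentation-range addresses).
    server = ("vf1234", "52:54:00:aa:bb:cc", ["203.0.113.10/24", "2001:db8::10/64"])
    for problem in check_filter(SAMPLE_FILTER):
        print("problem:", problem)
    for section in ("set", "unset"):
        print(f"# {section}")
        for argv in render(SAMPLE_FILTER, section, *server):
            print(shlex.join(argv))
```

Run it against your copied filter file (read the file into `check_filter` and `render` instead of `SAMPLE_FILTER`) to see every command that would be executed for a server before the hypervisor applies it; a non-empty result from `check_filter` means the file would not express the rules you intended.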
Control Server CLI Commands
Rewrite all server filters by hypervisor:
```shell
vfcli-ctrl server:configurations HYPERVISOR_ID --options=network
```
Hypervisor CLI Commands
These commands are generally not required, but are useful for testing.
Rewrite all server filters:
```shell
vfcli-hv server:filters set
```
Rewrite filters for a specific server:
```shell
vfcli-hv server:filters set UUID
```
UUID should be replaced with the UUID of the server.
Rewrite all server filters based on the last known server configuration:
```shell
vfcli-hv server:filters set-build-force
```
Rewrite filters for a specific server based on the last known server configuration:
```shell
vfcli-hv server:filters set-build-force UUID
```
UUID should be replaced with the UUID of the server.
Unset (remove) all filters:
```shell
vfcli-hv server:filters unset
```
Unset (remove) filters for a specific server:
```shell
vfcli-hv server:filters unset UUID
```
UUID should be replaced with the UUID of the server.
Other Important Notes
If you use ebtables outside of VirtFusion (for example, in custom scripts), we highly suggest using the following execution command.
```shell
/usr/bin/flock /var/tmp/vf-ebtables /usr/sbin/ebtables
```
This serializes ebtables invocations on the `/var/tmp/vf-ebtables` lock file, so your commands and VirtFusion's own ebtables calls can be started concurrently without interfering with each other.