Version: Next

Network Filtering (IP Anti-Hijacking)

Since version 3.0, VirtFusion has had native bridge network filtering built in.

The following filters are available:

  • None: no filters are applied to any virtual server on the hypervisor.
  • Libvirt: the standard libvirt filter set, which prevents MAC spoofing and IP stealing and includes various other filters to clean up traffic.
  • Native Standard: applies the same rule set as Libvirt, but through VirtFusion's native filtering.
  • Native Performance (IPv4): a minimal rule set that prevents IPv4 MAC spoofing and IP stealing. IPv6 is not filtered.
  • Native Performance (IPv4 + IPv6): a minimal rule set that prevents MAC spoofing and IP stealing for both IPv4 and IPv6 and blocks various ICMPv6 message types, including router advertisements.

Existing hypervisors (added before v2.4) continue to use Libvirt filters until native filters are enabled for them individually. Hypervisors added in v2.4 or later have Native Performance (IPv4 + IPv6) filters enabled by default.

To switch an existing hypervisor to native filtering (or back to Libvirt), change the Network Filtering type under the hypervisor settings.


Changing this setting only affects new servers, and existing servers the next time an action is run against them. To push the new filter type to every existing server on the hypervisor immediately, run the control server CLI command listed under Control Server CLI Commands below, which rewrites the configuration and filters of all of its servers.

Creating a Custom Filter

Info: you most likely don't need to do this. The filters VirtFusion ships with are adequate for most use cases.

At the moment only a single filter file is supported per filter type, so all of your rules must be in that one file, listed in the order in which they should be applied.

You may override any of the native filters by copying the original file to the custom location shown below and editing the copy.

Filter                           Location
Native Standard                  /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/standard.json
Native Performance (IPv4)        /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/performance.json
Native Performance (IPv4 + IPv6) /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/performance-v6.json

To copy the Native Standard filter.

cp /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/standard.json /home/vf-data/conf/netfilters/standard.json

To copy the Native Performance (IPv4) filter.

cp /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/performance.json /home/vf-data/conf/netfilters/performance.json

To copy the Native Performance (IPv4 + IPv6) filter.

cp /opt/virtfusion/app/hypervisor/app/Configurations/NetworkFilter/Native/performance-v6.json /home/vf-data/conf/netfilters/performance-v6.json

Once a file exists at the custom location, the bundled filter of the same name is ignored and the custom file is used instead.

The file must be valid JSON with two top-level arrays, set and unset. The rules in set are executed when filters are applied to a server, and the rules in unset are executed when they are removed (see the server:filters set and unset commands below), so unset should undo everything set creates.

Each rule in those arrays is an object of the following form.

{
    "service": "ebtables",
    "table": "nat",
    "type": "rule",
    "cmd": ["-X", "vf-pre-[[VF_INTERFACE]]"]
}
  • service must be ebtables (the only supported service at present).
  • table is nat or filter. If omitted, nat is used.
  • type is rule (executed once), rule-repeat-ipv4 (executed once per IPv4 address assigned to the server) or rule-repeat-ipv6 (executed once per IPv6 address assigned to the server).
  • cmd is an array containing the arguments passed to ebtables, one argument per element. The table is taken from the table field rather than from cmd.

The following global placeholders are available in every rule type.

  • [[VF_INTERFACE]] is the name of the server's interface on the hypervisor.
  • [[VF_MAC]] is the MAC address of that interface.

Additionally, the following placeholders are available in rule-repeat-ipv4 and rule-repeat-ipv6 rules, where the rule is repeated for each address of the matching family.

  • [[VF_IP]] is one IP address assigned to the server.
  • [[VF_CIDR]] is the CIDR of that IP address.
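The rule format above, as an added example that is not part of VirtFusion's own code: a dry-run renderer that takes a filter in this format, validates the service, table, type and cmd fields, expands rule-repeat-ipv4 and rule-repeat-ipv6 rules once per address, substitutes the [[VF_*]] placeholders and returns the resulting ebtables command lines (prefixed with the flock wrapper recommended under Other Important Notes at the end of this page), so a custom filter can be reviewed before it is placed under /home/vf-data/conf/netfilters/. The sample filter, the interface name vnet12, the MAC address and the IP addresses are constructed for the example and are not one of the bundled filters; how VirtFusion itself executes the rules, and whether [[VF_CIDR]] expands to the prefix length (assumed here) or to the full network, are not specified on this page.

```python
import ipaddress
import json
import re
import shlex

# Constructed sample filter in the page's format. It is illustrative only and
# is NOT one of the bundled standard/performance filters: it accepts only frames
# carrying the server's own MAC, ARP/IPv4 from its IPv4 addresses and IPv6 from
# its IPv6 addresses, and drops everything else from the interface.
SAMPLE_FILTER = json.loads("""
{
  "set": [
    {"service": "ebtables", "table": "nat", "type": "rule",
     "cmd": ["-N", "vf-pre-[[VF_INTERFACE]]"]},
    {"service": "ebtables", "table": "nat", "type": "rule",
     "cmd": ["-A", "PREROUTING", "-i", "[[VF_INTERFACE]]", "-j", "vf-pre-[[VF_INTERFACE]]"]},
    {"service": "ebtables", "type": "rule",
     "cmd": ["-A", "vf-pre-[[VF_INTERFACE]]", "-s", "!", "[[VF_MAC]]", "-j", "DROP"]},
    {"service": "ebtables", "type": "rule-repeat-ipv4",
     "cmd": ["-A", "vf-pre-[[VF_INTERFACE]]", "-p", "ARP", "--arp-ip-src", "[[VF_IP]]", "-j", "ACCEPT"]},
    {"service": "ebtables", "type": "rule-repeat-ipv4",
     "cmd": ["-A", "vf-pre-[[VF_INTERFACE]]", "-p", "IPv4", "--ip-src", "[[VF_IP]]", "-j", "ACCEPT"]},
    {"service": "ebtables", "type": "rule-repeat-ipv6",
     "cmd": ["-A", "vf-pre-[[VF_INTERFACE]]", "-p", "IPv6", "--ip6-src", "[[VF_IP]]", "-j", "ACCEPT"]},
    {"service": "ebtables", "type": "rule", "cmd": ["-A", "vf-pre-[[VF_INTERFACE]]", "-p", "ARP", "-j", "DROP"]},
    {"service": "ebtables", "type": "rule", "cmd": ["-A", "vf-pre-[[VF_INTERFACE]]", "-p", "IPv4", "-j", "DROP"]},
    {"service": "ebtables", "type": "rule", "cmd": ["-A", "vf-pre-[[VF_INTERFACE]]", "-p", "IPv6", "-j", "DROP"]}
  ],
  "unset": [
    {"service": "ebtables", "type": "rule",
     "cmd": ["-D", "PREROUTING", "-i", "[[VF_INTERFACE]]", "-j", "vf-pre-[[VF_INTERFACE]]"]},
    {"service": "ebtables", "type": "rule", "cmd": ["-F", "vf-pre-[[VF_INTERFACE]]"]},
    {"service": "ebtables", "type": "rule", "cmd": ["-X", "vf-pre-[[VF_INTERFACE]]"]}
  ]
}
""")

# Wrapper this page recommends for any ebtables call made outside VirtFusion.
EBTABLES = ["/usr/bin/flock", "/var/tmp/vf-ebtables", "/usr/sbin/ebtables"]
PLACEHOLDER = re.compile(r"\[\[(VF_[A-Z0-9_]+)\]\]")
# rule type -> IP version it repeats over (None = emitted exactly once)
RULE_TYPES = {"rule": None, "rule-repeat-ipv4": 4, "rule-repeat-ipv6": 6}


def _substitute(cmd, values):
    """Replace every [[VF_*]] token in cmd; a token with no value is an error."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"placeholder [[{name}]] is not available in this rule type")
        return values[name]
    return [PLACEHOLDER.sub(repl, arg) for arg in cmd]


def render(filter_doc, phase, interface, mac, addresses):
    """Return the ebtables argv lists for one phase ("set" or "unset").

    addresses: "ip/prefixlen" strings assigned to the server (IPv4 and IPv6).
    """
    if phase not in ("set", "unset"):
        raise ValueError("phase must be 'set' or 'unset'")
    for key in ("set", "unset"):
        if not isinstance(filter_doc.get(key), list):
            raise ValueError(f"filter must contain a '{key}' array")
    ifaces = [ipaddress.ip_interface(a) for a in addresses]
    base = {"VF_INTERFACE": interface, "VF_MAC": mac}
    commands = []
    for idx, rule in enumerate(filter_doc[phase]):
        where = f"{phase}[{idx}]"
        if rule.get("service") != "ebtables":
            raise ValueError(f"{where}: service must be 'ebtables'")
        table = rule.get("table", "nat")  # nat is the documented default
        if table not in ("nat", "filter"):
            raise ValueError(f"{where}: table must be 'nat' or 'filter'")
        rtype = rule.get("type")
        if rtype not in RULE_TYPES:
            raise ValueError(f"{where}: unknown type {rtype!r}")
        cmd = rule.get("cmd")
        if not isinstance(cmd, list) or not cmd or not all(isinstance(a, str) for a in cmd):
            raise ValueError(f"{where}: cmd must be a non-empty array of strings")
        version = RULE_TYPES[rtype]
        if version is None:
            expansions = [base]
        else:
            # Repeat rule: one copy per address of the matching family. A server
            # with no address of that family yields no command for this rule.
            # VF_CIDR as the prefix length is an assumption of this example.
            expansions = [dict(base, VF_IP=str(i.ip), VF_CIDR=str(i.network.prefixlen))
                          for i in ifaces if i.version == version]
        for values in expansions:
            commands.append(EBTABLES + ["-t", table] + _substitute(cmd, values))
    return commands


def to_shell(commands):
    """Quote each argv list as one shell line for review (dry run, nothing executed)."""
    return [shlex.join(c) for c in commands]


if __name__ == "__main__":
    # Constructed server: interface, MAC and addresses are made up for the demo.
    for line in to_shell(render(SAMPLE_FILTER, "set", "vnet12", "52:54:00:ab:cd:ef",
                                ["203.0.113.10/24", "2001:db8::10/64"])):
        print(line)
```

Running the module prints the set-phase command lines for the constructed server without touching the hypervisor; reviewing that output (chain created before it is referenced, ACCEPT rules before the catch-all DROPs, unset reversing set) is the check worth doing before a custom file replaces a bundled filter, since a rule emitted in the wrong order fails at apply time rather than at edit time.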

Control Server CLI Commands

Rewrite all server filters by hypervisor

vfcli-ctrl server:configurations HYPERVISOR_ID --options=network

Hypervisor CLI Commands

These commands are generally not required, but useful for testing.

Rewrite all server filters

vfcli-hv server:filters set

Rewrite filters for a specific server

vfcli-hv server:filters set UUID

UUID should be replaced with the UUID of the server.

Rewrite all server filters based on the last known server configuration

vfcli-hv server:filters set-build-force

Rewrite filters for a specific server based on the last known server configuration

vfcli-hv server:filters set-build-force UUID

UUID should be replaced with the UUID of the server.

Unset (remove) all filters

vfcli-hv server:filters unset

Unset (remove) filters for a specific server

vfcli-hv server:filters unset UUID

UUID should be replaced with the UUID of the server.

Other Important Notes

If you run ebtables outside of VirtFusion (for example from custom scripts), we strongly recommend invoking it through the following flock wrapper.

/usr/bin/flock /var/tmp/vf-ebtables /usr/sbin/ebtables

flock serialises ebtables invocations on the /var/tmp/vf-ebtables lock, so your commands and VirtFusion's own filter updates take turns instead of running at the same time and interfering with each other's rule changes.