bridge: Add macspoofchk support #639
Conversation
EdDev
force-pushed
the
bridge-macspoofchk
branch
5 times, most recently
from
b9a0c7e to
000a8b4
Compare
EdDev
changed the title
|
Verification: The change has been tested on kubevirt and confirmed to function properly (nftables config added, mac correctly filtered and configuration removed from node after pod termination). |
EdDev
force-pushed
the
bridge-macspoofchk
branch
2 times, most recently
from
684e240 to
fbb5622
Compare
|
@EdDev can you rebase on top of your container-veth static MAC now that it's merged? |
EdDev
force-pushed
the
bridge-macspoofchk
branch
from
fbb5622 to
0cd73fe
Compare
Done |
EdDev
force-pushed
the
bridge-macspoofchk
branch
from
0cd73fe to
f6bfdc0
Compare
|
@EdDev can you split the PR into two commits one with deps bump and the other with the changes ? |
I am unsure if it is acceptable by the maintainers here, so I prefer to wait with that for their input. |
There was a problem hiding this comment.
Couldn't find any e2e tests for the change. Did I miss something?
AFAIK there are no functional tests which check that the configuration on the system is actually affecting the traffic. The tests here are just checking that the configuration is reaching the system/kernel.
Nevertheless, I have checked this as stated here.
Adding e2e tests to kubevirt should cover this.
EdDev
force-pushed
the
bridge-macspoofchk
branch
from
f6bfdc0 to
bf36e4c
Compare
|
/lgtm |
1 similar comment
|
/lgtm |
As an intermediate and temporary step, consume the changes posted to the CNI bridge [1]. Once the PR is merged into the original repo, this change will be reverted. In case the PR will not be merged into the original repo, we will proceed with a more formal resolution. [1] containernetworking/plugins#639 Signed-off-by: Edward Haas <edwardh@redhat.com>
* components: Consume CNI Bridge with macspoofchk support As an intermediate and temporary step, consume the changes posted to the CNI bridge [1]. Once the PR is merged into the original repo, this change will be reverted. In case the PR will not be merged into the original repo, we will proceed with a more formal resolution. [1] containernetworking/plugins#639 Signed-off-by: Edward Haas <edwardh@redhat.com> * components: Build linux-bridge CNI from new sources This patch builds a new image from the newly updated components.yaml. Signed-off-by: Petr Horáček <phoracek@redhat.com> Co-authored-by: Petr Horáček <phoracek@redhat.com>
EdDev
force-pushed
the
bridge-macspoofchk
branch
from
bf36e4c to
cbec9bf
Compare
|
change: Rebase |
|
This looks good to me. I have a minor bit of bikeshedding that, honestly, can be ignored. Can you also file a PR updating the bridge documentation: https://github.com/containernetworking/cni.dev/blob/main/content/plugins/current/main/bridge.md Thanks! |
|
This should also support MAC to IPv6 addresses as well |
|
hey @EdDev, just to make explicit, what security is this providing? In other words, what is enforced?
Separately, should we add an explicit rule for the gateway? |
EdDev
force-pushed
the
bridge-macspoofchk
branch
2 times, most recently
from
f2ada05 to
aadcf9a
Compare
|
Change: Bumped |
The new macspoofchk field is added to the bridge plugin to support anti-mac-spoofing. When the parameter is enabled, traffic is limited to the mac addresses of the container interface (the veth peer that is placed in the container ns). Any traffic that exits the pod is checked against the source mac address that is expected. If the mac address is different, the frames are dropped. The implementation is using nftables and should only be used on nodes that support it. Signed-off-by: Edward Haas <edwardh@redhat.com>
EdDev
force-pushed
the
bridge-macspoofchk
branch
from
aadcf9a to
081ed44
Compare
I tried to add this to the commit message and the PR description. Therefore, any traffic that exists the pod (on the specific interface), is checked against the source mac address.
The rule is on the veth peer at the host side. It is supposed to handle any L2 traffic from that veth interface, so I do not think we need a special handling if the destination mac address is the gateway. |
mac-spook-check is not handing L3 spoofing (e.g. IP), so I think we are good. |
Ref: containernetworking/plugins#639 Signed-off-by: Edward Haas <edwardh@redhat.com>
Done |
|
@EdDev looks good in general, could you resolve the PR comments that you feel have been addressed? |
|
I think this is ready to go |
As containernetworking/plugins#639 has been merged to the plugins repo, revert back to track it instead of the temporary repo which included the macspoofchk feature. Signed-off-by: Edward Haas <edwardh@redhat.com>
* components: Track the formal CNI plugins repo As containernetworking/plugins#639 has been merged to the plugins repo, revert back to track it instead of the temporary repo which included the macspoofchk feature. Signed-off-by: Edward Haas <edwardh@redhat.com> * components: Rebuild linux bridge image Signed-off-by: Petr Horáček <phoracek@redhat.com> Co-authored-by: Petr Horáček <phoracek@redhat.com>
The new macspoofchk field is added to the bridge plugin to support
anti-mac-spoofing.
When the parameter is enabled, traffic is limited to the mac addresses
of the container interface (the veth peer that is placed in the
container ns).
The implementation is using nftables and should only be used on nodes
that support it.
Notes:
This change is under e2e and functional testing, confirming it works as expected beyond the existing integration tests.The go-nft used in this PR is not a tagged version. Post testing and documentation a tag will be added and the dependency updated.