ITQC/containernetworking-plugins
24
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 34 Wiki Activity

bridge: Add macspoofchk support

Browse Source 
The new macspoofchk field is added to the bridge plugin to support
anti-mac-spoofing.
When the parameter is enabled, traffic is limited to the mac addresses
of the container interface (the veth peer that is placed in the
container ns).
Any traffic that exits the pod is checked against the source mac address
that is expected. If the mac address is different, the frames are
dropped.

The implementation is using nftables and should only be used on nodes
that support it.

Signed-off-by: Edward Haas <edwardh@redhat.com>
This commit is contained in:
Edward Haas
2021-06-15 21:12:57 +03:00
parent 8632ace977
commit 081ed44a1d
24 changed files with 2132 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
plugins/main/bridge/bridge.go
View File

@ -20,6 +20,7 @@ import (
"fmt"
"io/ioutil"
"net"
"os"
"runtime"
"syscall"
"time"
@ -33,6 +34,7 @@ import (
"github.com/containernetworking/cni/pkg/version"
"github.com/containernetworking/plugins/pkg/ip"
"github.com/containernetworking/plugins/pkg/ipam"
"github.com/containernetworking/plugins/pkg/link"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/containernetworking/plugins/pkg/utils"
bv "github.com/containernetworking/plugins/pkg/utils/buildversion"
@ -55,6 +57,7 @@ type NetConf struct {
HairpinMode bool `json:"hairpinMode"`
PromiscMode bool `json:"promiscMode"`
Vlan int `json:"vlan"`
MacSpoofChk bool `json:"macspoofchk,omitempty"`
Args struct {
Cni BridgeArgs `json:"cni,omitempty"`
@ -460,6 +463,20 @@ func cmdAdd(args *skel.CmdArgs) error {
},
}
if n.MacSpoofChk {
sc := link.NewSpoofChecker(hostInterface.Name, containerInterface.Mac, uniqueID(args.ContainerID, args.IfName))
if err := sc.Setup(); err != nil {
return err
}
defer func() {
if !success {
if err := sc.Teardown(); err != nil {
fmt.Fprintf(os.Stderr, "%v", err)
}
}
}()
}
if isLayer3 {
// run the IPAM plugin and get back the config to apply
r, err := ipam.ExecAdd(n.IPAM.Type, args.StdinData)
@ -658,6 +675,13 @@ func cmdDel(args *skel.CmdArgs) error {
return err
}
if n.MacSpoofChk {
sc := link.NewSpoofChecker("", "", uniqueID(args.ContainerID, args.IfName))
if err := sc.Teardown(); err != nil {
fmt.Fprintf(os.Stderr, "%v", err)
}
}
if isLayer3 && n.IPMasq {
chain := utils.FormatChainName(n.Name, args.ContainerID)
comment := utils.FormatComment(n.Name, args.ContainerID)
@ -938,3 +962,7 @@ func cmdCheck(args *skel.CmdArgs) error {
return nil
}
func uniqueID(containerID, cniIface string) string {
return containerID + "-" + cniIface
}