
Support IP Spoofing for OVS when more than one NIC is attached to a VM

Open OpenNebulaSupport opened this issue 4 years ago • 0 comments

Description

If a VM has more than one NIC attached to an Open vSwitch network with IP spoofing filtering enabled, the traffic generated by the second (third, fourth, etc.) NIC is considered spoofed.

For example, if you have configured a virtual network like this one:

VIRTUAL NETWORK TEMPLATE
BRIDGE="onebr1"
BRIDGE_TYPE="openvswitch"
DNS="1.1.1.1"
FILTER_IP_SPOOFING="YES"
FILTER_MAC_SPOOFING="YES"
GATEWAY="192.168.150.1"
NETWORK_ADDRESS="192.168.150.0"
NETWORK_MASK="255.255.255.0"
OUTER_VLAN_ID=""
PHYDEV=""
SECURITY_GROUPS="0"
VN_MAD="ovswitch"

And you create a virtual machine with two NICs attached to the OVS network:

$ onevm show 0
VIRTUAL MACHINE 0 INFORMATION
...
VM NICS
 ID NETWORK              BRIDGE       IP              MAC               PCI_ID
  0 ovsnet               onebr1       192.168.150.2   02:00:c0:a8:96:02
  1 ovsnet               onebr1       192.168.150.3   02:00:c0:a8:96:03
...

And another virtual machine with a single NIC attached to the same OVS network:

$ onevm show 1
...
VM NICS
 ID NETWORK              BRIDGE       IP              MAC               PCI_ID
  1 ovsnet               onebr1       192.168.150.4   02:00:c0:a8:96:04
...

As a result, you'll see something like this in the vnet info:

$ onevnet show ovsnet
...
LEASES
AR  OWNER  MAC                IP              IP6
0   V:0    02:00:c0:a8:96:02  192.168.150.2   -
0   V:0    02:00:c0:a8:96:03  192.168.150.3   -
0   V:1    02:00:c0:a8:96:04  192.168.150.4   -

At this point, from VM 1 you can ping NIC 0 but not NIC 1 of VM 0:

localhost:~# ip a sh eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:c0:a8:96:04 brd ff:ff:ff:ff:ff:ff
    inet 192.168.150.4/24 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::c0ff:fea8:9604/64 scope link 
       valid_lft forever preferred_lft forever
localhost:~# ping -c1 192.168.150.2
PING 192.168.150.2 (192.168.150.2): 56 data bytes
64 bytes from 192.168.150.2: seq=0 ttl=64 time=4.035 ms

--- 192.168.150.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.035/4.035/4.035 ms
localhost:~# ping -c1 192.168.150.3
PING 192.168.150.3 (192.168.150.3): 56 data bytes

--- 192.168.150.3 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

If you dump the flows (on the hypervisor), you'll see something like this:

# ovs-ofctl dump-flows onebr1
 cookie=0x0, duration=1184.051s, table=0, n_packets=672, n_bytes=28992, priority=100,in_port="one-0-0" actions=note:00.00.00.00.00.00,resubmit(,10)
 cookie=0x0, duration=1183.478s, table=0, n_packets=14, n_bytes=1076, priority=100,in_port="one-0-1" actions=note:00.00.00.00.00.01,resubmit(,10)
 cookie=0x0, duration=1146.062s, table=0, n_packets=654, n_bytes=28236, priority=100,in_port="one-1-1" actions=note:00.00.00.01.00.01,resubmit(,10)
 cookie=0x0, duration=2121.516s, table=0, n_packets=21, n_bytes=1398, priority=0 actions=NORMAL
 cookie=0x0, duration=1183.974s, table=10, n_packets=653, n_bytes=27426, priority=50000,arp,in_port="one-0-0",dl_src=02:00:c0:a8:96:02 actions=resubmit(,20)
 cookie=0x0, duration=1183.299s, table=10, n_packets=0, n_bytes=0, priority=50000,arp,in_port="one-0-1",dl_src=02:00:c0:a8:96:03 actions=resubmit(,20)
 cookie=0x0, duration=1146.022s, table=10, n_packets=635, n_bytes=26670, priority=50000,arp,in_port="one-1-1",dl_src=02:00:c0:a8:96:04 actions=resubmit(,20)
 cookie=0x0, duration=1183.947s, table=10, n_packets=19, n_bytes=1566, priority=45000,in_port="one-0-0",dl_src=02:00:c0:a8:96:02 actions=resubmit(,20)
 cookie=0x0, duration=1183.237s, table=10, n_packets=14, n_bytes=1076, priority=45000,in_port="one-0-1",dl_src=02:00:c0:a8:96:03 actions=resubmit(,20)
 cookie=0x0, duration=1145.983s, table=10, n_packets=19, n_bytes=1566, priority=45000,in_port="one-1-1",dl_src=02:00:c0:a8:96:04 actions=resubmit(,20)
 cookie=0x0, duration=1184.024s, table=10, n_packets=0, n_bytes=0, priority=100,in_port="one-0-0" actions=resubmit(,20)
 cookie=0x0, duration=1183.922s, table=10, n_packets=0, n_bytes=0, priority=40000,in_port="one-0-0" actions=drop
 cookie=0x0, duration=1183.422s, table=10, n_packets=0, n_bytes=0, priority=100,in_port="one-0-1" actions=resubmit(,20)
 cookie=0x0, duration=1183.171s, table=10, n_packets=0, n_bytes=0, priority=40000,in_port="one-0-1" actions=drop
 cookie=0x0, duration=1146.049s, table=10, n_packets=0, n_bytes=0, priority=100,in_port="one-1-1" actions=resubmit(,20)
 cookie=0x0, duration=1145.958s, table=10, n_packets=0, n_bytes=0, priority=40000,in_port="one-1-1" actions=drop
 cookie=0x0, duration=1183.898s, table=20, n_packets=20, n_bytes=840, priority=50000,arp,in_port="one-0-0",arp_spa=192.168.150.2 actions=NORMAL
 cookie=0x0, duration=1183.872s, table=20, n_packets=5, n_bytes=490, priority=45000,ip,in_port="one-0-0",nw_src=192.168.150.2 actions=NORMAL
 cookie=0x0, duration=1183.075s, table=20, n_packets=0, n_bytes=0, priority=50000,arp,in_port="one-0-1",arp_spa=192.168.150.3 actions=NORMAL
 cookie=0x0, duration=1183.011s, table=20, n_packets=0, n_bytes=0, priority=45000,ip,in_port="one-0-1",nw_src=192.168.150.3 actions=NORMAL
 cookie=0x0, duration=1145.926s, table=20, n_packets=635, n_bytes=26670, priority=50000,arp,in_port="one-1-1",arp_spa=192.168.150.4 actions=NORMAL
 cookie=0x0, duration=1145.896s, table=20, n_packets=5, n_bytes=490, priority=45000,ip,in_port="one-1-1",nw_src=192.168.150.4 actions=NORMAL
 cookie=0x0, duration=1183.845s, table=20, n_packets=633, n_bytes=26586, priority=49000,arp,in_port="one-0-0" actions=drop
 cookie=0x0, duration=1183.730s, table=20, n_packets=0, n_bytes=0, priority=40000,ip,in_port="one-0-0" actions=drop
 cookie=0x0, duration=1183.699s, table=20, n_packets=13, n_bytes=990, priority=40000,ipv6,in_port="one-0-0" actions=drop
 cookie=0x0, duration=1182.951s, table=20, n_packets=0, n_bytes=0, priority=49000,arp,in_port="one-0-1" actions=drop
 cookie=0x0, duration=1182.715s, table=20, n_packets=0, n_bytes=0, priority=40000,ip,in_port="one-0-1" actions=drop
 cookie=0x0, duration=1182.664s, table=20, n_packets=13, n_bytes=990, priority=40000,ipv6,in_port="one-0-1" actions=drop
 cookie=0x0, duration=1145.862s, table=20, n_packets=0, n_bytes=0, priority=49000,arp,in_port="one-1-1" actions=drop
 cookie=0x0, duration=1145.723s, table=20, n_packets=0, n_bytes=0, priority=40000,ip,in_port="one-1-1" actions=drop
 cookie=0x0, duration=1145.687s, table=20, n_packets=13, n_bytes=990, priority=40000,ipv6,in_port="one-1-1" actions=drop
 cookie=0x0, duration=1183.814s, table=20, n_packets=0, n_bytes=0, priority=44000,udp,in_port="one-0-0",nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=NORMAL
 cookie=0x0, duration=1182.893s, table=20, n_packets=0, n_bytes=0, priority=44000,udp,in_port="one-0-1",nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=NORMAL
 cookie=0x0, duration=1145.835s, table=20, n_packets=0, n_bytes=0, priority=44000,udp,in_port="one-1-1",nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=NORMAL
 cookie=0x0, duration=1183.786s, table=20, n_packets=0, n_bytes=0, priority=44000,icmp6,in_port="one-0-0",ipv6_src=::,icmp_type=133 actions=NORMAL
 cookie=0x0, duration=1183.760s, table=20, n_packets=1, n_bytes=86, priority=44000,icmp6,in_port="one-0-0",ipv6_src=::,icmp_type=135 actions=NORMAL
 cookie=0x0, duration=1182.822s, table=20, n_packets=0, n_bytes=0, priority=44000,icmp6,in_port="one-0-1",ipv6_src=::,icmp_type=133 actions=NORMAL
 cookie=0x0, duration=1182.773s, table=20, n_packets=1, n_bytes=86, priority=44000,icmp6,in_port="one-0-1",ipv6_src=::,icmp_type=135 actions=NORMAL
 cookie=0x0, duration=1145.804s, table=20, n_packets=0, n_bytes=0, priority=44000,icmp6,in_port="one-1-1",ipv6_src=::,icmp_type=133 actions=NORMAL
 cookie=0x0, duration=1145.767s, table=20, n_packets=1, n_bytes=86, priority=44000,icmp6,in_port="one-1-1",ipv6_src=::,icmp_type=135 actions=NORMAL
 cookie=0x0, duration=1183.998s, table=20, n_packets=0, n_bytes=0, priority=100,in_port="one-0-0" actions=NORMAL
 cookie=0x0, duration=1183.362s, table=20, n_packets=0, n_bytes=0, priority=100,in_port="one-0-1" actions=NORMAL
 cookie=0x0, duration=1146.035s, table=20, n_packets=0, n_bytes=0, priority=100,in_port="one-1-1" actions=NORMAL

Note that the traffic is dropped by the following flow, the catch-all ARP drop for port one-0-0 (the only higher-priority ARP rule for that port accepts arp_spa=192.168.150.2):

cookie=0x0, duration=1183.845s, table=20, n_packets=633, n_bytes=26586, priority=49000,arp,in_port="one-0-0" actions=drop
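To reason about which frames the pipeline above accepts, here is an added Python evaluator (written for this page, not OpenNebula's or Open vSwitch's code). It parses a subset of the dump-flows output quoted in the issue, embedded inline, walks tables 0/10/20 the way OVS does (highest priority wins, resubmit recurses, a table miss drops), and returns the verdict for a frame entering a given port. It only understands the match fields and actions present in this dump; the assumed helper check() builds the packet description.

```python
import re

# Subset of the `ovs-ofctl dump-flows onebr1` output quoted in the issue (VM 0's
# ports one-0-0 and one-0-1); cookie/duration/counters are parsed but ignored.
FLOWS = """\
 cookie=0x0, duration=1184.051s, table=0, n_packets=672, n_bytes=28992, priority=100,in_port="one-0-0" actions=note:00.00.00.00.00.00,resubmit(,10)
 cookie=0x0, duration=1183.478s, table=0, n_packets=14, n_bytes=1076, priority=100,in_port="one-0-1" actions=note:00.00.00.00.00.01,resubmit(,10)
 cookie=0x0, duration=1183.974s, table=10, n_packets=653, n_bytes=27426, priority=50000,arp,in_port="one-0-0",dl_src=02:00:c0:a8:96:02 actions=resubmit(,20)
 cookie=0x0, duration=1183.299s, table=10, n_packets=0, n_bytes=0, priority=50000,arp,in_port="one-0-1",dl_src=02:00:c0:a8:96:03 actions=resubmit(,20)
 cookie=0x0, duration=1183.947s, table=10, n_packets=19, n_bytes=1566, priority=45000,in_port="one-0-0",dl_src=02:00:c0:a8:96:02 actions=resubmit(,20)
 cookie=0x0, duration=1183.898s, table=20, n_packets=20, n_bytes=840, priority=50000,arp,in_port="one-0-0",arp_spa=192.168.150.2 actions=NORMAL
 cookie=0x0, duration=1183.872s, table=20, n_packets=5, n_bytes=490, priority=45000,ip,in_port="one-0-0",nw_src=192.168.150.2 actions=NORMAL
 cookie=0x0, duration=1183.075s, table=20, n_packets=0, n_bytes=0, priority=50000,arp,in_port="one-0-1",arp_spa=192.168.150.3 actions=NORMAL
 cookie=0x0, duration=1183.845s, table=20, n_packets=633, n_bytes=26586, priority=49000,arp,in_port="one-0-0" actions=drop
 cookie=0x0, duration=1183.730s, table=20, n_packets=0, n_bytes=0, priority=40000,ip,in_port="one-0-0" actions=drop
"""

def parse_flows(text):
    """-> [(table, priority, {field: value or True for bare keywords}, [actions])]"""
    flows = []
    for line in (l for l in text.splitlines() if " actions=" in l):
        left, right = line.strip().split(" actions=", 1)
        m = {}
        for key, _, val in (t.partition("=") for t in re.split(r",\s*", left)):
            if key not in ("cookie", "duration", "n_packets", "n_bytes"):
                m[key] = val.strip('"') if val else True   # bare: arp, ip, udp...
        flows.append((int(m.pop("table")), int(m.pop("priority", 32768)), m,
                      re.findall(r"resubmit\(,\d+\)|[^,]+", right)))
    return flows

def matches(m, pkt):
    return all(k in pkt["protos"] if v is True else pkt.get(k) == v
               for k, v in m.items())

def verdict(flows, pkt, table=0):
    """OVS semantics: highest priority wins, resubmit re-runs a table, miss drops."""
    cands = [f for f in flows if f[0] == table and matches(f[2], pkt)]
    if not cands:
        return "drop"
    for act in max(cands, key=lambda f: f[1])[3]:
        if act in ("NORMAL", "drop"):
            return act
        if act.startswith("resubmit(,"):
            return verdict(flows, pkt, int(act[10:-1]))
    return "drop"

def check(in_port, dl_src, protos, **fields):
    """Assumed helper: verdict for a frame entering in_port (arp_spa=/nw_src=...)."""
    pkt = {"in_port": in_port, "dl_src": dl_src, "protos": set(protos), **fields}
    return verdict(parse_flows(FLOWS), pkt)
```

Running check("one-0-0", "02:00:c0:a8:96:02", {"arp"}, arp_spa="192.168.150.3") returns "drop": an ARP reply for VM 0's second address leaving its first port is caught by the 49000 catch-all, while the same reply from one-0-1 with its own MAC is forwarded.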

Use case

Support IP Spoofing for OVS when more than one NIC is attached to a VM.

Interface Changes

Open vSwitch network driver.

Progress Status

  • [ ] Branch created
  • [ ] Code committed to development branch
  • [ ] Testing - QA
  • [ ] Documentation
  • [ ] Release notes - resolved issues, compatibility, known issues
  • [ ] Code committed to upstream release/hotfix branches
  • [ ] Documentation committed to upstream release/hotfix branches

OpenNebulaSupport, Nov 24 '21 16:11