Date:      Sat, 1 Aug 2020 14:51:44 +0000
From:      Mark Raynsford <list+org.freebsd.virtualization@io7m.com>
To:        freebsd-virtualization@freebsd.org
Subject:   Restricting IP ranges for guests over tap devices
Message-ID:  <20200801145144.7bf342d9@sunflower.int.arc7.info>

Hello!

Let's say I have a machine running a few dozen bhyve guests. Each bhyve
guest gets its own tap device, and all of the tap devices are connected
to a bridge.

Everything works fine. I can write pf rules that control access between
each guest, and between each guest and the world. I can't directly
observe the IP addresses that the guests have assigned to the tap
devices I gave them, but if I know the addresses beforehand, I can for
example write pf rules that say things like:

  block log all
  pass in on tap23 proto tcp \
    from any to $guest_23_ip port ssh modulate state

That then means that even if the guest is compromised and tries to bind
a server to another address, the pf rules won't allow anyone else to
actually connect to it.

The good thing about this is also the bad thing about this; I have to
write specific rules that say "only allow access to this specific IP
via this specific tap device". Over dozens of guests, that can multiply
to hundreds of laboriously maintained rules.

Is there some more general way I can supply a mapping between tap
devices and allowed addresses? Remember that pf can't see the guest
addresses on the host sides of the tap devices, so I can't use the
(device) syntax to expand to "the address of a NIC called 'device'".

I can generate rule sets, but perhaps there's something "better"[0]? The
documentation isn't suggesting much.

[0] Better in the sense that, for example, a table is usually better
    than a massive list of macros. :)

--
Mark Raynsford | https://www.io7m.com
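One way to do the "generate rule sets" option mentioned in the post, as an added example rather than anything from the original message: a POSIX sh script that keeps the tap-to-address mapping in one place and derives the per-guest macros and pf rules from it, in the same shape as the rules quoted above. The tap names and 192.0.2.x addresses in the mapping are constructed placeholders, and the `gen_pf_rules` / `count_pass_rules` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): derive a pf ruleset from a
# single tap-device -> guest-address mapping, so the per-guest rules are
# generated from one table instead of being maintained by hand.
#
# The mapping is constructed for illustration; the tap names and the
# 192.0.2.0/24 addresses are placeholders.
GUEST_MAP='# tap   guest address
tap23   192.0.2.23
tap24   192.0.2.24
tap25   192.0.2.25'

# Emit a ruleset for the mapping passed as $1 ("tapN address" per line).
# Output mirrors the post: one $guest_N_ip macro per guest, a default
# block, then a stateful pass for ssh to each guest's own address on its
# own tap device. Blank lines and '#' comments in the mapping are skipped.
gen_pf_rules() {
  map=$1
  # macros first, so the rules below can reference them
  printf '%s\n' "$map" | while read -r tap addr; do
    case "$tap" in ''|\#*) continue ;; esac
    printf 'guest_%s_ip = "%s"\n' "${tap#tap}" "$addr"
  done
  printf 'block log all\n'
  printf '%s\n' "$map" | while read -r tap addr; do
    case "$tap" in ''|\#*) continue ;; esac
    printf 'pass in on %s proto tcp from any to $guest_%s_ip port ssh modulate state\n' \
      "$tap" "${tap#tap}"
  done
}

# Number of pass rules produced for a mapping: a cheap sanity check that
# every mapping line turned into a rule before the file is loaded.
count_pass_rules() {
  gen_pf_rules "$1" | grep -c '^pass '
}

gen_pf_rules "$GUEST_MAP"
```

Redirect the output to a file and run `pfctl -nf` on it to parse it without loading; keeping the generated rules in their own file and pulling them in with `load anchor` from the main pf.conf keeps the hand-written policy separate from the generated part.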

