
Feature #5198

Want alternate global zone rule set for each ipf netstack

Added by Robert Mustacchi over 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: networking
Start date: 2014-10-01
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Description

We have lots of occasions where we want to be able to install a set of ipf rules for a zone which we do not want a root user in a zone to be able to undo. This work introduces the notion that each netstack (aside from the global zone) should have two different sets of IPF firewall rules. One that the global zone manages and that the zones inside of the netstack cannot see, and then the normal per-netstack firewall. Packets will pass through the global zone rule set before the local zones for incoming packets, and for outgoing packets they will pass through the local zone's before going through the global zones. This allows it to be modeled as an off-link firewall.

History

#1

Updated by Robert Mustacchi over 5 years ago

  • Assignee set to Rob Gulewich

#2

Updated by Rob Gulewich over 5 years ago

Traffic flow

Diagram of the traffic flow for zones:

Inbound:

    nic ---> [ GZ-controlled rules ] ---> [ per-zone rules ] ---> zone

Outbound:

    nic <--- [ GZ-controlled rules ] <--- [ per-zone rules ] <--- zone

Note that the Global Zone doesn't have a GZ-controlled stack - only the in-zone one.

Command arguments

All of the ipfilter tools have been changed so they can operate on both the in-zone and GZ-controlled ipfilter stacks. GZ-controlled stacks can only be observed and manipulated from the Global Zone: attempting to do this from inside a non-global zone will result in a "Permission denied setting zone" error. The syntax for these commands is:

ipf(1m):

GZ: Operate on a zone's in-zone stack:

    ipf -V <zone name>

GZ: Operate on a zone's GZ-controlled stack:

    ipf -G -V <zone name>

GZ / non-GZ: Operate on the current zone's in-zone stack:

    ipf -V

(No zone name needs to be specified - this is the old ipf syntax.)

Other ipfilter tools (ipnat(1m), ipfstat(1m), etc.):

GZ: Operate on a zone's in-zone stack:

    ipnat -z <zone name> -l

GZ: Operate on a zone's GZ-controlled stack:

    ipnat -G <zone name> -l

GZ / non-GZ: Operate on the current zone's in-zone stack:

    ipnat -l

(No zone name needs to be specified - this is the old ipf syntax.)

The intention was to make the ipf commands consistent with other illumos commands that already use "-z <zonename>" to operate on a specific zone. The problem with making all of the commands use -z is that ipf(1m) already has a -z option. The problem with making all of them take a zone name as the last argument is that ipmon(1m) already takes an optional argument. In other words, all commands couldn't have the same UI - either ipf or ipmon would have to be inconsistent.

Faced with this choice, I ended up going with -z for consistency with other non-ipf commands.

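The following is an added illustration, not code from illumos or from this change, of the two-tier evaluation the description and the traffic-flow diagram above lay out: inbound packets meet the GZ-controlled rules before the per-zone rules, outbound packets the reverse, and only the global zone can touch the GZ-controlled set. The rule model is deliberately simplified (one rule matches on direction, protocol and destination port; the last matching rule in a set wins, as in ipf's default non-"quick" semantics; no state table, no NAT) and all rules and packets are constructed for the example. It shows why the feature behaves like an off-link firewall: root inside the zone can add, override or flush its own rules, and none of that changes what the GZ-controlled set does to the packet.

```python
"""Constructed model of a netstack with a GZ-controlled and an in-zone ipf rule set.

Not illumos/ipfilter code. Rule and packet formats are simplified assumptions
made for this illustration; only the ordering of the two tiers and the
"zone root cannot undo GZ policy" property are taken from the issue text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, pkt: Dict) -> bool:
        return (self.direction == pkt["dir"]
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))


def evaluate(rules: List[Rule], pkt: Dict, default: str = "pass") -> str:
    """Default ipf semantics (no 'quick'): the last matching rule decides."""
    verdict = default
    for r in rules:
        if r.matches(pkt):
            verdict = r.action
    return verdict


@dataclass
class Netstack:
    # Edited only from the global zone (the page's `ipf -G -V <zone name>` path).
    gz_rules: List[Rule] = field(default_factory=list)
    # Edited by root inside the zone (plain `ipf -V` there).
    zone_rules: List[Rule] = field(default_factory=list)

    def filter(self, pkt: Dict) -> Tuple[str, Optional[str]]:
        """Return (verdict, tier that dropped it or None).

        Inbound:  nic -> GZ-controlled -> per-zone -> zone
        Outbound: zone -> per-zone -> GZ-controlled -> nic
        """
        if pkt["dir"] == "in":
            order = (("gz", self.gz_rules), ("zone", self.zone_rules))
        else:
            order = (("zone", self.zone_rules), ("gz", self.gz_rules))
        for tier, rules in order:
            if evaluate(rules, pkt) == "block":
                return ("block", tier)
        return ("pass", None)


def packet(direction: str, proto: str, dport: int) -> Dict:
    return {"dir": direction, "proto": proto, "dport": dport}


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Scenario from the description: the zone's root cannot undo GZ policy."""
    ns = Netstack()
    # Constructed GZ policy: no inbound telnet, no outbound SMTP from this zone.
    ns.gz_rules = [Rule("block", "in", "tcp", 23),
                   Rule("block", "out", "tcp", 25)]
    # Constructed in-zone policy: tries to re-open telnet, and blocks ssh itself.
    ns.zone_rules = [Rule("pass", "in", "tcp", 23),
                     Rule("block", "in", "tcp", 22)]
    out = {}
    out["in_telnet"] = ns.filter(packet("in", "tcp", 23))    # dropped by GZ tier first
    out["in_ssh"] = ns.filter(packet("in", "tcp", 22))       # zone's own block
    out["out_smtp"] = ns.filter(packet("out", "tcp", 25))    # passes zone tier, GZ drops
    out["out_http"] = ns.filter(packet("out", "tcp", 80))    # nothing matches
    # Zone root flushes its own set (`ipf -Fa` inside the zone); GZ set untouched.
    ns.zone_rules.clear()
    out["in_telnet_after_flush"] = ns.filter(packet("in", "tcp", 23))
    out["in_ssh_after_flush"] = ns.filter(packet("in", "tcp", 22))
    out["out_smtp_after_flush"] = ns.filter(packet("out", "tcp", 25))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result}")
```

The tier recorded in the result is the point of the ordering: an inbound packet blocked by the GZ-controlled set never reaches the per-zone rules, so it is also invisible to the zone's own ipfstat/ipmon view, exactly as if an upstream device had dropped it.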
#3

Updated by Electric Monk about 5 years ago

  • Status changed from New to Closed

git commit 94bdecd9e84ae1042607002db3e64a6849da5874

commit  94bdecd9e84ae1042607002db3e64a6849da5874
Author: Rob Gulewich <robert.gulewich@joyent.com>
Date:   2014-12-11T02:00:29.000Z

    5198 Want alternate global zone rule set for each ipf netstack
    5197 Global zone should be able to manage NGZ ipf state
    Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Reviewed by: Dan McDonald <danmcd@omniti.com>
    Reviewed by: Darren Reed <darrenr@fastmail.net>
    Approved by: Richard Lowe <richlowe@richlowe.net>
