The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7808
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
From 8c882ada631fd7b95052ed4fac2676aa2b5fa1ad Mon Sep 17 00:00:00 2001 From: Thomas Parrott <thomas.parr...@canonical.com> Date: Tue, 25 Aug 2020 11:21:59 +0100 Subject: [PATCH] doc/security: Adds note about non-IP ethernet frame filtering to stop VLAN QinQ bypass Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com> --- doc/security.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/doc/security.md b/doc/security.md index 9e500ce19a..ad12291be4 100644 --- a/doc/security.md +++ b/doc/security.md @@ -252,8 +252,8 @@ Used together these features can prevent an instance connected to a bridge from These are implemented using either `xtables` (iptables, ip6tables and ebtables) or `nftables`, depending on what is available on the host. -It's worth noting that those options effectively prevent nested containers, at least nested containers on the -same network as their parent. +It's worth noting that those options effectively prevent nested containers from using the parent network with a +different MAC address (i.e using bridged or macvlan NICs). The IP filtering features block ARP and NDP advertisements that contain a spoofed IP, as well as blocking any packets that contain a spoofed source address. @@ -264,6 +264,9 @@ that protocol is blocked from the instance. When `security.ipv6\_filtering` is enabled IPv6 router advertisements are blocked from the instance. +When `security.ipv4\_filtering` or `security.ipv6\_filtering` is enabled, any Ethernet frames that are not ARP, +IPv4 or IPv6 are dropped. This prevents stacked VLAN QinQ (802.1ad) frames from bypassing the IP filtering. + ### Routed NIC security An alternative networking mode is available called `routed` that provides a veth pair between container and host.
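Review bot: in the first hunk (@@ -252,8 +252,8 @@), the new parenthetical "(i.e using bridged or macvlan NICs)" is missing the period after "i.e.", and the sentence would be clearer if it said what is actually being blocked: the preceding context line attributes the effect to the options "Used together", but the restriction described here is specifically that a nested container's NIC appears on the parent's interface with its own source MAC, which the filtering rejects. Suggest: "It's worth noting that those options effectively prevent nested containers from using the parent network with a different MAC address (i.e. nested containers using bridged or macvlan NICs, which present their own source MAC on the parent's interface)."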
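Review bot: in the second hunk (@@ -264,6 +264,9 @@), the added paragraph states that any frame that is not ARP, IPv4 or IPv6 is dropped, which also covers single-tagged 802.1Q frames and not only the stacked 802.1ad QinQ case the second sentence names; since any VLAN tag hides the IP header from the IP-level rules, and since an instance running VLAN sub-interfaces on a filtered NIC will lose that traffic once these options are enabled, the doc should say so explicitly rather than leaving the reader to infer it. Suggest: "When `security.ipv4\_filtering` or `security.ipv6\_filtering` is enabled, any Ethernet frames that are not ARP, IPv4 or IPv6 are dropped. This includes VLAN-tagged frames (802.1Q as well as stacked 802.1ad QinQ), which would otherwise bypass the IP filtering because the tag hides the IP header from the filter rules; instances that need to send or receive VLAN-tagged traffic therefore cannot use these options."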
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel