Restrict Guest VM 802.1q tagging

V

virtualbitz

Member
Nov 6, 2020
39
4
13
33
I'm using OVS and discovered that If I create a VLAN interface on a guest VM that the OVS bridge will allow it. I want to prevent this and only allow untagged traffic to and from the VM. How would I go about doing this?
 
Last edited:
Bump.

Anyone have an answer for this? Is this not possible? In it's current state, it would appear that a compromised VM could participate in any VLAN it likes. This is pretty big security problem.
 
I haven't tried that, but I don't use the default VLAN. The whole point is to use multiple VLANs and prevent untrusted VMs from being able to cross VM boundaries. This is the default behavior on VMware and I'm looking to replicate it here with OVS
 
virtualbitz said:
The whole point is to use multiple VLANs and prevent untrusted VMs from being able to cross VM boundar
Click to expand...
I want to prevent this and only allow untagged traffic to and from the VM
Click to expand...

so, do you want only untagged, or do you want multiple vlans (with a fixed list) inside a vm ?

you can limit the number of vlans going to a vm, editing the vm config file : "netX: ....,trunks=2-4;6;8;9-10" .
It's not available in the gui currently.


Basically, if you don't define any vlan on the vm interface, it's allow any vlan going to the vm. (until you use trunks..).
if you define a vlan, it's forcing the vlan (like an access-vlan on cisco switch).
 
spirit said:
so, do you want only untagged, or do you want multiple vlans (with a fixed list) inside a vm ?

you can limit the number of vlans going to a vm, editing the vm config file : "netX: ....,trunks=2-4;6;8;9-10" .
It's not available in the gui currently.


Basically, if you don't define any vlan on the vm interface, it's allow any vlan going to the vm. (until you use trunks..).
if you define a vlan, it's forcing the vlan (like an access-vlan on cisco switch).
Click to expand...
Even if I define a VLAN on an interface via the UI, I can still create VLAN interfaces on the guest and Proxmox/OVS will allow it
 
Even if I define a VLAN on an interface via the UI, I can still create VLAN interfaces on the guest and Proxmox/OVS will allow it
Click to expand...

That's really strange, looking at ovs doc

Code: 
http://www.openvswitch.org/support/dist-docs/ovs-vswitchd.conf.db.5.html

      vlan_mode: optional string, one of access, dot1q-tunnel, native-tagged,
       native-untagged, or trunk
              The VLAN mode of the port, as described above. When this  column
              is empty, a default mode is selected as follows:

              ·      If  tag contains a value, the port is an access port. The
                     trunks column should be empty.

              ·      Otherwise, the port is a trunk port.  The  trunks  column
                     value is honored if it is present.

and proxmox code

Code: 
my $ovs_bridge_add_port = sub {
    my ($bridge, $iface, $tag, $internal, $trunks) = @_;

    $trunks =~ s/;/,/g if $trunks;

    my $cmd = ['/usr/bin/ovs-vsctl'];
    # first command
    push @$cmd, '--', 'add-port', $bridge, $iface;
    push @$cmd, "tag=$tag" if $tag;
    push @$cmd, "trunks=". join(',', $trunks) if $trunks;
    push @$cmd, "vlan_mode=native-untagged" if $tag && $trunks;
   ...


so, if a tag is defined on the vm nic gui, the ovs port should be in access mode, and only allow this vlan.
 
spirit said:
That's really strange, looking at ovs doc

Code: 
http://www.openvswitch.org/support/dist-docs/ovs-vswitchd.conf.db.5.html

      vlan_mode: optional string, one of access, dot1q-tunnel, native-tagged,
       native-untagged, or trunk
              The VLAN mode of the port, as described above. When this  column
              is empty, a default mode is selected as follows:

              ·      If  tag contains a value, the port is an access port. The
                     trunks column should be empty.

              ·      Otherwise, the port is a trunk port.  The  trunks  column
                     value is honored if it is present.

and proxmox code

Code: 
my $ovs_bridge_add_port = sub {
    my ($bridge, $iface, $tag, $internal, $trunks) = @_;

    $trunks =~ s/;/,/g if $trunks;

    my $cmd = ['/usr/bin/ovs-vsctl'];
    # first command
    push @$cmd, '--', 'add-port', $bridge, $iface;
    push @$cmd, "tag=$tag" if $tag;
    push @$cmd, "trunks=". join(',', $trunks) if $trunks;
    push @$cmd, "vlan_mode=native-untagged" if $tag && $trunks;
   ...


so, if a tag is defined on the vm nic gui, the ovs port should be in access mode, and only allow this vlan.
Click to expand...

I'll do some testing in my lab this morning to confirm one way or the other. Thinking back I may have been testing with an interface that didn't have a VLAN defined in the Proxmox UI.
 
spirit said:
That's really strange, looking at ovs doc

Code: 
http://www.openvswitch.org/support/dist-docs/ovs-vswitchd.conf.db.5.html

      vlan_mode: optional string, one of access, dot1q-tunnel, native-tagged,
       native-untagged, or trunk
              The VLAN mode of the port, as described above. When this  column
              is empty, a default mode is selected as follows:

              ·      If  tag contains a value, the port is an access port. The
                     trunks column should be empty.

              ·      Otherwise, the port is a trunk port.  The  trunks  column
                     value is honored if it is present.

and proxmox code

Code: 
my $ovs_bridge_add_port = sub {
    my ($bridge, $iface, $tag, $internal, $trunks) = @_;

    $trunks =~ s/;/,/g if $trunks;

    my $cmd = ['/usr/bin/ovs-vsctl'];
    # first command
    push @$cmd, '--', 'add-port', $bridge, $iface;
    push @$cmd, "tag=$tag" if $tag;
    push @$cmd, "trunks=". join(',', $trunks) if $trunks;
    push @$cmd, "vlan_mode=native-untagged" if $tag && $trunks;
   ...


so, if a tag is defined on the vm nic gui, the ovs port should be in access mode, and only allow this vlan.
Click to expand...

Ah okay you're right. If a VLAN ID is defined in the Proxmox UI it's behaves as an "access" interface and only untagged traffic belonging to that VLAN ID will be allowed.

I really wasn't expecting the lack of a defined VLAN for a guest to behave as an unpruned trunk port. If any devs are watching this, I think it would be a good idea to let the user know this in the UI when configuring NIC properties for a guest.

Thanks @spirit and @zimbres for looking into it
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back