9/5/2017 - 12:34 PM

Block gw_mgmt access

Block gw_mgmt access


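# Exactly one argument is required: the network id of the RouterOS (ROS) guest.
if [[ $# -ne 1 ]]; then
  echo "Incorrect number of pawwametews" >&2
  exit 1
fi
netid=$1 # in format 00d0

# netid is spliced into the libvirt domain name (routeros_<netid>) and into the
# cookie (0x<netid>) of every flow rule fed to ovs-ofctl below. Accept hex
# digits only, so a stray comma, space or newline in the argument cannot add
# match fields or whole extra rules to the flow table.
hex_re='^[0-9a-fA-F]+$'
if [[ ! $netid =~ $hex_re ]]; then
  echo "netid must consist of hexadecimal digits only (e.g. 00d0)" >&2
  exit 1
fi

# get interface name and mac of ROS in ()
#   gwmiface[0] = interface name, gwmiface[1] = MAC address
# read -ra splits the first matching line on whitespace without glob-expanding
# the fields, unlike an unquoted $( ... ) inside an array literal.
gwmiface=()
read -ra gwmiface < <(virsh domiflist "routeros_${netid}" | awk '/gw_mgmt/{print $1" "$5}')
echo "${gwmiface[@]}"

# The MAC is the match key of the drop rules below. If it is missing or
# malformed the rules cannot be installed as intended, so stop here with a
# clear message instead of handing ovs-ofctl a half-filled rule set.
mac_re='^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
if [[ ${#gwmiface[@]} -lt 2 || ! ${gwmiface[1]} =~ $mac_re ]]; then
  echo "could not determine gw_mgmt interface/MAC for routeros_${netid}" >&2
  exit 1
fi

# find OVS portnumber of gwmiface
gwmport=$(ovs-vsctl -f table -d bare --no-heading -- --columns=ofport list Interface "${gwmiface[0]}")
# gwmport should be an int, nothing more
# Only warn: nothing in the visible part of the script consumes gwmport.
int_re='^[0-9]+$'
if [[ ! $gwmport =~ $int_re ]]; then
  echo "warning: unexpected ofport for ${gwmiface[0]}: '${gwmport}'" >&2
fi

# we define our cookie to be 0x04 netid
# NOTE(review): the rules below actually use cookie=0x${netid}; confirm which
# form is intended before relying on the cookie for cleanup.
# So on with it on gw_mgmt
# first we need to get the mac of gw_mgmt
hostmac=$(ip -br link show dev gw_mgmt | awk '{print $3}')

# We're adding flows for every ROS with cookie values, so we can delete them when not needed any more
# very basic rules to impair any connection attempts from ROS (natted or not) to Node (10.199....)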

cat << EOF | ovs-ofctl add-flows gw_mgmt - 
# no multicast
# arp req from Node
# Don't allow arp reqs from ROS
cookie=0x${netid},table=0,priority=1000,arp,arp_sha=${gwmiface[1]} actions=drop
# allow arp req from
cookie=0x${netid},table=0,priority=1001,arp,arp_spa= actions=NORMAL
# Drop all udp
cookie=0x${netid},table=0,priority=1000,udp,dl_src=${gwmiface[1]} actions=drop
# don't allow tcp connection initiation from ROS
cookie=0x${netid},table=0,priority=1000,tcp,dl_src=${gwmiface[1]} ,tcp_flags=+syn-ack actions=drop
# and don't allow outgoing icmp req from ROS -> Node
cookie=0x${netid},table=0,priority=1000,icmp,dl_src=${gwmiface[1]} ,icmp_type=8 actions=drop