Index: share/man/man4/ng_bpf.4 =================================================================== --- share/man/man4/ng_bpf.4 +++ share/man/man4/ng_bpf.4 @@ -170,6 +170,51 @@ ifNotMatch=\\"${NOTMATCHHOOK}\\" \\ ${BPFPROG} } .Ed + +Based on the previous example, it is possible to prevent a jail (or a VM) +from spoofing by allowing only traffic that has the expected ethernet and +IP addresses: +.Bd -literal -offset 4n +#!/bin/sh + +NODEPATH="my_node:" +JAIL_MAC="0a:00:de:ad:be:ef" +JAIL_IP="128.66.1.42" +JAIL_HOOK="jail" +HOST_HOOK="host" +DEBUG_HOOK="nomatch" + +bpf_prog() { + local PATTERN=$1 + + tcpdump -s 8192 -p -ddd ${PATTERN} | ( + read len + echo -n "bpf_prog_len=$len " + echo -n "bpf_prog=[" + while read code jt jf k ; do + echo -n " { code=$code jt=$jt jf=$jf k=$k }" + done + echo " ]" + ) +} + +# Prevent jail from spoofing (filter packets coming from jail) +ngctl msg ${NODEPATH} setprogram { \\ + thisHook=\\"${JAIL_HOOK}\\" \\ + ifMatch=\\"${HOST_HOOK}\\" \\ + ifNotMatch=\\"${DEBUG_HOOK}\\" \\ + $(bpf_prog "ether src ${JAIL_MAC} && src ${JAIL_IP}") \\ +} + +# Prevent jail from receiving spoofed packets (filter packets +# coming from host) +ngctl msg ${NODEPATH} setprogram { \\ + thisHook=\\"${HOST_HOOK}\\" \\ + ifMatch=\\"${JAIL_HOOK}\\" \\ + ifNotMatch=\\"${DEBUG_HOOK}\\" \\ + $(bpf_prog "ether dst ${JAIL_MAC} && dst ${JAIL_IP}") \\ +} +.Ed .Sh SEE ALSO .Xr bpf 4 , .Xr netgraph 4 ,