<table class="head">
<tr>
<td class="head-ltitle">MAC_IPACL(4)</td>
<td class="head-vol">Device Drivers Manual</td>
<td class="head-rtitle">MAC_IPACL(4)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">mac_ipacl</code> — <span class="Nd">IP
Address access control policy</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp">Add the following lines in your kernel configuration file to
compile the IP address access control policy into your kernel:</p>
<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code>
<br/>
<code class="Cd">options MAC_IPACL</code></div>
<p class="Pp">To load the mac_ipacl policy module at boot time, add the
following line in your kernel configuration file:</p>
<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code></div>
<p class="Pp">and in <a class="Xr">loader.conf(5)</a> add:</p>
<p class="Pp"></p>
<div class="Bd Bd-indent"><code class="Li">mac_ipacl_load="YES"</code></div>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">The <code class="Nm">mac_ipacl</code> policy allows the root user of
the host to use the <a class="Xr">sysctl(8)</a> interface to limit which IPv4 and
IPv6 addresses a <a class="Xr">VNET(9)</a> jail may set. This lets the host
define, through <a class="Xr">sysctl(8)</a> MIBs, rules that specify which IP
addresses each jail may assign to which of its interfaces.</p>
<p class="Pp">When the <code class="Nm">mac_ipacl</code> policy is enforced, its
default behavior is to deny all IP addresses to the jail; individual addresses
or subnets are then allowed or denied according to the
<var class="Va">security.mac.ipacl.rules</var> string set with
<a class="Xr">sysctl(8)</a>.</p>
<section class="Ss">
<h2 class="Ss" id="Runtime_Configuration"><a class="permalink" href="#Runtime_Configuration">Runtime
Configuration</a></h2>
<p class="Pp">The following <a class="Xr">sysctl(8)</a> MIBs are used to control
enforcement and behavior of this MAC Policy.</p>
<dl class="Bl-tag">
<dt id="security.mac.ipacl.ipv4"><var class="Va">security.mac.ipacl.ipv4</var></dt>
<dd>Enforce <code class="Nm">mac_ipacl</code> for IPv4 addresses. (Default:
1).</dd>
<dt id="security.mac.ipacl.ipv6"><var class="Va">security.mac.ipacl.ipv6</var></dt>
<dd>Enforce <code class="Nm">mac_ipacl</code> for IPv6 addresses. (Default:
1).</dd>
<dt id="security.mac.ipacl.rules"><var class="Va">security.mac.ipacl.rules</var></dt>
<dd>The IP address access control list is specified in the following format:
<p class="Pp"></p>
<div class="Bd Bd-indent">jid,allow,interface,addr_family,IP_addr/prefix[@jid,...]</div>
<dl class="Bl-tag">
<dt>jid</dt>
<dd>The jail ID of the jail the rule applies to.</dd>
<dt>allow</dt>
<dd>1 to allow, 0 to deny; the action taken when the rule matches.</dd>
<dt>interface</dt>
<dd>Name of the interface the rule is enforced for. If the interface is
left empty, it is a wildcard and the rule is enforced for all
interfaces.</dd>
<dt>addr_family</dt>
<dd>Address family of IP_addr; must be given as the string AF_INET or
AF_INET6 only.</dd>
<dt>IP_addr</dt>
<dd>IP address (or subnet) to be allowed or denied. Whether it is treated
as a single address or as a subnet depends on the prefix length.</dd>
<dt>prefix</dt>
<dd>Prefix length of the subnet to be enforced by the policy. -1 means the
rule applies to the individual IP address only. A non-negative value is
the prefix length of a subnet, and the rule applies to every address in
that subnet, calculated as subnet = IP_addr & mask.</dd>
</dl>
</dd>
</dl>
</section>
</section>
<section class="Sh">
<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1>
<p class="Pp">Behavior of the <code class="Nm">mac_ipacl</code> policy module
for different inputs of sysctl variable:</p>
<dl class="Bl-tag">
<dt>1.</dt>
<dd>Assign ipv4=1, ipv6=0 and
rules="1,1,,AF_INET,169.254.123.123/-1"
<p class="Pp">It allows only the IPv4 address 169.254.123.123 for all
interfaces (wildcard) of jail 1. It allows all IPv6 addresses since the
policy is not enforced for IPv6.</p>
</dd>
<dt>2.</dt>
<dd>Assign ipv4=1, ipv6=1 and
rules="1,1,epair0b,AF_INET6,fe80::/32@1,0,epair0b,AF_INET6,fe80::abcd/-1"
<p class="Pp">It denies all IPv4 addresses as the policy is enforced but no
rules are specified about it. It allows all IPv6 addresses in subnet
fe80::/32 except fe80::abcd for interface epair0b only.</p>
</dd>
<dt>3.</dt>
<dd>Assign ipv4=1, ipv6=1,
rules="2,1,,AF_INET6,fc00::/7@2,0,,AF_INET6,fc00::1111:2200/120@2,1,,AF_INET6,fc00::1111:2299/-1@1,1,,AF_INET,198.51.100.0/24"
<p class="Pp">It allows IPv4 in subnet 198.51.100.0/24 for jail 2 and all
interfaces. It allows IPv6 addresses in subnet fc00::/7 but denies
subnet fc00::1111:2200/120, and allows individual IP fc00::1111:2299
from the denied subnet for all interfaces in jail 2.</p>
</dd>
</dl>
Refer to the mac/ipacl tests in the FreeBSD test framework for a wide variety of
examples on using the ipacl module.
</section>
<section class="Sh">
<h1 class="Sh" id="LIMITATIONS/PRECAUTIONS"><a class="permalink" href="#LIMITATIONS/PRECAUTIONS">LIMITATIONS/PRECAUTIONS</a></h1>
<p class="Pp">When multiple rules apply to an IP address or a set of IP
addresses, the rule defined later in the list determines the outcome,
disregarding any earlier rule for that IP address. Rule order therefore
matters: a broad allow followed by a narrow deny is not equivalent to the same
rules in the opposite order.</p>
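As an added illustration (not part of this manual page or of the kernel's own implementation), the following Python model applies the documented semantics of the rules string: default deny when the address family is enforced, prefix -1 as an exact-address match, a non-negative prefix as a subnet match (IP_addr & mask), and a later matching rule overriding an earlier one. It is written to be run against the example rule strings given above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Rule:
    jid: int
    allow: bool
    interface: str   # "" is a wildcard that matches every interface
    family: str      # "AF_INET" or "AF_INET6"
    addr: Addr
    prefix: int      # -1: exact address; otherwise subnet prefix length


def parse_rules(rules: str) -> List[Rule]:
    """Parse a security.mac.ipacl.rules string; rules are separated by '@'."""
    out: List[Rule] = []
    for entry in filter(None, rules.split("@")):
        jid, allow, iface, family, ip_prefix = entry.split(",")
        ip, prefix = ip_prefix.rsplit("/", 1)
        addr = ipaddress.ip_address(ip)
        if family != {4: "AF_INET", 6: "AF_INET6"}[addr.version]:
            raise ValueError(f"addr_family does not match IP_addr: {entry}")
        out.append(Rule(int(jid), allow == "1", iface, family, addr, int(prefix)))
    return out


def rule_matches(rule: Rule, jid: int, iface: str, addr: Addr) -> bool:
    """True when the rule covers this jail, interface and address."""
    if rule.jid != jid or (rule.interface and rule.interface != iface):
        return False
    if rule.addr.version != addr.version:
        return False
    if rule.prefix == -1:
        return rule.addr == addr            # individual address only
    # subnet = IP_addr & mask, i.e. the network containing the rule address
    return addr in ipaddress.ip_network(f"{rule.addr}/{rule.prefix}", strict=False)


def is_allowed(rules: str, jid: int, iface: str, ip: str, ipv4: int = 1, ipv6: int = 1) -> bool:
    """Decide whether a jail may set `ip` on `iface` under the given sysctl values."""
    addr = ipaddress.ip_address(ip)
    if (addr.version == 4 and not ipv4) or (addr.version == 6 and not ipv6):
        return True                         # family not enforced: no restriction
    verdict = False                         # enforced: default deny
    for rule in parse_rules(rules):
        if rule_matches(rule, jid, iface, addr):
            verdict = rule.allow            # later matching rule wins
    return verdict
```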
</section>
<section class="Sh">
<h1 class="Sh" id="FUTURE_WORKS"><a class="permalink" href="#FUTURE_WORKS">FUTURE
WORKS</a></h1>
<p class="Pp">Rules are given through the sysctl interface, which becomes
unwieldy when many rules must be supplied on the command line. A simpler way
to input those rules is needed.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp"><a class="Xr">mac(4)</a>, <a class="Xr">mac(9)</a></p>
</section>
<section class="Sh">
<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
<p class="Pp">The <code class="Nm">mac_ipacl</code> policy module was developed
as a Google Summer of Code Project in 2019 by <span class="An">Shivank
Garg</span>
<<a class="Mt" href="mailto:shivank@FreeBSD.org">shivank@FreeBSD.org</a>>
under the guidance of <span class="An">Bjoern A. Zeeb</span>
<<a class="Mt" href="mailto:bz@FreeBSD.org">bz@FreeBSD.org</a>>.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">July 25, 2023</td>
<td class="foot-os">FreeBSD 15.0</td>
</tr>
</table>