forked from containers/libkrun
feat(net): Implement IP filtering for TSI backend #9
Merged
This commit introduces IP-based filtering capabilities for the default TSI
(Transparent Socket Impersonation) network backend in libkrun.
A new C API function, `krun_set_tsi_scope`, allows users to configure:
- An optional static IP address for the guest within the host network
namespace. If specified, the guest can only bind/listen on this IP.
- An optional subnet (in CIDR notation) defining the allowed
communication group when scope 1 is used.
- A reachability scope (0-3) controlling network access:
  - 0: Deny all IP communication.
  - 1: Allow communication only within the specified `subnet`.
  - 2: Allow communication only with public (non-private) IPs.
  - 3: Allow communication with any IP.
The filtering logic is implemented in `src/devices/src/virtio/vsock/ip_filter.rs`
and integrated into the `VsockMuxer`. It checks destination IPs for connect/sendto
operations and bind IPs for listen operations against the configured rules.
If an operation is denied, an appropriate error (ECONNREFUSED or EACCES)
is sent back to the guest via a vsock control message.
This feature enhances security by allowing finer-grained control over the
network connectivity of krun virtual machines when using the TSI backend.
Changes include:
- Added `krun_set_tsi_scope` to `libkrun.h` and implementation in `lib.rs`.
- Added `ipnetwork` dependency to relevant Cargo.toml files.
- Created `ip_filter.rs` module for filtering logic.
- Updated `Vsock` device, `VsockMuxer`, and `VsockDeviceConfig` to handle
IP, subnet, and scope configuration.
- Integrated filtering checks into `VsockMuxer`'s packet processing methods.
- Added helper functions in `VsockMuxer` to send error responses to the guest.
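The scope, subnet and bind rules described above, as an added Rust example that is not part of libkrun or of this PR's `ip_filter.rs`: an IPv4-only filter with a hand-rolled CIDR parser standing in for the `ipnetwork` crate. Which errno goes with which denial (ECONNREFUSED for connect/sendto, EACCES for bind/listen), counting loopback/link-local/unspecified/broadcast as "private", and requiring a bind address to equal the static IP exactly are assumptions of this example, not statements from the PR.

```rust
use std::net::Ipv4Addr;

// Linux errno values; the PR sends one of these back over the vsock control channel.
pub const EACCES: i32 = 13;
pub const ECONNREFUSED: i32 = 111;

/// The four reachability scopes from the PR description (0..=3).
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Scope { DenyAll, Subnet, PublicOnly, Any }

impl Scope {
    /// Reject anything outside 0..=3 instead of silently mapping it to a permissive scope.
    pub fn from_u8(v: u8) -> Option<Scope> {
        match v { 0 => Some(Scope::DenyAll), 1 => Some(Scope::Subnet),
                  2 => Some(Scope::PublicOnly), 3 => Some(Scope::Any), _ => None }
    }
}

/// Minimal IPv4 CIDR block ("10.0.0.0/24"), stored as network bits plus mask.
pub struct Cidr { net: u32, mask: u32 }

impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let (addr, prefix) = s.split_once('/')?;
        let addr: Ipv4Addr = addr.parse().ok()?;
        let prefix: u32 = prefix.parse().ok()?;
        if prefix > 32 { return None; }
        let mask = if prefix == 0 { 0 } else { u32::MAX << (32 - prefix) }; // avoid a 32-bit shift
        Some(Cidr { net: u32::from(addr) & mask, mask })
    }
    pub fn contains(&self, ip: Ipv4Addr) -> bool { u32::from(ip) & self.mask == self.net }
}

/// Mirrors the three krun_set_tsi_scope parameters: static IP, subnet, scope.
pub struct TsiFilter { pub ip: Option<Ipv4Addr>, pub subnet: Option<Cidr>, pub scope: Scope }

// Assumption: "non-private" excludes RFC 1918, loopback, link-local, unspecified and broadcast.
fn is_private(ip: Ipv4Addr) -> bool {
    ip.is_private() || ip.is_loopback() || ip.is_link_local() || ip.is_unspecified() || ip.is_broadcast()
}

impl TsiFilter {
    /// Destination check for connect/sendto; a scope-1 filter with no subnet denies everything.
    pub fn check_connect(&self, dst: Ipv4Addr) -> Result<(), i32> {
        let allowed = match self.scope {
            Scope::DenyAll => false,
            Scope::Subnet => self.subnet.as_ref().map_or(false, |s| s.contains(dst)),
            Scope::PublicOnly => !is_private(dst),
            Scope::Any => true,
        };
        if allowed { Ok(()) } else { Err(ECONNREFUSED) }
    }
    /// Bind check for listen: scope 0 denies, and a configured static IP must match exactly.
    pub fn check_bind(&self, addr: Ipv4Addr) -> Result<(), i32> {
        if self.scope == Scope::DenyAll { return Err(EACCES); }
        match self.ip { Some(ip) if ip != addr => Err(EACCES), _ => Ok(()) }
    }
}
```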
appcypher added a commit that referenced this pull request on Jun 8, 2025:
* feat(net): Implement IP filtering for TSI backend (commit message identical to the PR description above)
* refactor(net): rename reach to scope in header file
appcypher added a commit that referenced this pull request on Jun 26, 2025:
* feat(net): Implement IP filtering for TSI backend (commit message identical to the PR description above)
* refactor(net): rename reach to scope in header file
appcypher added a commit that referenced this pull request on Jun 26, 2025:
* feat(net): Implement IP filtering for TSI backend (commit message identical to the PR description above)
* refactor(net): rename reach to scope in header file