<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 28, 2018 at 2:40 PM Daniel P. Berrangé <<a href="mailto:berrange@redhat.com">berrange@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote:<br>
> Hello,<br>
> <br>
> I would like to make a filter that allows communication only between<br>
> specified VMs. Those VMs should be specified by their MAC address. The<br>
> filter should extend clean-traffic but I was not able to get it working<br>
> with that reference. I have come up with a modified clean-traffic which works<br>
> fine [1]. Is there a way to achieve the same behavior with reference to<br>
> clean-traffic?<br>
<br>
Honestly I think the way you've done it is the right way. "clean-traffic"<br>
is best thought of as a simple demo. If it does what you need, great, but<br>
we'd expect people to create their own filters for anything more advanced.<br>
The clean-traffic rules were modularized so you can use <filterrefs> to<br>
avoid too much duplication. So what you've done looks fine to me.<br>
<br></blockquote><div> </div><div>Alright, thank you. </div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> [1]<br>
> <filter name='clean-traffic-gateway'><br>
>   <!-- An example of a traffic filter enforcing clean traffic<br>
>        from a VM by<br>
>        - preventing MAC spoofing --><br>
>   <filterref filter='no-mac-spoofing'/><br>
> <br>
>   <!-- preventing IP spoofing on outgoing --><br>
>   <filterref filter='no-ip-spoofing'/><br>
>   <!-- preventing ARP spoofing/poisoning --><br>
>   <filterref filter='no-arp-spoofing'/><br>
>   <!-- accept all other incoming and outgoing ARP traffic --><br>
>   <rule action='accept' direction='inout' priority='-500'><br>
>     <mac protocolid='arp'/><br>
>   </rule><br>
>   <!-- accept traffic only from specified MAC address --><br>
>   <rule action='accept' direction='in'><br>
>     <mac match='yes' srcmacaddr='$GATEWAY_MAC'<br>
>          srcmacmask='$GATEWAY_MAC_MASK' /><br>
>   </rule><br>
>   <!-- allow traffic only to specified MAC address --><br>
>   <rule action='accept' direction='out'><br>
>     <mac match='yes' dstmacaddr='$GATEWAY_MAC'<br>
>          dstmacmask='$GATEWAY_MAC_MASK' /><br>
>   </rule><br>
>   <!-- preventing any other traffic than between specified MACs<br>
>        and ARP --><br>
>   <filterref filter='no-other-l2-traffic'/><br>
> <br>
>   <!-- allow qemu to send a self-announce upon migration end --><br>
>   <filterref filter='qemu-announce-self'/><br>
> </filter><br>
> <br>
> <br>
> -- <br>
> <br>
> ALES MUSIL<br>
> INTERN - rhv network<br>
> <br>
> Red Hat EMEA <<a href="https://www.redhat.com/" rel="noreferrer" target="_blank">https://www.redhat.com/</a>><br>
> <br>
> <br>
> <a href="mailto:amusil@redhat.com" target="_blank">amusil@redhat.com</a>   IM: amusil<br>
> <<a href="https://red.ht/sig" rel="noreferrer" target="_blank">https://red.ht/sig</a>><br>
<br>
> _______________________________________________<br>
> libvirt-users mailing list<br>
> <a href="mailto:libvirt-users@redhat.com" target="_blank">libvirt-users@redhat.com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/libvirt-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/libvirt-users</a><br>
<br>
<br>
Regards,<br>
Daniel<br>
-- <br>
|: <a href="https://berrange.com" rel="noreferrer" target="_blank">https://berrange.com</a>      -o-    <a href="https://www.flickr.com/photos/dberrange" rel="noreferrer" target="_blank">https://www.flickr.com/photos/dberrange</a> :|<br>
|: <a href="https://libvirt.org" rel="noreferrer" target="_blank">https://libvirt.org</a>         -o-            <a href="https://fstop138.berrange.com" rel="noreferrer" target="_blank">https://fstop138.berrange.com</a> :|<br>
|: <a href="https://entangle-photo.org" rel="noreferrer" target="_blank">https://entangle-photo.org</a>    -o-    <a href="https://www.instagram.com/dberrange" rel="noreferrer" target="_blank">https://www.instagram.com/dberrange</a> :|<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><p style="color:rgb(136,136,136);font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase">ALES MUSIL</p><font color="#888888"><span style="font-size:10px;text-transform:uppercase">Associate Software Engineer - rhv network</span></font><br><p style="margin:0px;font-size:10px;color:rgb(153,153,153)"><a href="https://www.redhat.com/" style="color:rgb(0,136,206);margin:0px;font-family:overpass,sans-serif" target="_blank">Red Hat EMEA</a></p><p style="margin:0px;font-size:10px;color:rgb(153,153,153)"><br></p><p style="margin:0px 0px 6px;font-size:10px;color:rgb(153,153,153)"><span style="margin:0px;padding:0px"><a href="mailto:amusil@redhat.com" style="color:rgb(0,136,206);margin:0px;font-family:overpass,sans-serif" target="_blank">amusil@redhat.com</a> </span>  IM: amusil</p><table border="0" style="color:rgb(136,136,136);font-size:12.8px"><tbody><tr><td width="100px"><a href="https://red.ht/sig" style="color:rgb(17,85,204)" target="_blank"><img src="https://www.redhat.com/files/brand/email/sig-redhat.png" width="90" height="auto"></a></td></tr></tbody></table></div></div></div></div></div></div></div></div></div>
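<p>The filter above only does what the thread wants if two things hold: the VM's interface actually supplies values for $GATEWAY_MAC and $GATEWAY_MAC_MASK through the domain's filterref parameters, and the chain ends in a default deny (here no-other-l2-traffic), otherwise the two accept rules add traffic rather than restrict it. The script below is an added example, not code from the mailing-list post or from libvirt: it parses a copy of the posted filter (comments dropped) together with a constructed interface definition and reports missing parameters, malformed MAC values, or a missing default deny. The interface XML, the MAC values, and the function names are assumptions; the $NAME variable and &lt;parameter name= value=&gt; binding are libvirt's documented nwfilter mechanism.</p>

```python
"""Check a libvirt nwfilter against the interface binding that supplies
its variables.

Added example; not part of the mailing-list thread or of libvirt.
Assumptions (labelled): FILTER_XML is a copy of the filter posted in the
thread with comments removed, INTERFACE_XML and the MAC values are
constructed sample data, and '$NAME' / <parameter> is libvirt's documented
way of passing values into a filter.
"""
import re
import xml.etree.ElementTree as ET

# Copy of the filter posted in the thread (comments removed).
FILTER_XML = """\
<filter name='clean-traffic-gateway'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>
"""

# Constructed sample: the <interface> element of a domain definition that
# binds the filter and supplies values for its variables.
INTERFACE_XML = """\
<interface type='bridge'>
  <mac address='52:54:00:aa:bb:cc'/>
  <source bridge='br0'/>
  <filterref filter='clean-traffic-gateway'>
    <parameter name='GATEWAY_MAC' value='52:54:00:11:22:33'/>
    <parameter name='GATEWAY_MAC_MASK' value='ff:ff:ff:ff:ff:ff'/>
  </filterref>
</interface>
"""

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


def referenced_variables(filter_xml):
    """Return the set of $VARIABLE names used in any attribute of the filter."""
    root = ET.fromstring(filter_xml)
    found = set()
    for elem in root.iter():
        for value in elem.attrib.values():
            found.update(VAR_RE.findall(value))
    return found


def bound_parameters(interface_xml, filter_name):
    """Return the name->value parameters the interface passes to filter_name."""
    root = ET.fromstring(interface_xml)
    for ref in root.iter("filterref"):
        if ref.get("filter") == filter_name:
            return {p.get("name"): p.get("value") for p in ref.findall("parameter")}
    return {}


def has_default_deny(filter_xml):
    """True if unmatched L2 traffic falls through to a drop."""
    root = ET.fromstring(filter_xml)
    if any(r.get("filter") == "no-other-l2-traffic" for r in root.findall("filterref")):
        return True
    # A drop rule with no match children catches everything that reaches it.
    return any(r.get("action") == "drop" and len(list(r)) == 0 for r in root.findall("rule"))


def check_binding(filter_xml, interface_xml):
    """Return a list of problems; an empty list means the binding is sound."""
    name = ET.fromstring(filter_xml).get("name")
    params = bound_parameters(interface_xml, name)
    problems = []
    for var in sorted(referenced_variables(filter_xml)):
        if var not in params:
            problems.append(f"variable ${var} has no parameter on the interface")
        elif var.endswith(("MAC", "MAC_MASK")) and not MAC_RE.match(params[var]):
            problems.append(f"parameter {var}={params[var]!r} is not a MAC")
    if not has_default_deny(filter_xml):
        problems.append("filter has no default deny (no-other-l2-traffic or empty drop rule)")
    return problems


if __name__ == "__main__":
    for line in check_binding(FILTER_XML, INTERFACE_XML) or ["binding looks sound"]:
        print(line)
```

<p>Run it against the XML you are about to pass to virsh nwfilter-define and virsh define; the same checks apply to any filter that uses variables, not just this one. The MAC-format test is only applied to variables whose names end in MAC or MAC_MASK, since the filter language also accepts IP and port variables.</p>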