[libvirt] Integrating MAC address based filtering into libvirt

Daniel P. Berrange berrange at redhat.com
Wed Aug 19 12:35:24 UTC 2009


On Wed, Aug 19, 2009 at 02:11:14PM +0200, Gerhard Stenzel wrote:
> Hello,
> I am currently investigating the possibility to implement MAC address
> based filtering in libvirt and was wondering if there is any related
> effort going on and what people in general would think about that.

Great, we certainly need this feature

> and the network to which I added a new XML element "filter" with
> attribute "mac", which switches on the MAC address filtering:
> 
> root@stenzel-desktop:/etc/libvirt/qemu# cat networks/mynet.xml
> <network>
>   <name>mynet</name>
>   <uuid>920debe0-c3ef-4395-8241-ee82d4b49c2d</uuid>
>   <bridge name="br%d" stp="off"/>
>   <filter mac="on"/>
> </network>
> 
> the "filter" element is evaluated at startup of libvirtd and a generic
> ebtables rule is generated (all frames are dropped):

I think this extra XML element is probably redundant - we should always do
MAC filtering at all times, on all bridges. Not simply those used in a 
virtual network, but also those connected to a real physical device too.

I could see having a QEMU driver level configuration option in
/etc/libvirt/qemu.conf though, to turn filtering on/off for the
host as a whole though.

> The current prototype implementation is based on the existing iptables
> wrapper in libvirt. I basically cloned the iptables wrapper to an
> ebtables wrapper and did some ebtables specific adjustments. There are
> currently four occasions when the ebtables wrapper is called:
> - when creating the network

What do you do to ebtables at this point?

> - when adding a guest to the network
> - when removing a guest from the network

Isn't it sufficient to only use ebtables in these two places?

> - when destroying the network (currently not implemented)


> These calls can be augmented to also do for example tagged vlan and
> protocol filtering.

We probably also want to be able to do IP address filtering too.

i.e., if the guest XML has an <ip address> element inside the <interface>
then we should add rules to ensure only IP traffic matching that
source/target address is allowed to pass out/in.


Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
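
Added example, not part of the original message and not libvirt's code: a dry-run sketch of the per-guest rules discussed above, appended when a guest is added and deleted with the same rule text when it is removed, with an optional source-IP restriction on outbound traffic only. The tap name, the sample MAC/IP and the use of the filter table's INPUT and FORWARD chains are assumptions; the script only prints ebtables commands and never runs them.

```shell
#!/bin/sh
# Added example: print, never execute, the ebtables rules for one guest NIC.
# Assumptions: tap name "vnet0", the sample MAC/IP, filter-table chains.

# Values come from guest XML and end up in a root-run command line, so each
# is checked against a strict character set and shape before use.
valid_ifname() {
    case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}
valid_mac() {
    case $1 in *[!0-9A-Fa-f:]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}
valid_ipv4() {
    case $1 in *[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# guest_rules OP IFNAME MAC [IP]
#   OP is -A when the guest is added, -D when it is removed; -D with the
#   same rule text deletes exactly what -A appended.
guest_rules() {
    op=$1 ifname=$2 mac=$3 ip=${4:-}
    case $op in -A|-D) ;; *) return 2 ;; esac
    valid_ifname "$ifname" || return 2
    valid_mac "$mac" || return 2
    if [ -n "$ip" ]; then valid_ipv4 "$ip" || return 2; fi
    # INPUT covers frames addressed to the host, FORWARD frames bridged onward.
    for chain in INPUT FORWARD; do
        base="ebtables -t filter $op $chain -i $ifname"
        if [ -n "$ip" ]; then
            echo "$base -s $mac -p IPv4 --ip-src $ip -j ACCEPT"
            echo "$base -s $mac -p ARP --arp-ip-src $ip -j ACCEPT"
        else
            echo "$base -s $mac -j ACCEPT"
        fi
        # Anything else arriving from this tap is spoofed or unexpected.
        echo "$base -j DROP"
    done
}

# Constructed sample values.
guest_rules -A vnet0 52:54:00:12:34:56 192.168.122.10
guest_rules -D vnet0 52:54:00:12:34:56 192.168.122.10
```

Because the ACCEPT rules are appended before the per-tap DROP, rule order matters: inserting the DROP first would cut the guest off entirely.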



