[libvirt] Integrating MAC address based filtering into libvirt
Daniel P. Berrange
berrange at redhat.com
Wed Aug 19 12:35:24 UTC 2009
On Wed, Aug 19, 2009 at 02:11:14PM +0200, Gerhard Stenzel wrote:
> Hello,
> I am currently investigating the possibility to implement MAC address
> based filtering in libvirt and was wondering if there is any related
> effort going on and what people in general would think about that.
Great, we certainly need this feature
> and the network to which I added a new XML element "filter" with
> attribute "mac", which switches on the MAC address filtering:
>
> root at stenzel-desktop:/etc/libvirt/qemu# cat networks/mynet.xml
> <network>
> <name>mynet</name>
> <uuid>920debe0-c3ef-4395-8241-ee82d4b49c2d</uuid>
> <bridge name="br%d" stp="off"/>
> <filter mac="on"/>
> </network>
>
> the "filter" element is evaluated at startup of libvirtd and a generic
> ebtables rules is generated (all frames are dropped):
I think this extra XML element is probably redundant - we should always do
MAC filtering at all times, on all bridges. Not simply those used in a
virtual network, but also those connected to a real physical device too.
I could see having a QEMU driver level configuration option in
/etc/libvirt/qemu.conf though, to turn filtering on/off for the
host as a whole.
> The current prototype implementation is based on the existing iptables
> wrapper in libvirt. I basically cloned the iptables wrapper to an
> ebtables wrapper and did some ebtables specific adjustments. There are
> currently four occasions when the ebtables wrapper is called:
> - when creating the network
What do you do to ebtables at this point ?
> - when adding a guest to the network
> - when removing a guest from the network
Isn't it sufficient to only use ebtables in these two places ?
> - when destroying the network (currently not implemented)
> These calls can be augmented to also do for example tagged vlan and
> protocol filtering.
We probably also want to be able to do IP address filtering too.
i.e., if the guest XML has an <ip address> element inside the <interface>
then we should add rules to ensure only IP traffic matching that
source/target address is allowed to pass out/in
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
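The per-port ebtables rules sketched in this thread (accept the guest's own source MAC, optionally only with its configured IP address, drop everything else leaving that port), as an added example that is neither libvirt's code nor the prototype under discussion; the function names, the tap-device argument, the IPv4/ARP source matches and the sample MAC and IP values are assumptions of this example:

```shell
#!/bin/sh
# Added example, not libvirt's code: emit the ebtables rules for one guest port.
# Rules are printed, not applied; point EBTABLES at the real binary to run them.
EBTABLES="${EBTABLES:-ebtables}"

# Check that a MAC is six colon-separated hex octets before it reaches a rule.
valid_mac() {
    h='[0-9a-fA-F]'
    case "$1" in
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rules for one guest: $1 is A (guest added to the network) or
# D (guest removed), $2 the bridge port (tap device), $3 the guest MAC and
# optional $4 the address from the guest's <ip address> element.
guest_rules() {
    op="$1"; port="$2"; mac="$3"; ip="$4"
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    if [ -n "$ip" ]; then
        # With an address configured, only IPv4 and ARP frames carrying that
        # source address (and the guest's MAC) may leave the port.
        echo "$EBTABLES -$op FORWARD -i $port -s $mac -p IPv4 --ip-src $ip -j ACCEPT"
        echo "$EBTABLES -$op FORWARD -i $port -s $mac -p ARP --arp-ip-src $ip -j ACCEPT"
    else
        # MAC-only filtering: any frame with the guest's own source MAC passes.
        echo "$EBTABLES -$op FORWARD -i $port -s $mac -j ACCEPT"
    fi
    # Frames entering the bridge from this port with any other source MAC
    # (a spoofed address) are dropped.
    echo "$EBTABLES -$op FORWARD -i $port -j DROP"
}
```

Only the direction out of the guest port is covered here; frames delivered into the port are left to the bridge's normal forwarding.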