[libvirt] Integrating MAC address based filtering into libvirt
Gerhard Stenzel
gstenzel at linux.vnet.ibm.com
Wed Aug 19 12:54:48 UTC 2009
On Wed, 2009-08-19 at 13:35 +0100, Daniel P. Berrange wrote:
> On Wed, Aug 19, 2009 at 02:11:14PM +0200, Gerhard Stenzel wrote:
...
> I think this extra XML element is probably redundant - we should always do
> MAC filtering at all times, on all bridges. Not simply those used in a
> virtual network, but also those connected to a real physical device too.
>
I used the extra XML element as a means to switch filtering on and off;
I am not passionate about it.
> I could see having a QEMU driver level configuration option in
> /etc/libvirt/qemu.conf though, to turn filtering on/off for the
> host as a whole though.
>
Fine with me, if that is the preferred way.
> > The current prototype implementation is based on the existing iptables
> > wrapper in libvirt. I basically cloned the iptables wrapper to an
> > ebtables wrapper and did some ebtables specific adjustments. There are
> > currently four occasions when the ebtables wrapper is called:
> > - when creating the network
>
> What do you do to ebtables at this point ?
>
The "filter" element is evaluated at startup of libvirtd and a generic
ebtables rule is generated to drop all frames. This could be changed to
use the config option.
> > - when adding a guest to the network
> > - when removing a guest from the network
>
> Isn't it sufficient to only use ebtables in these two places ?
>
I think some generic settings should be done at libvirtd startup ...
> > - when destroying the network (currently not implemented)
>
... and some reasonable state should be restored at libvirtd shutdown,
but that might be unnecessary.
>
> > These calls can be augmented to also do for example tagged vlan and
> > protocol filtering.
>
> We probably also want to be able to do IP address filtering too.
>
IP address filtering, VLAN tag filtering and similar are further down on my list.
> ie, if the guest XML has an <ip address> element inside the <interface>
> then we should add rules to ensure only IP traffic matching that
> source/target address is allowed to pass out/in
>
>
> Daniel
--
Best regards,
Gerhard Stenzel,
-----------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Martin Jetter
Management: Erich Baier
Registered office: Böblingen
Registration court: Amtsgericht Stuttgart, HRB 243294
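An added example (not libvirt's ebtables wrapper and not code from this thread) of what the per-guest rules discussed above could look like: a POSIX shell script that emits, rather than runs, the ebtables commands that pin a guest's tap device to the MAC address declared in its XML, for the "guest added" and "guest removed" cases. The tap name vnet0, the MAC 52:54:00:12:34:56 and the EBTABLES variable are constructed assumptions.

```shell
#!/bin/sh
# Added example, not libvirt's ebtables wrapper: emit the ebtables commands
# that pin a guest's tap device to the MAC address declared in its XML.
# Commands are printed, not run, so they can be reviewed or piped to sh.

EBTABLES=${EBTABLES:-ebtables}   # path to the ebtables binary (assumption)

# Accept only a canonical MAC (six colon-separated hex octets).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Rules for one guest: frames entering the bridge from the tap device pass
# only if their source MAC matches; everything else from that tap is dropped,
# so a guest cannot spoof another MAC. INPUT covers frames addressed to the
# host itself, FORWARD covers frames bridged onward to other ports.
# $1 = action (-A to add, -D to delete), $2 = tap device, $3 = guest MAC.
guest_rules() {
    action=$1; tap=$2; mac=$3
    valid_mac "$mac" || { printf 'bad MAC: %s\n' "$mac" >&2; return 1; }
    for chain in INPUT FORWARD; do
        printf '%s -t filter %s %s -i %s -s %s -j ACCEPT\n' \
            "$EBTABLES" "$action" "$chain" "$tap" "$mac"
        printf '%s -t filter %s %s -i %s -j DROP\n' \
            "$EBTABLES" "$action" "$chain" "$tap"
    done
}

# Called when a guest is added to the network.
guest_add_rules() { guest_rules -A "$1" "$2"; }
# Called when a guest is removed: the same rules, deleted with -D.
guest_del_rules() { guest_rules -D "$1" "$2"; }

# Constructed sample: tap vnet0 with MAC 52:54:00:12:34:56 (assumed values).
if [ "${1:-}" = "demo" ]; then
    guest_add_rules vnet0 52:54:00:12:34:56
fi
```

Run with `sh script.sh demo | sh` to apply the printed rules; pipe `guest_del_rules` the same way to remove them.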