[libvirt] Integrating MAC address based filtering into libvirt

Gerhard Stenzel gstenzel at linux.vnet.ibm.com
Wed Aug 19 12:54:48 UTC 2009


On Wed, 2009-08-19 at 13:35 +0100, Daniel P. Berrange wrote:
> On Wed, Aug 19, 2009 at 02:11:14PM +0200, Gerhard Stenzel wrote:
...
> I think this extra XML element is probably redundant - we should always do
> MAC filtering at all times, on all bridges. Not simply those used in a 
> virtual network, but also those connected to a real physical device too.
> 
I used the extra XML element as a means to switch filtering on and off,
I am not passionate about it.

> I could see having a QEMU driver level configuration option in
> /etc/libvirt/qemu.conf though, to turn filtering on/off for the
> host as a whole though.
> 
Fine with me, if that is the preferred way.

> > The current prototype implementation is based on the existing iptables
> > wrapper in libvirt. I basically cloned the iptables wrapper to an
> > ebtables wrapper and did some ebtables specific adjustments. There are
> > currently four occasions when the ebtables wrapper is called:
> > - when creating the network
> 
> What do you do to ebtables at this point ?  
> 
The "filter" element is evaluated at startup of libvirtd and a generic
ebtables rule is generated to drop all frames. This could be changed to
use the config option.

> > - when adding a guest to the network
> > - when removing a guest from the network
> 
> Isn't it sufficient to only use ebtables in these two places ?
> 
I think some generic settings should be done at libvirtd startup ... 

> > - when destroying the network (currently not implemented)
> 
... and some reasonable state should be restored at libvirtd shutdown,
but that might be unnecessary.

> 
> > These calls can be augmented to also do for example tagged vlan and
> > protocol filtering.
> 
> We probably also want to be able to do IP address filtering too.
> 
IP address filtering, VLAN tag filtering and similar are further down on my list.

> ie, if the guest XML has an <ip address> element inside the <interface>
> then we should add rules to ensure only IP traffic matching that 
> source/target address is allowed to pass out/in
> 
> 
> Daniel
-- 
Best regards, 

Gerhard Stenzel, 
-----------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Martin Jetter
Management: Erich Baier
Registered office: Böblingen
Commercial register: Amtsgericht Stuttgart, HRB 243294
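The four hook points discussed in the thread (libvirtd startup / network creation, guest added, guest removed, libvirtd shutdown / network destroyed) and Daniel's suggestion of deriving IP rules from an `<ip address>` element inside `<interface>` can be shown end to end as a rule generator. The following is an added illustration, not libvirt's prototype and not the ebtables wrapper it mentions: it reads the `<mac address>`, `<target dev>` and optional `<ip address>` of each guest interface out of domain XML and emits the ebtables invocations, as argv lists, that would enforce "only this MAC (and only this IP, in IPv4 and ARP) may leave this tap". The chain names (`libvirt-mac`, `libvirt-<tap>`), the sample domain XML and the policy of leaving frames towards the guest unrestricted are assumptions of this example. Nothing is executed, so the mapping can be inspected without root or ebtables installed.

```python
"""Added example, not libvirt code: derive ebtables MAC/IP filtering rules
for bridge ports from a guest's <interface> definitions."""
import re
import xml.etree.ElementTree as ET

PARENT_CHAIN = "libvirt-mac"   # assumed chain name owned by this example
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def _ebt(*args):
    """Build one ebtables invocation as an argv list (never executed here)."""
    return ["ebtables", "-t", "filter", *args]


def parse_interfaces(domain_xml):
    """One dict per <interface>: lower-cased MAC, tap device, optional IP."""
    root = ET.fromstring(domain_xml)
    ifaces = []
    for node in root.iter("interface"):
        mac_node = node.find("mac")
        mac = (mac_node.get("address", "") if mac_node is not None else "").lower()
        if not MAC_RE.match(mac):
            raise ValueError("interface without a valid <mac address>: %r" % mac)
        target = node.find("target")
        ip = node.find("ip")
        ifaces.append({
            "mac": mac,
            "dev": target.get("dev") if target is not None else None,
            "ip": ip.get("address") if ip is not None else None,
        })
    return ifaces


def startup_rules():
    """libvirtd start / network creation: one hook from FORWARD into a chain
    this code owns, so teardown never has to touch foreign rules."""
    return [_ebt("-N", PARENT_CHAIN),
            _ebt("-A", "FORWARD", "-j", PARENT_CHAIN)]


def add_guest_rules(iface):
    """Guest added: a per-tap chain that accepts frames carrying only the
    guest's own MAC (and, if declared, its own IP in IPv4 and ARP) and drops
    everything else entering the bridge from that tap."""
    dev, mac, ip = iface["dev"], iface["mac"], iface["ip"]
    if dev is None:
        raise ValueError("interface %s has no <target dev>" % mac)
    chain = "libvirt-" + dev
    rules = [
        _ebt("-N", chain),
        _ebt("-A", PARENT_CHAIN, "-i", dev, "-j", chain),
    ]
    if ip is None:
        # MAC-only filtering when the XML declares no IP address
        rules.append(_ebt("-A", chain, "-s", mac, "-j", "ACCEPT"))
    else:
        rules.append(_ebt("-A", chain, "-s", mac, "-p", "IPv4",
                          "--ip-src", ip, "-j", "ACCEPT"))
        # ARP sender fields must match too, or the guest could poison
        # neighbours' caches while keeping its Ethernet source honest
        rules.append(_ebt("-A", chain, "-s", mac, "-p", "ARP",
                          "--arp-mac-src", mac, "--arp-ip-src", ip,
                          "-j", "ACCEPT"))
    rules.append(_ebt("-A", chain, "-j", "DROP"))
    return rules


def remove_guest_rules(iface):
    """Guest removed: unhook, flush and delete its chain."""
    dev = iface["dev"]
    chain = "libvirt-" + dev
    return [_ebt("-D", PARENT_CHAIN, "-i", dev, "-j", chain),
            _ebt("-F", chain),
            _ebt("-X", chain)]


def shutdown_rules():
    """libvirtd shutdown / network destroyed: restore FORWARD to its prior state."""
    return [_ebt("-D", "FORWARD", "-j", PARENT_CHAIN),
            _ebt("-F", PARENT_CHAIN),
            _ebt("-X", PARENT_CHAIN)]


# Constructed sample domain XML for this example (not from a real guest).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest-example</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:AA:BB:CC'/>
      <source network='default'/>
      <target dev='vnet0'/>
      <ip address='192.168.122.10'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:dd:ee:ff'/>
      <source bridge='br0'/>
      <target dev='vnet1'/>
    </interface>
  </devices>
</domain>"""

if __name__ == "__main__":
    for cmd in startup_rules():
        print(" ".join(cmd))
    for iface in parse_interfaces(SAMPLE_DOMAIN_XML):
        for cmd in add_guest_rules(iface):
            print(" ".join(cmd))
```

Two caveats a practitioner would hit with these rules: a guest that obtains its address by DHCP sends its first packets with IP source 0.0.0.0, which the IPv4 rule above rejects, so a deployment would need an explicit allowance for that exchange; and because only frames entering the bridge from the tap are matched (`-i vnetN`), traffic towards the guest is left alone, which is what keeps return traffic from a physical uplink flowing.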
