[libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs

Stefan Berger stefanb at us.ibm.com
Mon Jan 11 17:55:27 UTC 2010


The following is a proposal to introduce network traffic filtering 
capabilities for the network traffic originating from and destined to 
virtual machines. Libvirt's capabilities will be extended to allow users 
to describe what traffic filtering rules are to be applied on a virtual 
machine (using XML) and libvirt then creates the appropriate ebtables and 
iptables rules and applies those on the host when the virtual machine 
starts up, resumes after suspension or resumes on a new host after 
migration. libvirt tears down the traffic filtering rules when the virtual 
machine shuts down, suspends, or a VM is migrated to another host. It will 
also be possible to modify the filtering rules while a virtual machine is 
running. In this architecture we apply the firewall rules on the outside 
of the virtual machines on the Linux host and make use of the fact that 
virtual machines can be configured by libvirt to have their network 
traffic pass through the host and the host exposes (tap) 'backend' 
interfaces on which the firewall rules can be applied. The application of 
the firewall rules is optional and those who do not want to introduce a 
raw network throughput performance hit on their system due to the 
evaluation of every packet passing through the filtering chains, do not 
have to use these capabilities. An initial implementation would be done 
for libvirt's Qemu support.

As stated above, the application of firewall rules on virtual machines 
will require some form of XML description that lets the user choose what 
type of filtering is to be performed. In effect the user needs to be able 
to tell libvirt which ebtables and iptables rules to generate so that the 
appropriate filtering can be done. We realize that  ebtables and iptables 
have lots of capabilities but think that we need to restrict which 
capabilities can actually be 'reached' through this XML.

The following proposal is based on an XML as defined by the DMTF (
http://www.dmtf.org/standards/cim/cim_schema_v2230/CIM_Network.pdf, slide 
10) with extensions for processing of ARP packets.It gives control over 
the evaluation of Ethernet (MAC) frames, ARP packet data and IP header 
information. A (draft) XML skeleton in this case could look as follows:

        <Action>DROP|ACCEPT</Action>   <!-- from FilterEntry --> 

        <TrafficType>incoming [to VM]|outgoing [from VM]</TrafficType> 

                <HdrSrcMACAddr8021>   </HdrSrcMACAddr8021> 
                <HdrSrcMACMask8021>   </HdrSrcMACMask8021> 
                <HdrDestMACAddr8021>  </HdrDestMACAddr8021> 
                <HdrDestMACMask8021>  </HdrDestMACMask8021> 
                <HdrProtocolID8021> numeric and/or string? 
                <HdrVLANID8021>       </HdrVLANID8021> 

                <HWType>       </HWType> 
                <ProtocolType> </ProtocolType> 
                <OPCode>       </OPCode> 
                <SrcMACAddr>   </SrcMACAddr> 
                <SrcIPAddr>    </SrcIPAddr> 
                <DestMACAddr>  </DestMACAddr> 
                <DestIPAddr>   </DestIPAddr> 

                <HdrIPVersion>     </HdrIPVersion> 
                <HdrSrcAddress>    </HdrSrcAddress> 
                <HdrSrcMask>       </HdrSrcMask> 
                <HdrDestAddress>   </HdrDestAddress> 
                <HdrDestMask>      </HdrDestMask> 
                <HdrProtocolID>  numeric and/or string?  </HdrProtocolID> 
                <HdrSrcPortStart>  </HdrSrcPortStart> 
                <HdrSrcPortEnd>    </HdrSrcPortEnd> 
                <HdrDestPortStart> </HdrDestPortStart> 
                <HdrDestPortEnd>   </HdrDestPortEnd> 
                <HdrDSCP>          </HdrDSCP> 


Since the ebtables and iptables command cannot accept all possible 
parameters at the same time, only a certain subset of the above parameters 
may be set for any given filter command. Higher level application writers 
will likely use a library that lets them choose which features they would 
want to have enforced, such as no-broadcast or no-multicast, enforcement 
of MAC spoofing prevention or ARP poisoning prevention, which then 
generates this lower level XML rules in the appropriate order of the 

Further, we will introduce filter pools where a collection of the above 
filter rules can be stored and referenced to by virtual machines' 
individual interface. A reference to such a filter pool entry will be 
given in the interface description and may look as in the following draft 

<interface type='bridge'>
   <source bridge='virbr0'/>
   <script path='vif-bridge'/> 
        <reference profile='generic-layer2' ip_address=''/> 
        <reference profile='VM-specific-layer3'/> 

The above XML has one reference to a generic layer2 filter template XML 
that should be usable by multiple virtual machines but would need to be 
customized with interface-specific parameters. In this case, the IP 
address of the interface is explicitly provided in order to make the 
filter XML template a concrete XML for the particular interface. The MAC 
address of the interface is not explicitly provided since it will already 
have been randomly generated by libvirt at the point when this layer2 
filter XML needs to be converted into concrete ebtables commands/rules. We 
still need to determine how the format of a template should look like, 
though an idea would be to indicate a placeholder for a VM's MAC address 
using THIS_MAC and similarly for the IP address with THIS_IP as 

Further, we would introduce the management of filter 'pools'. Considering 
existing functionality in libvirt and CLI commands for similar type of 
management functionality, the following CLI commands would be added:

virsh nwfilter-create <file> 
virsh nwfilter-destroy <profile name> 
virsh nwfilter-list <options> 
virsh nwfilter-dumpxml <profile name> 
virsh nwfilter-update <filename>      (performs an update on an existing 
profile replacing all rules) 

possibly also: 

virsh nwfilter-edit <profile name> 
virsh nwfilter-create-from <profile name> 

Please let us know what you think of this proposal. 

   Stefan, Gerhard and Vivek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20100111/7bcef216/attachment-0001.htm>

More information about the libvir-list mailing list