[libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs
Daniel P. Berrange
berrange at redhat.com
Mon Mar 1 16:15:56 UTC 2010
On Mon, Feb 22, 2010 at 01:45:20PM +0100, Gerhard Stenzel wrote:
>
> Hi, here is a preview of a chapter which is eventually intended for the
> libvirt application development guide. It is not final yet, but I feel
> now would be a good moment to gather some first feedback and to
> "finalise" the XML schema which is used in the examples.
Thanks, this is a good idea !
>
> ------------------------------------------------------------------------
>
> 1. Network Filter
>
> 1.1. Overview
>
> 1.2. XML Filter Description Format
>
> 1.2.1. Complex Filter
>
> 1.2.2. Simple Filters
>
> 1.3. Retrieving Information About Filter
>
> 1.3.1. TBD
>
>
> Chapter 1. Network Filter
> ---------------------------
>
> 1.1. Overview
>
> 1.2. XML Filter Description Format
>
> 1.2.1. Complex Filter
>
> 1.2.2. Simple Filters
>
> 1.3. Retrieving Information About Filter
>
> 1.3.1. TBD
>
> This section covers the management and definition of network filters
> using the libvirt API.
>
>
>
>
> 1.2.2. Simple Filters
>
> The following examples of simple filters are predefined and address
> distinct filter requirements. The predefined no-arp-spoofing filter drops
> all ARP packets
>
> * originating from the guest if they contain other than the guest's IP
> or MAC address
>
> * destined for the guest if they contain other than the guest's IP or
> MAC address
>
> It accepts all request or reply ARP packets.
>
> <filter name='no-arp-spoofing' chain='arp'>
Perhaps we should call that 'chain' attribute 'protocol' instead since
that appears to be what you're representing there. I'm wondering how
this should interact with the <filterref> element. eg, you might have
chain='ipv4' on the main filter, and then a <filterref> pointing to
a chain='arp'. One way would be to declare that a <filter> can contain
either <rule> or <filterref>, but not a mixture of both.
> <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
>
> <!-- no arp spoofing -->
> <!-- drop if ipaddr or macaddr does not belong to guest -->
> <rule action='drop' direction='out'>
> <arp match='no' srcmacaddr='$MAC'/>
> </rule>
> <rule action='drop' direction='out'>
> <arp match='no' srcipaddr='$IP' />
> </rule>
> <!-- drop if ipaddr or macaddr does not belong to guest -->
> <rule action='drop' direction='in'>
> <arp match='no' dstmacaddr='$MAC'/>
> </rule>
> <rule action='drop' direction='in'>
> <arp match='no' dstipaddr='$IP' />
> </rule>
> <!-- accept only request or reply packets -->
> <rule action='accept' direction='inout'>
> <arp opcode='request'/>
> </rule>
> <rule action='accept' direction='inout'>
> <arp opcode='reply'/>
> </rule>
> <!-- drop everything else -->
> <rule action='drop' direction='inout'/>
> </filter>
Generally, your proposal looks good to me.
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
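Added example (not part of the RFC, the reply, or libvirt's own code): a small Python evaluator for the proposed XML format that loads the no-arp-spoofing filter quoted above, resolves the $MAC/$IP placeholders from a constructed guest definition, and returns the verdict for constructed ARP packets, so the drop/accept behaviour described in the chapter can be checked rule by rule. It also enforces the structural constraint the reply floats (a <filter> holds either <rule> or <filterref> children, not both). Assumptions, which the RFC does not state: rules are tried in document order and the first match wins, a packet matched by no rule is accepted, the `chain` attribute names the protocol element every condition must use, and the `is_valid_filter`, `load_filter`, `evaluate` and `arp` helpers are hypothetical names chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed example input: the no-arp-spoofing filter from the RFC with the
# same rules in the same order (whitespace changed).  Not read from a libvirt host.
NO_ARP_SPOOFING_XML = """\
<filter name='no-arp-spoofing' chain='arp'>
  <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
  <rule action='drop' direction='out'><arp match='no' srcmacaddr='$MAC'/></rule>
  <rule action='drop' direction='out'><arp match='no' srcipaddr='$IP'/></rule>
  <rule action='drop' direction='in'><arp match='no' dstmacaddr='$MAC'/></rule>
  <rule action='drop' direction='in'><arp match='no' dstipaddr='$IP'/></rule>
  <rule action='accept' direction='inout'><arp opcode='request'/></rule>
  <rule action='accept' direction='inout'><arp opcode='reply'/></rule>
  <rule action='drop' direction='inout'/>
</filter>
"""

# Constructed: a filter mixing <rule> and <filterref>, the combination the
# reply proposes to forbid.
MIXED_XML = """\
<filter name='mixed' chain='ipv4'>
  <filterref filter='no-arp-spoofing'/>
  <rule action='drop' direction='inout'/>
</filter>
"""

# Constructed guest interface; $MAC and $IP in the rules resolve to these.
GUEST = {'MAC': '52:54:00:12:34:56', 'IP': '192.168.122.10'}


class FilterError(ValueError):
    pass


def load_filter(xml_text):
    """Parse one <filter> and apply structural checks.  The no-mixing rule is the
    reply's proposal, not the RFC schema; requiring every condition's tag to equal
    the filter's 'chain' is an assumption (chain read as "protocol")."""
    elem = ET.fromstring(xml_text)
    if elem.tag != 'filter':
        raise FilterError('root element must be <filter>')
    if elem.find('rule') is not None and elem.find('filterref') is not None:
        raise FilterError("filter %r mixes <rule> and <filterref>" % elem.get('name'))
    chain = elem.get('chain')
    for rule in elem.findall('rule'):
        if rule.get('action') not in ('accept', 'drop'):
            raise FilterError('bad action %r' % rule.get('action'))
        if rule.get('direction') not in ('in', 'out', 'inout'):
            raise FilterError('bad direction %r' % rule.get('direction'))
        for cond in rule:
            if cond.tag != chain:
                raise FilterError("<%s> condition in chain %r" % (cond.tag, chain))
    return elem


def is_valid_filter(xml_text):
    """True if load_filter accepts the document, False otherwise."""
    try:
        load_filter(xml_text)
        return True
    except (FilterError, ET.ParseError):
        return False


def _resolve(value, guest):
    # $MAC / $IP are placeholders filled from the guest's interface definition.
    return guest[value[1:]] if value.startswith('$') else value


def _condition_matches(cond, packet, guest):
    """All listed attributes must equal the packet's fields (AND); match='no'
    inverts the outcome, so <arp match='no' srcipaddr='$IP'/> is true exactly
    when the source IP is NOT the guest's."""
    if cond.tag != packet['protocol']:
        return False
    negate = cond.get('match', 'yes') == 'no'
    for attr, want in cond.attrib.items():
        if attr != 'match' and packet.get(attr) != _resolve(want, guest):
            return negate
    return not negate


def evaluate(filter_elem, packet, guest=GUEST, default='accept'):
    """Verdict for one packet: rules are tried in document order and the first
    match wins (assumed semantics); `default` applies when none matches."""
    for rule in filter_elem.findall('rule'):
        direction = rule.get('direction')
        if direction != 'inout' and direction != packet['direction']:
            continue
        conds = list(rule)
        if conds and not all(_condition_matches(c, packet, guest) for c in conds):
            continue
        return rule.get('action')  # a rule with no condition matches everything
    return default


def arp(direction, opcode, srcmac, srcip, dstmac, dstip):
    """Constructed ARP packet summary holding only the fields the rules inspect."""
    return {'protocol': 'arp', 'direction': direction, 'opcode': opcode,
            'srcmacaddr': srcmac, 'srcipaddr': srcip,
            'dstmacaddr': dstmac, 'dstipaddr': dstip}


if __name__ == '__main__':
    f = load_filter(NO_ARP_SPOOFING_XML)
    ok = arp('out', 'request', GUEST['MAC'], GUEST['IP'], 'ff:ff:ff:ff:ff:ff', '192.168.122.1')
    spoof = arp('out', 'reply', GUEST['MAC'], '192.168.122.1', '52:54:00:aa:bb:cc', '192.168.122.20')
    print('legitimate request:', evaluate(f, ok))
    print('gateway IP claimed by guest:', evaluate(f, spoof))
    print('mixed filter accepted:', is_valid_filter(MIXED_XML))
```

Running it shows the two drop rules for each direction doing the work the chapter describes: a guest replying with the gateway's IP is dropped at the second rule before the opcode rules are reached, while a request carrying the guest's own addresses falls through to the accept rule for opcode 'request'. Anything with an opcode other than request or reply reaches the unconditional final rule and is dropped.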