[libvirt] [PATCH] examples: Add clean-traffic-gateway into nwfilters

Ales Musil amusil at redhat.com
Thu Jul 12 06:07:55 UTC 2018


This filter should be used to limit traffic between VMs
based on their MAC addresses. The MAC address can be
set with the GATEWAY_MAC variable and the mask with the
GATEWAY_MAC_MASK variable.

Signed-off-by: Ales Musil <amusil at redhat.com>
---
 examples/xml/nwfilter/clean-traffic-gateway.xml | 36 +++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 examples/xml/nwfilter/clean-traffic-gateway.xml

diff --git a/examples/xml/nwfilter/clean-traffic-gateway.xml b/examples/xml/nwfilter/clean-traffic-gateway.xml
new file mode 100644
index 0000000..d1e7c81
--- /dev/null
+++ b/examples/xml/nwfilter/clean-traffic-gateway.xml
@@ -0,0 +1,36 @@
+<filter name='clean-traffic-gateway'>
+    <!-- An example of a traffic filter enforcing clean traffic
+            from a VM by
+              - preventing MAC spoofing -->
+    <filterref filter='no-mac-spoofing'/>
+
+    <!-- preventing IP spoofing on outgoing -->
+    <filterref filter='no-ip-spoofing'/>
+
+    <!-- preventing ARP spoofing/poisoning -->
+    <filterref filter='no-arp-spoofing'/>
+
+    <!-- accept all other incoming and outgoing ARP traffic -->
+    <rule action='accept' direction='inout' priority='-500'>
+        <mac protocolid='arp'/>
+    </rule>
+
+    <!-- accept traffic only from specified MAC address -->
+    <rule action='accept' direction='in'>
+        <mac match='yes' srcmacaddr='$GATEWAY_MAC'
+             srcmacmask='$GATEWAY_MAC_MASK'/>
+    </rule>
+
+    <!-- allow traffic only to specified MAC address -->
+    <rule action='accept' direction='out'>
+        <mac match='yes' dstmacaddr='$GATEWAY_MAC'
+             dstmacmask='$GATEWAY_MAC_MASK'/>
+    </rule>
+
+    <!-- preventing any other traffic than between specified MACs
+    and ARP -->
+    <filterref filter='no-other-l2-traffic'/>
+
+    <!-- allow qemu to send a self-announce upon migration end -->
+    <filterref filter='qemu-announce-self'/>
+</filter>
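Review bot: The header comment at the top of the filter does not say that `$GATEWAY_MAC` and `$GATEWAY_MAC_MASK` are mandatory inputs, nor that the mask decides how strict the two accept rules are; with a loose mask the rules labelled "only from/to specified MAC address" admit a whole range of source and destination MACs, so the "only" in those comments is not guaranteed by the rule itself. I would extend the opening comment with `<!-- requires $GATEWAY_MAC and $GATEWAY_MAC_MASK to be supplied via the domain's <filterref>; a mask of ff:ff:ff:ff:ff:ff limits traffic to exactly one MAC, any looser mask widens the accepted set -->`. It may also be worth stating that the restriction to the gateway is actually enforced by the later `no-other-l2-traffic` reference, which presumably carries the lower-priority drop rule, and that the two MAC rules rely on the default rule priority to sort before it — confirm against the referenced filter. As a style point, the continuation line of the comment before `no-other-l2-traffic` (`and ARP -->`) is not indented to match the other multi-line comments in the file.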
-- 
1.8.3.1



