[libvirt-users] macvtap direct and ip spoofing

vlad halilov vlad.halilov at gmail.com
Tue Nov 19 09:00:04 UTC 2013


Hi there. I have configured a kvm domain (rhel6.4) with ethernet bridged over
macvtap, and found no filtration applied except mac. 'virsh' just silently
ignores the attributes 'filterref' and 'ip address' in different formats. No
error at the validate stage. Config examples:

...
    <interface type='direct'>
      <mac address='52:54:00:31:ae:1a'/>
      <source dev='em1' mode='private'/>

      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.1.101.44'/>
      </filterref>

      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
...

or like these:

...
    <interface type='direct'>
      <mac address='52:54:00:31:ae:1a'/>
      <source dev='em1' mode='private'/>

      <ip address='10.1.101.44'/>
      <filterref filter='clean-traffic'/>

      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
...

With 'virsh create domain.xml', the vm is created, but dumpxml shows that the
filterref has disappeared.

I have not found any success stories with filtering rules and 'direct'
interface types. Is it supported with this type? Or maybe there are other
tricks to protect the network from vm spoofing with the direct type?



-
vlad f halilov
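An added example, not part of the original post: a small audit over domain XML that flags the situation described above, a 'direct' (macvtap) interface carrying a <filterref> or <ip> that libvirt will not enforce. nwfilter rules are installed on tap devices attached to a Linux bridge, which macvtap bypasses; the sample XML is constructed from the post's second snippet plus an assumed bridge interface for contrast.

```python
# Added example (not from the original post): flag <interface type='direct'>
# elements that carry <filterref> or <ip>. nwfilter rules are installed on tap
# devices attached to a Linux bridge, which macvtap bypasses, so a filterref on
# a direct interface does not take effect (the post saw it vanish in dumpxml).
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post's second snippet plus a bridge NIC.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>rhel64</name>
  <devices>
    <interface type='direct'>
      <mac address='52:54:00:31:ae:1a'/>
      <source dev='em1' mode='private'/>
      <ip address='10.1.101.44'/>
      <filterref filter='clean-traffic'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:31:ae:1b'/>
      <source bridge='br0'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.1.101.45'/>
      </filterref>
    </interface>
  </devices>
</domain>"""


def find_unfiltered_direct_interfaces(domain_xml):
    """Return a finding (mac, filter, ips) per direct NIC that asked for filtering."""
    root = ET.fromstring(domain_xml)
    findings = []
    for iface in root.iter("interface"):
        if iface.get("type") != "direct":
            continue  # bridge/network interfaces do get their nwfilter rules
        filterref = iface.find("filterref")
        # IPs the config tried to pin, whether via <ip> or the IP parameter
        ips = [ip.get("address") for ip in iface.findall("ip")]
        if filterref is not None:
            ips += [p.get("value") for p in filterref.findall("parameter")
                    if p.get("name") == "IP"]
        if filterref is None and not ips:
            continue  # no filtering requested, so nothing is silently lost
        mac = iface.find("mac")
        findings.append({
            "mac": mac.get("address") if mac is not None else None,
            "filter": filterref.get("filter") if filterref is not None else None,
            "ips": ips,
        })
    return findings
```

Running it against the output of `virsh dumpxml` before defining a domain shows which anti-spoofing intent would be dropped on direct interfaces.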