[libvirt-users] macvtap direct and ip spoofing

Laine Stump laine at laine.org
Tue Nov 19 10:21:17 UTC 2013


On 11/19/2013 11:00 AM, vlad halilov wrote:
> Hi there. I have configured a kvm domain (rhel6.4) with ethernet bridged
> over macvtap, and found no filtration applied except mac. 'virsh' just
> silently ignores the attributes 'filterref' and 'ip address' in different
> formats. No error at the validate stage. Config examples:
>
> ...
>     <interface type='direct'>
>       <mac address='52:54:00:31:ae:1a'/>
>       <source dev='em1' mode='private'/>
>
>       <filterref filter='clean-traffic'>
>         <parameter name='IP' value='10.1.101.44'/>
>       </filterref>
>
>       <model type='virtio'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
> function='0x0'/>
>     </interface>
> ...
>
> or like these:
>
> ...
>     <interface type='direct'>
>       <mac address='52:54:00:31:ae:1a'/>
>       <source dev='em1' mode='private'/>
>       <ip address='10.1.101.44'/>
>       <filterref filter='clean-traffic'/>
>       <model type='virtio'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
> function='0x0'/>
>     </interface>
> ...
>
> With 'virsh create domain.xml', the vm is created, but dumpxml shows that
> the filterref has disappeared.
> I have not found any success stories with filtering rules and 'direct' interface types.
> Is it supported with this type? Or maybe other tricks to protect the network from vm spoofing
> with the direct type?
>

The kernel macvtap packet processing bypasses both iptables and
ebtables, so libvirt's filters are ineffective for guest interfaces
using a macvtap connection.
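A config audit that follows from the reply above, added here as an example and not part of the thread: it parses libvirt domain XML and flags every `<interface type='direct'>` that carries a `<filterref>` or `<ip>` child, since neither is enforced on macvtap. The sample XML is constructed from the poster's definitions; the second interface's MAC/IP and the `br0` bridge are made-up values.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two 'direct' interfaces from the thread plus a
# bridge-type interface, whose filterref nwfilter does honour, for contrast.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <interface type='direct'>
      <mac address='52:54:00:31:ae:1a'/>
      <source dev='em1' mode='private'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.1.101.44'/>
      </filterref>
    </interface>
    <interface type='direct'>
      <mac address='52:54:00:31:ae:1b'/>
      <source dev='em1' mode='private'/>
      <ip address='10.1.101.45'/>
      <filterref filter='clean-traffic'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:31:ae:1c'/>
      <source bridge='br0'/>
      <filterref filter='clean-traffic'/>
    </interface>
  </devices>
</domain>
"""

def find_unfiltered_macvtap(domain_xml: str) -> list:
    """Flag each <interface type='direct'> (macvtap) carrying <filterref> or
    <ip>: macvtap bypasses iptables/ebtables, so nwfilter cannot enforce them."""
    root = ET.fromstring(domain_xml)
    findings = []
    for iface in root.iterfind("./devices/interface[@type='direct']"):
        filterref, ip = iface.find("filterref"), iface.find("ip")
        if filterref is None and ip is None:
            continue  # plain macvtap with no (unenforceable) policy attached
        mac, src = iface.find("mac"), iface.find("source")
        findings.append({
            "mac": mac.get("address") if mac is not None else None,
            "dev": src.get("dev") if src is not None else None,
            "filter": filterref.get("filter") if filterref is not None else None,
            "ip": ip.get("address") if ip is not None else None,
        })
    return findings

if __name__ == "__main__":
    for f in find_unfiltered_macvtap(SAMPLE_DOMAIN_XML):
        print("WARNING: filter/ip declared but not enforced on macvtap:", f)
```

Run it against `virsh dumpxml <domain>` output to catch interfaces whose anti-spoofing policy exists only on paper.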
