[libvirt-users] East-west traffic network filter

Ales Musil amusil at redhat.com
Mon Jul 2 09:05:48 UTC 2018


On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago at gmail.com>
wrote:

> Hi Ales,
>
> I would like to prevent the guests from different subnets from starting a
> communication. In other words, I have the subnets 192.168.1.0/24 and
> 192.168.2.0/24, and the guests from 192.168.1.0/24 cannot reach/talk with
> guests on 192.168.2.0/24 on the same host. Is this possible using a
> filter like yours?
>
>
Hi Thiago,

so by definition guests from different subnets cannot talk to each other
directly unless they are connected via some router. That means you don't
need any filter for that. If there is a router between the networks and it
is needed for some cases, then you could change the filter I have posted to
use an IP restriction instead of the MAC one, e.g. [2]. I have not tested it
myself but it should work fine.

Hopefully this helps.

Regards,
Ales.

[2]
<filter name='clean-traffic-ip-gateway'>
  <!-- An example of a traffic filter enforcing clean traffic
       from a VM by
       - preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>

  <!-- preventing IP spoofing on outgoing -->
  <filterref filter='no-ip-spoofing'/>
  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>
  <!-- accept all other incoming and outgoing ARP traffic -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <!-- accept traffic only from the specified IP range
       (this must be an 'accept' rule: with 'drop' here, the
        no-other-l2-traffic filter below would leave nothing but ARP) -->
  <rule action='accept' direction='in'>
    <ip match='yes' srcipaddr='$GATEWAY_IP' srcipmask='$GATEWAY_IP_MASK'/>
  </rule>
  <!-- allow traffic only to the specified IP range -->
  <rule action='accept' direction='out'>
    <ip match='yes' dstipaddr='$GATEWAY_IP' dstipmask='$GATEWAY_IP_MASK'/>
  </rule>
  <!-- drop any other traffic than between the specified IPs and ARP -->
  <filterref filter='no-other-l2-traffic'/>

  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>

> Thank you.
>
> Thiago.
>
> Em qui, 28 de jun de 2018 às 09:37, Ales Musil <amusil at redhat.com>
> escreveu:
>
>> Hello,
>>
>> I would like to make a filter that allows communication only between
>> specified VMs. Those VMs should be specified by their MAC address. The
>> filter should extend clean-traffic, but I was not able to get it working
>> with that reference. I have come up with a modified clean-traffic which works
>> fine [1]. Is there a way to achieve the same behavior with a reference to
>> clean-traffic?
>>
>> Thank you.
>> Best wishes,
>> Ales Musil
>>
>> [1]
>> <filter name='clean-traffic-gateway'>
>>   <!-- An example of a traffic filter enforcing clean traffic
>>        from a VM by
>>        - preventing MAC spoofing -->
>>   <filterref filter='no-mac-spoofing'/>
>>
>>   <!-- preventing IP spoofing on outgoing -->
>>   <filterref filter='no-ip-spoofing'/>
>>   <!-- preventing ARP spoofing/poisoning -->
>>   <filterref filter='no-arp-spoofing'/>
>>   <!-- accept all other incoming and outgoing ARP traffic -->
>>   <rule action='accept' direction='inout' priority='-500'>
>>     <mac protocolid='arp'/>
>>   </rule>
>>   <!-- accept traffic only from specified MAC address -->
>>   <rule action='accept' direction='in'>
>>     <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
>>   </rule>
>>   <!-- allow traffic only to specified MAC address -->
>>   <rule action='accept' direction='out'>
>>     <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
>>   </rule>
>>   <!-- preventing any other traffic than between specified MACs
>>        and ARP -->
>>   <filterref filter='no-other-l2-traffic'/>
>>
>>   <!-- allow qemu to send a self-announce upon migration end -->
>>   <filterref filter='qemu-announce-self'/>
>> </filter>
>>
>>
>> --
>>
>> ALES MUSIL
>> INTERN - rhv network
>>
>> Red Hat EMEA <https://www.redhat.com/>
>>
>>
>> amusil at redhat.com   IM: amusil

-- 

ALES MUSIL
Associate Software Engineer - rhv network

Red Hat EMEA <https://www.redhat.com/>


amusil at redhat.com   IM: amusil
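Not part of the thread or of libvirt: an added Python model of how the IP-restricted filter [2] above behaves, written to check the east-west case Thiago asked about. It emits the filter XML with $GATEWAY_IP and $GATEWAY_IP_MASK substituted for a constructed 192.168.1.0/24 guest, then evaluates constructed packets against a simplified rule order: ascending priority with 500 as the default, first match wins (those two facts are libvirt's), and the referenced helper filters reduced to no-other-l2-traffic dropping whatever nothing earlier accepted at priority 1000 (an assumption of this model, as is the whole evaluator and the function names). The `action` parameter exists only to show that the two subnet rules have to be accept rules: with drop, nothing but ARP gets through.

```python
import ipaddress
import xml.etree.ElementTree as ET

# libvirt evaluates rules in ascending priority order; a rule without an
# explicit priority gets 500. Everything else in this file is a deliberately
# simplified model of nwfilter, not libvirt's implementation.
DEFAULT_PRIORITY = 500

# Stand-ins for the referenced filters (assumption of this model). Only the
# behaviour that decides the east-west question is kept: no-other-l2-traffic
# drops whatever nothing earlier accepted. The anti-spoofing and announce
# filters are treated as no-ops, i.e. the test packets are not spoofed.
REFERENCED_FILTERS = {
    "no-other-l2-traffic": [{"action": "drop", "direction": "inout",
                             "priority": 1000, "proto": "any"}],
}


def build_subnet_filter(name, gateway_ip, gateway_mask, action="accept"):
    """Emit the clean-traffic-ip-gateway XML with $GATEWAY_IP and
    $GATEWAY_IP_MASK already substituted. `action` is the action of the two
    subnet rules; it is a parameter only to show what 'drop' would do."""
    f = ET.Element("filter", name=name)
    for ref in ("no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing"):
        ET.SubElement(f, "filterref", filter=ref)
    arp = ET.SubElement(f, "rule", action="accept", direction="inout",
                        priority="-500")
    ET.SubElement(arp, "mac", protocolid="arp")
    r_in = ET.SubElement(f, "rule", action=action, direction="in")
    ET.SubElement(r_in, "ip", match="yes", srcipaddr=gateway_ip,
                  srcipmask=gateway_mask)
    r_out = ET.SubElement(f, "rule", action=action, direction="out")
    ET.SubElement(r_out, "ip", match="yes", dstipaddr=gateway_ip,
                  dstipmask=gateway_mask)
    ET.SubElement(f, "filterref", filter="no-other-l2-traffic")
    ET.SubElement(f, "filterref", filter="qemu-announce-self")
    return ET.tostring(f, encoding="unicode")


def parse_rules(xml_text):
    """Flatten a filter into a list of rule dicts sorted by priority.
    Only <mac protocolid='arp'/> and <ip match='yes' .../> are modelled;
    a rule with any other match element is treated as matching everything."""
    rules = []
    for child in ET.fromstring(xml_text):
        if child.tag == "filterref":
            rules.extend(REFERENCED_FILTERS.get(child.get("filter"), []))
            continue
        if child.tag != "rule":
            continue
        rule = {"action": child.get("action"),
                "direction": child.get("direction"),
                "priority": int(child.get("priority", DEFAULT_PRIORITY)),
                "proto": "any"}
        mac, ip = child.find("mac"), child.find("ip")
        if mac is not None and mac.get("protocolid") == "arp":
            rule["proto"] = "arp"
        elif ip is not None:
            rule["proto"] = "ip"
            for side in ("src", "dst"):
                addr = ip.get(side + "ipaddr")
                if addr:
                    mask = ip.get(side + "ipmask", "32")
                    rule[side] = ipaddress.ip_network(f"{addr}/{mask}",
                                                      strict=False)
        rules.append(rule)
    return sorted(rules, key=lambda r: r["priority"])


def evaluate(rules, direction, proto, src=None, dst=None):
    """First rule matching the packet decides. A packet no rule matches is
    passed, which is exactly why the filter ends with no-other-l2-traffic."""
    for r in rules:
        if r["direction"] not in ("inout", direction):
            continue
        if r["proto"] not in ("any", proto):
            continue
        if "src" in r and ipaddress.ip_address(src) not in r["src"]:
            continue
        if "dst" in r and ipaddress.ip_address(dst) not in r["dst"]:
            continue
        return r["action"]
    return "accept"


def east_west_check(action="accept"):
    """Constructed addresses: a guest on 192.168.1.0/24 talking to a peer on
    the same subnet and to one on 192.168.2.0/24 reachable via a router."""
    rules = parse_rules(build_subnet_filter("clean-traffic-ip-gateway",
                                            "192.168.1.0", "24", action))
    return {
        "same_subnet_out": evaluate(rules, "out", "ip",
                                    src="192.168.1.10", dst="192.168.1.20"),
        "other_subnet_out": evaluate(rules, "out", "ip",
                                     src="192.168.1.10", dst="192.168.2.20"),
        "other_subnet_in": evaluate(rules, "in", "ip",
                                    src="192.168.2.20", dst="192.168.1.10"),
        "arp_in": evaluate(rules, "in", "arp"),
    }


if __name__ == "__main__":
    for variant in ("accept", "drop"):
        print(variant, east_west_check(variant))
```

Running it prints one line per variant: with accept rules, same-subnet traffic and ARP pass while both directions of cross-subnet traffic are dropped by no-other-l2-traffic; with drop rules, even same-subnet traffic is dropped, which is the failure mode to look for if a guest loses all IP connectivity after the filter is applied. The generated XML can also be written to a file and defined with `virsh nwfilter-define` for a real test.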