[libvirt-users] East-west traffic network filter

Thiago Oliveira cpv.thiago at gmail.com
Tue Jul 3 02:10:44 UTC 2018


Hi Ales,

In fact the router is running on the same KVM host. The default gateway for
each subnet is added automatically when the subnet is created. I will try
your suggestion and I would like to invite you to try too :)

Thank you very much!

Thiago



On Mon, 2 Jul 2018 06:05, Ales Musil <amusil at redhat.com> wrote:

>
>
> On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago at gmail.com>
> wrote:
>
>> Hi Ales,
>>
>> I would like to prevent the guests from different subnets start a
>> communication. In other words I have the subnet 192.168.1.0/24 and
>> 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with
>> guests on 192.168.2.0/24 at the same host. Is this possible using a
>> filter like yours?
>>
>>
> Hi Thiago,
>
> so by definition guests from different subnets cannot talk to each other
> directly unless they are connected via some router. That means you don't
> need any filter for that. If there is a router between the networks and it
> is needed for some cases then you could change the filter I have posted to
> use an IP restriction instead of a MAC one, e.g. [2]. I have not tested it
> myself but it should work fine.
>
> Hopefully this helps.
>
> Regards,
> Ales.
>
> [1]
> <filter name='clean-traffic-ip-gateway'>
>   <!-- An example of a traffic filter enforcing clean traffic
>        from a VM by
>        - preventing MAC spoofing -->
>   <filterref filter='no-mac-spoofing'/>
>
>   <!-- preventing IP spoofing on outgoing -->
>   <filterref filter='no-ip-spoofing'/>
>   <!-- preventing ARP spoofing/poisoning -->
>   <filterref filter='no-arp-spoofing'/>
>   <!-- accept all other incoming and outgoing ARP traffic -->
>   <rule action='accept' direction='inout' priority='-500'>
>     <mac protocolid='arp'/>
>   </rule>
>   <!-- restrict incoming traffic by the specified IP address -->
>   <rule action='drop' direction='in'>
>     <ip match='yes' srcipaddr='$GATEWAY_IP' srcipmask='$GATEWAY_IP_MASK'/>
>   </rule>
>   <!-- restrict outgoing traffic by the specified IP address -->
>   <rule action='drop' direction='out'>
>     <ip match='yes' dstipaddr='$GATEWAY_IP' dstipmask='$GATEWAY_IP_MASK'/>
>   </rule>
>   <!-- preventing any other traffic than between specified IPs and ARP -->
>   <filterref filter='no-other-l2-traffic'/>
>
>   <!-- allow qemu to send a self-announce upon migration end -->
>   <filterref filter='qemu-announce-self'/>
> </filter>
>
>> Thank you.
>>
>> Thiago.
>>
>> On Thu, 28 Jun 2018 at 09:37, Ales Musil <amusil at redhat.com>
>> wrote:
>>
>>> Hello,
>>>
>>> I would like to make a filter that allows communication only between
>>> specified VMs. Those VMs should be specified by their MAC address. The
>>> filter should extend clean-traffic but I was not able to get it working
>>> with that reference. I have come up with a modified clean-traffic which
>>> works fine [1]. Is there a way to achieve the same behavior with a
>>> reference to clean-traffic?
>>>
>>> Thank you.
>>> Best wishes,
>>> Ales Musil
>>>
>>> [1]
>>> <filter name='clean-traffic-gateway'>
>>>   <!-- An example of a traffic filter enforcing clean traffic
>>>        from a VM by
>>>        - preventing MAC spoofing -->
>>>   <filterref filter='no-mac-spoofing'/>
>>>
>>>   <!-- preventing IP spoofing on outgoing -->
>>>   <filterref filter='no-ip-spoofing'/>
>>>   <!-- preventing ARP spoofing/poisoning -->
>>>   <filterref filter='no-arp-spoofing'/>
>>>   <!-- accept all other incoming and outgoing ARP traffic -->
>>>   <rule action='accept' direction='inout' priority='-500'>
>>>     <mac protocolid='arp'/>
>>>   </rule>
>>>   <!-- accept traffic only from specified MAC address -->
>>>   <rule action='accept' direction='in'>
>>>     <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
>>>   </rule>
>>>   <!-- allow traffic only to specified MAC address -->
>>>   <rule action='accept' direction='out'>
>>>     <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
>>>   </rule>
>>>   <!-- preventing any other traffic than between specified MACs and ARP -->
>>>   <filterref filter='no-other-l2-traffic'/>
>>>
>>>   <!-- allow qemu to send a self-announce upon migration end -->
>>>   <filterref filter='qemu-announce-self'/>
>>> </filter>
>>>
>>>
>>> --
>>>
>>> ALES MUSIL
>>> INTERN - rhv network
>>>
>>> Red Hat EMEA <https://www.redhat.com/>
>>>
>>>
>>> amusil at redhat.com   IM: amusil
>>> <https://red.ht/sig>
>>> _______________________________________________
>>> libvirt-users mailing list
>>> libvirt-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/libvirt-users
>>
>>
>
> --
>
> ALES MUSIL
> Associate Software Engineer - rhv network
>
> Red Hat EMEA <https://www.redhat.com/>
>
>
> amusil at redhat.com   IM: amusil
> <https://red.ht/sig>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20180702/aace8fc6/attachment.htm>
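As an added example that is not part of the thread: a libvirt nwfilter built on the IP-based approach Ales suggests, which keeps a guest on 192.168.1.0/24 from exchanging IPv4 traffic with 192.168.2.0/24 even though a router on the same KVM host joins the two subnets. The filter name, the OTHER_SUBNET/OTHER_MASK variables and the network name subnet1 are assumptions of this example; the two subnets are the ones Thiago named.

```xml
<!-- Constructed example (not from the thread). Filter to attach to guests on
     192.168.1.0/24 so they cannot exchange IPv4 traffic with 192.168.2.0/24,
     even though a router on the same KVM host joins the two subnets. -->
<filter name='isolate-from-subnet'>
  <!-- keep the stock anti-spoofing rules; clean-traffic also accepts ARP,
       so the guest can still resolve and reach its own gateway -->
  <filterref filter='clean-traffic'/>

  <!-- routed packets keep the remote subnet's source address when they
       reach the guest's tap device, so an IP match catches them -->
  <rule action='drop' direction='in'>
    <ip srcipaddr='$OTHER_SUBNET' srcipmask='$OTHER_MASK'/>
  </rule>

  <!-- and drop anything the guest addresses to the remote subnet -->
  <rule action='drop' direction='out'>
    <ip dstipaddr='$OTHER_SUBNET' dstipmask='$OTHER_MASK'/>
  </rule>
</filter>

<!-- Interface fragment of a guest on 192.168.1.0/24 (network name 'subnet1'
     is assumed). The variables are filled in per interface, so one filter
     serves both subnets: a guest on 192.168.2.0/24 gets the same filterref
     with value='192.168.1.0'. -->
<interface type='network'>
  <source network='subnet1'/>
  <model type='virtio'/>
  <filterref filter='isolate-from-subnet'>
    <parameter name='OTHER_SUBNET' value='192.168.2.0'/>
    <parameter name='OTHER_MASK' value='255.255.255.0'/>
  </filterref>
</interface>
```

Load the filter with `virsh nwfilter-define` and check the stored definition with `virsh nwfilter-dumpxml isolate-from-subnet`; libvirt instantiates the rules for each interface when the guest starts, so a running guest needs a restart (or interface re-attach) to pick the filter up.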