[libvirt-users] East-west traffic network filter

Ales Musil amusil at redhat.com
Mon Jul 2 08:55:53 UTC 2018


On Thu, Jun 28, 2018 at 2:40 PM Daniel P. Berrangé <berrange at redhat.com>
wrote:

> On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote:
> > Hello,
> >
> > I would like to make a filter that allows communication only between
> > specified VMs. Those VMs should be specified by their MAC address. The
> > filter should extend clean-traffic but I was not able to get it working
> > with that reference. I have come up with a modified clean-traffic which
> > works fine [1]. Is there a way to achieve the same behavior with reference to
> > clean-traffic?
>
> Honestly I think the way you've done it is the right way. "clean-traffic"
> is best thought of as a simple demo. If it does what you need, great, but
> we'd expect people to create their own filters for anything more advanced.
> The clean-traffic rules were modularized so you can use <filterrefs> to
> avoid too much duplication. So what you've done looks fine to me.
>
>
Alright, thank you.

> > [1]
> > <filter name='clean-traffic-gateway'>
> >   <!-- An example of a traffic filter enforcing clean traffic
> >        from a VM by
> >        - preventing MAC spoofing -->
> >   <filterref filter='no-mac-spoofing'/>
> >
> >   <!-- preventing IP spoofing on outgoing -->
> >   <filterref filter='no-ip-spoofing'/>
> >   <!-- preventing ARP spoofing/poisoning -->
> >   <filterref filter='no-arp-spoofing'/>
> >   <!-- accept all other incoming and outgoing ARP traffic -->
> >   <rule action='accept' direction='inout' priority='-500'>
> >     <mac protocolid='arp'/>
> >   </rule>
> >   <!-- accept traffic only from specified MAC address -->
> >   <rule action='accept' direction='in'>
> >     <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
> >   </rule>
> >   <!-- allow traffic only to specified MAC address -->
> >   <rule action='accept' direction='out'>
> >     <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
> >   </rule>
> >   <!-- preventing any other traffic than between specified MACs
> >        and ARP -->
> >   <filterref filter='no-other-l2-traffic'/>
> >
> >   <!-- allow qemu to send a self-announce upon migration end -->
> >   <filterref filter='qemu-announce-self'/>
> > </filter>
> >
> >
> > --
> >
> > ALES MUSIL
> > INTERN - rhv network
> >
> > Red Hat EMEA <https://www.redhat.com/>
> >
> >
> > amusil at redhat.com   IM: amusil
> > <https://red.ht/sig>
>
> > _______________________________________________
> > libvirt-users mailing list
> > libvirt-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/libvirt-users
>
>
> Regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
>


-- 

ALES MUSIL
Associate Software Engineer - rhv network

Red Hat EMEA <https://www.redhat.com/>


amusil at redhat.com   IM: amusil
<https://red.ht/sig>
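The filter in [1] takes its MAC values from `$GATEWAY_MAC` and `$GATEWAY_MAC_MASK`, which still have to be bound per interface in the domain XML. The following Python snippet is an added example, not code from the thread or from libvirt: it generates that `<filterref>` binding for a list of allowed peer MACs (libvirt instantiates a rule once per list element, walking variables that share the default iterator in parallel) and checks that every variable the filter references is bound, since an unbound variable stops the domain from starting. Function names and the `br0` bridge are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Filter from the thread: L2 traffic is allowed only to/from $GATEWAY_MAC.
FILTER_XML = """<filter name='clean-traffic-gateway'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>"""

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def referenced_variables(filter_xml):
    """Return the set of $VARIABLE names used anywhere in the filter XML."""
    return set(VAR_RE.findall(filter_xml))


def build_interface_xml(allowed_macs, filter_name="clean-traffic-gateway"):
    """Build the <interface> fragment that binds the filter's variables.
    Repeating a <parameter> name turns the variable into a list; libvirt
    instantiates the rule once per element, so several peers can be allowed."""
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "source", bridge="br0")  # constructed bridge name
    ref = ET.SubElement(iface, "filterref", filter=filter_name)
    for mac in allowed_macs:
        ET.SubElement(ref, "parameter", name="GATEWAY_MAC", value=mac)
        # Full mask = exact match; one mask per MAC keeps both lists aligned,
        # because variables sharing the default iterator are walked in parallel.
        ET.SubElement(ref, "parameter", name="GATEWAY_MAC_MASK", value="ff:ff:ff:ff:ff:ff")
    return ET.tostring(iface, encoding="unicode")


def unbound_variables(filter_xml, interface_xml):
    """Variables the filter references but the <filterref> does not bind."""
    bound = {p.get("name") for p in ET.fromstring(interface_xml).iter("parameter")}
    return referenced_variables(filter_xml) - bound
```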