[libvirt-users] East-west traffic network filter

Thiago Oliveira cpv.thiago at gmail.com
Fri Jun 29 01:39:54 UTC 2018 

Hi Ales,

I would like to prevent the guests from different subnets start a
communication. In other words I have the subnet 192.168.1.0/24 and
192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with
guests on 192.168.2.0/24 at the same host. Is this possible using a filter
like yours?

Thank you.

Thiago.

Em qui, 28 de jun de 2018 às 09:37, Ales Musil <amusil at redhat.com> escreveu:

> Hello,
>
> I would like to make filter that allows communication only between
> specified VMs. Those VMs should be specified by their MAC address. The
> filter should extend clean-traffic but I was not able to get it working
> with that reference. I have came up with modified clean-traffic which works
> fine [1]. Is there a way to achieve the same behavior with reference to
> clean-traffic?
>
> Thank you.
> Best wishes,
> Ales Musil
>
> [1]
> <filter name='clean-traffic-gateway'>
> <!-- An example of a traffic filter enforcing clean traffic
>         from a VM by
>       - preventing MAC spoofing -->
> <filterref filter='no-mac-spoofing'/>
>
> <!-- preventing IP spoofing on outgoing -->
> <filterref filter='no-ip-spoofing'/>
> <!-- preventing ARP spoofing/poisoning -->
>   <filterref filter='no-arp-spoofing'/>
> <!-- accept all other incoming and outgoing ARP traffic -->
>   <rule action='accept' direction='inout' priority='-500'>
>     <mac protocolid='arp'/>
>   </rule>
> <!-- accept traffic only from specified MAC address -->
> <rule action='accept' direction='in'>
>                 <mac match='yes' srcmacaddr='$GATEWAY_MAC'
> srcmacmask='$GATEWAY_MAC_MASK' />
>         </rule>
> <!-- allow traffic only to specified MAC address -->
>         <rule action='accept' direction='out'>
>                 <mac match='yes' dstmacaddr='$GATEWAY_MAC'
> dstmacmask='$GATEWAY_MAC_MASK' />
>         </rule>
> <!-- preventing any other traffic than between specified MACs
> and ARP -->
>   <filterref filter='no-other-l2-traffic'/>
>
> <!-- allow qemu to send a self-announce upon migration end -->
> <filterref filter='qemu-announce-self'/>
> </filter>
>
>
> --
>
> ALES MUSIL
> INTERN - rhv network
>
> Red Hat EMEA <https://www.redhat.com/>
>
>
> amusil at redhat.com   IM: amusil
> <https://red.ht/sig>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users at redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20180628/1c0de1c7/attachment.htm>

More information about the libvirt-users mailing list