[libvirt-users] East-west traffic network filter

Ales Musil amusil at redhat.com
Thu Jun 28 08:18:57 UTC 2018


Hello,

I would like to make a filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic, but I was not able to get it working
with that reference. I have come up with a modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with a reference to
clean-traffic?

Thank you.
Best wishes,
Ales Musil

[1]
<filter name='clean-traffic-gateway'>
  <!-- An example of a traffic filter enforcing clean traffic
       from a VM by
       - preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>

  <!-- preventing IP spoofing on outgoing -->
  <filterref filter='no-ip-spoofing'/>
  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>
  <!-- accept all other incoming and outgoing ARP traffic -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <!-- accept traffic only from specified MAC address -->
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC'
         srcmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <!-- allow traffic only to specified MAC address -->
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC'
         dstmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <!-- preventing any other traffic than between specified MACs
       and ARP -->
  <filterref filter='no-other-l2-traffic'/>

  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>


-- 

ALES MUSIL
INTERN - rhv network

Red Hat EMEA <https://www.redhat.com/>


amusil at redhat.com   IM: amusil
<https://red.ht/sig>
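An added example, not part of the original post: a small Python helper that generates a filter in the shape of the one above for an explicit list of peer MACs (one accept rule per peer and direction instead of a single masked match), plus a checker showing which addresses a srcmacaddr/srcmacmask pair admits. It assumes the mask is applied bitwise, the way ebtables applies a MAC mask; the filter name and the 52:54:00:... addresses are constructed sample values.

```python
import xml.etree.ElementTree as ET


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 bytes; reject anything else."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def mac_matches(mac: str, rule_mac: str, rule_mask: str = "ff:ff:ff:ff:ff:ff") -> bool:
    """True if `mac` would match a <mac srcmacaddr=rule_mac srcmacmask=rule_mask/> rule.

    Assumption: only the bits set in the mask are compared (bitwise AND), as
    with an ebtables MAC/mask pair. An all-ones mask is an exact match.
    """
    a, r, m = parse_mac(mac), parse_mac(rule_mac), parse_mac(rule_mask)
    return all((x & z) == (y & z) for x, y, z in zip(a, r, m))


def build_filter(name: str, peer_macs: list[str]) -> str:
    """Emit nwfilter XML allowing L2 traffic only to/from the listed peers."""
    for mac in peer_macs:
        parse_mac(mac)  # fail early on a malformed address
    root = ET.Element("filter", name=name)
    for ref in ("no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing"):
        ET.SubElement(root, "filterref", filter=ref)
    # ARP in both directions, ahead of the per-peer rules (lower priority runs first)
    arp = ET.SubElement(root, "rule", action="accept", direction="inout", priority="-500")
    ET.SubElement(arp, "mac", protocolid="arp")
    # One exact-match rule per peer: incoming matched on source, outgoing on destination
    for mac in peer_macs:
        for direction, attr in (("in", "srcmacaddr"), ("out", "dstmacaddr")):
            rule = ET.SubElement(root, "rule", action="accept", direction=direction)
            ET.SubElement(rule, "mac", {"match": "yes", attr: mac})
    # Everything not accepted above is dropped; keep the migration self-announce
    ET.SubElement(root, "filterref", filter="no-other-l2-traffic")
    ET.SubElement(root, "filterref", filter="qemu-announce-self")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_filter("east-west-vm-a", ["52:54:00:aa:bb:01", "52:54:00:aa:bb:02"]))
```

The generated XML can be loaded with `virsh nwfilter-define`; only a different peer list needs to be generated per VM group.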