On Wed, Aug 19, 2009 at 02:11:14PM +0200, Gerhard Stenzel wrote:
> Hello,
> I am currently investigating the possibility to implement MAC address
> based filtering in libvirt and was wondering if there is any related
> effort going on and what people in general would think about that.

Great, we certainly need this feature.

> and the network to which I added a new XML element "filter" with
> attribute "mac", which switches on the MAC address filtering:
>
> root@stenzel-desktop:/etc/libvirt/qemu# cat networks/mynet.xml
> <network>
>   <name>mynet</name>
>   <uuid>920debe0-c3ef-4395-8241-ee82d4b49c2d</uuid>
>   <bridge name="br%d" stp="off"/>
>   <filter mac="on"/>
> </network>
>
> the "filter" element is evaluated at startup of libvirtd and a generic
> ebtables rule is generated (all frames are dropped):

I think this extra XML element is probably redundant - we should always do
MAC filtering at all times, on all bridges. Not simply those used in a
virtual network, but also those connected to a real physical device too.

I could see having a QEMU driver level configuration option in
/etc/libvirt/qemu.conf though, to turn filtering on/off for the
host as a whole.

> The current prototype implementation is based on the existing iptables
> wrapper in libvirt. I basically cloned the iptables wrapper to an
> ebtables wrapper and did some ebtables specific adjustments. There are
> currently four occasions when the ebtables wrapper is called:
> - when creating the network

What do you do to ebtables at this point ?

> - when adding a guest to the network
> - when removing a guest from the network

Isn't it sufficient to only use ebtables in these two places ?

> - when destroying the network (currently not implemented)
> These calls can be augmented to also do for example tagged vlan and
> protocol filtering.

We probably also want to be able to do IP address filtering too.
i.e., if the guest XML has an <ip address> element inside the <interface>
then we should add rules to ensure only IP traffic matching that
source/target address is allowed to pass out/in
Daniel
-- 
|: Red Hat, Engineering, London  -o-  http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
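As an added example (it is not libvirt code and not part of the thread above), the following Python sketch shows the rule generation the thread is discussing: it reads the proposed `<filter mac="on"/>` element from the network XML quoted in the thread, then derives per-guest ebtables rules from a guest `<interface>` that pin the tap device to its configured MAC and, where an `<ip address>` element is present as Daniel suggests, to its IPv4 address. The guest MAC, IP address, tap device name `vnet0` and bridge name `br0` are constructed sample values, and the ebtables invocations are only built as argv lists (never executed), so the script runs without root or ebtables installed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the network definition quoted in the thread, carrying
# the proposed <filter mac="on"/> element (the bridge name is an assumed value).
NETWORK_XML = """<network>
  <name>mynet</name>
  <uuid>920debe0-c3ef-4395-8241-ee82d4b49c2d</uuid>
  <bridge name="br0" stp="off"/>
  <filter mac="on"/>
</network>"""

# Constructed sample: a guest <interface> as it appears in domain XML.
# MAC, IP address and tap device name are assumed values, not from the thread.
GUEST_IFACE_XML = """<interface type="network">
  <mac address="52:54:00:12:34:56"/>
  <source network="mynet"/>
  <ip address="192.168.122.10"/>
  <target dev="vnet0"/>
</interface>"""

# Strict shapes for everything that will end up on an ebtables command line;
# anything else is rejected rather than interpolated into a rule.
MAC_RE = re.compile(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}")
IPV4_RE = re.compile(r"(\d{1,3}\.){3}\d{1,3}")
DEV_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def mac_filter_enabled(network_xml):
    """True when the network definition carries <filter mac="on"/>."""
    net = ET.fromstring(network_xml)
    flt = net.find("filter")
    return flt is not None and flt.get("mac") == "on"


def _attr(elem, path, attr, pattern, required=True):
    """Fetch one attribute and validate it before it can reach a shell."""
    child = elem.find(path)
    value = child.get(attr) if child is not None else None
    if value is None:
        if required:
            raise ValueError("missing <%s %s=...>" % (path, attr))
        return None
    if not pattern.fullmatch(value):
        raise ValueError("rejecting malformed %s=%r" % (attr, value))
    return value


def guest_rules(iface_xml, chain="FORWARD"):
    """Return ebtables argv lists that tie a guest's tap device to its
    configured source MAC and, if <ip address> is present, its IPv4 address."""
    iface = ET.fromstring(iface_xml)
    dev = _attr(iface, "target", "dev", DEV_RE)
    mac = _attr(iface, "mac", "address", MAC_RE)
    ip = _attr(iface, "ip", "address", IPV4_RE, required=False)

    rules = [
        # Frames entering the bridge from this tap must carry the guest's MAC.
        ["ebtables", "-A", chain, "-i", dev, "-s", "!", mac, "-j", "DROP"],
    ]
    if ip:
        rules += [
            # IPv4 packets from the guest must use its assigned source address.
            ["ebtables", "-A", chain, "-i", dev, "-p", "IPv4",
             "--ip-src", "!", ip, "-j", "DROP"],
            # ARP from the guest must not claim any other address.
            ["ebtables", "-A", chain, "-i", dev, "-p", "ARP",
             "--arp-ip-src", "!", ip, "-j", "DROP"],
        ]
    return rules


def render(rules):
    """Join argv lists into one command per line for display or a script."""
    return "\n".join(" ".join(r) for r in rules)


if __name__ == "__main__":
    if mac_filter_enabled(NETWORK_XML):
        print(render(guest_rules(GUEST_IFACE_XML)))
```

The rules only match frames arriving from the tap (`-i vnet0`), which is where spoofing originates; matching on the destination of frames leaving towards the guest (`-o vnet0`) would also need exceptions for broadcast and multicast traffic such as ARP requests and DHCP, so that direction is left out here. The regular expressions are the security-relevant part of the helper: values come from user-editable XML, and a malformed MAC or device name must fail validation rather than be spliced into a command line.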