Re: [libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs

On Wed, 2010-01-13 at 17:36 +0000, Daniel P. Berrange wrote: > In addition the DMTF XML format illustrated above is seriously ugly > and not following the style of other libvirt XML formats. The use > of UPPERCASE alone is reason enough to create a native libvirt format > for this. We should of course ensure that whatever we do can be > reliably mapped into the DMTF format via a simple XSL transform. > > Daniel Hi, we have been thinking about the comments regarding the XML format and hope the following is more in line with other libvirt XML formats: As Stefan proposed originally, the guest interface has an additional firewall. The firewall can have several filters, some of which are generic and template based and some are guest specific. The template filters can take parameters. The filters contain rules, currently for mac, arp, vlan and ip. A rule is applied if the conditions specified by the attributes and their values are true and the specified action will happen. The match attribute can be used to specify that the action should happen if the condition is not true. If an attribute is supplied on a rule but its value is empty (''), the supplied parameter for a template or the respective value for the current interface is used. This will need a few more examples to verify it is sufficient, but here is the current status: The guest xml file: ------------------- <domain type='kvm'> <name>demo</name> <memory>256000</memory> <devices> <interface type="bridge"> <firewall> <filter template='drop-all'/> <filter template='no-arp-spoofing' srcipaddr='10.0.0.1'/> <filter template='no-mac-spoofing'/> <filter template='no-ip-spoofing srcipaddr='10.0.0.1'/> <filter> <!-- allow outgoing IPV4 packets with the guest mac addr and vlanid 3 --> <rule action='allow' direction='out'> <mac srcmacaddr='' /> <vlan id='3'/> <ip version='4'/> </rule> <!-- only accept non-IPV6 packets from 'aa:bb:cc:dd:ee:ff' --> <rule action='allow' direction='in'> <mac srcmacaddr='aa:bb:cc:dd:ee:ff' /> <vlan id='3'/> <ip match='no' version='6'/> </rule> <!-- no access to port 25 allowed --> <rule action='allow' direction='in'> <ip match='no' dstportstart = '25' dstportend = '25' /> </rule> </filter> </firewall> </interface> </devices> </domain>

The template xml files could be similar to this: ------------------------------------------------ <firewall> <!-- by default drop everything --> <template name='drop-all'> <filter policy='drop' /> </template> <template name='no-arp-spoofing'> <filter name='ARP' policy='drop'> <!-- no arp spoofing --> <!-- drop if ipaddr or macaddr does not belong to guest --> <rule action='drop' direction='out'> <arp match='no' srcmacaddr=''/> <arp match='no' srcipaddr='' /> </rule> <!-- drop if ipaddr or macaddr does not belong to guest --> <rule action='drop' direction='in'> <arp match='no' dstmacaddr=' '/> <arp match='no' dstipaddr='' />

</rule> <!-- allow all other request or reply packets --> <rule action='allow' direction='inout'> <arp opcode='request'/> <arp opcode='reply'/> </rule> </filter> </template> <template name='no-mac-spoofing'> <filter name='DLFT'> <!-- no mac spoofing --> <rule action='drop' direction='out'> <mac match='no' srcmacaddr=''/> </rule> </filter> </template> <template name='no-ip-spoofing'> <filter name='IPv4'> <!-- no ip spoofing --> <rule action='drop' direction='out'> <ip match='no' srcipaddr=''/> </rule> </filter> </template>