[libvirt] [PATCH] examples: Add clean-traffic-gateway into nwfilters

This filter should be used to limit traffic between VMs based on their MAC adddresses. The MAC address can be set with GATEWAY_MAC and mask with GATEWAY_MAC_MASK variable. Signed-off-by: Ales Musil <amusil(a)redhat.com&gt; --- examples/xml/nwfilter/clean-traffic-gateway.xml | 36 +++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 examples/xml/nwfilter/clean-traffic-gateway.xml diff --git a/examples/xml/nwfilter/clean-traffic-gateway.xml b/examples/xml/nwfilter/clean-traffic-gateway.xml new file mode 100644 index 0000000..d1e7c81 --- /dev/null +++ b/examples/xml/nwfilter/clean-traffic-gateway.xml @@ -0,0 +1,36 @@ +<filter name='clean-traffic-gateway'> + <!-- An example of a traffic filter enforcing clean traffic + from a VM by + - preventing MAC spoofing --> + <filterref filter='no-mac-spoofing'/> + + <!-- preventing IP spoofing on outgoing --> + <filterref filter='no-ip-spoofing'/> + + <!-- preventing ARP spoofing/poisoning --> + <filterref filter='no-arp-spoofing'/> + + <!-- accept all other incoming and outgoing ARP traffic --> + <rule action='accept' direction='inout' priority='-500'> + <mac protocolid='arp'/> + </rule> + + <!-- accept traffic only from specified MAC address --> + <rule action='accept' direction='in'> + <mac match='yes' srcmacaddr='$GATEWAY_MAC' + srcmacmask='$GATEWAY_MAC_MASK'/> + </rule> + + <!-- allow traffic only to specified MAC address --> + <rule action='accept' direction='out'> + <mac match='yes' dstmacaddr='$GATEWAY_MAC' + dstmacmask='$GATEWAY_MAC_MASK'/> + </rule> + + <!-- preventing any other traffic than between specified MACs + and ARP --> + <filterref filter='no-other-l2-traffic'/> + + <!-- allow qemu to send a self-announce upon migration end --> + <filterref filter='qemu-announce-self'/> +</filter> -- 1.8.3.1