On Mon, Feb 22, 2010 at 01:45:20PM +0100, Gerhard Stenzel wrote:
> Hi, here is a preview of a chapter which is eventually intended for the
> libvirt application development guide. It is not final yet, but I feel
> now would be a good moment to gather some first feedback and to
> "finalise" the XML schema which is used in the examples.
Thanks, this is a good idea !
> ------------------------------------------------------------------------
> 1. Network Filter
> 1.1. Overview
> 1.2. XML Filter Description Format
> 1.2.1. Complex Filter
> 1.2.2. Simple Filters
> 1.3. Retrieving Information About Filter
> 1.3.1. TBD
> Chapter 1. Network Filter
> ---------------------------
> This section covers the management and definition of network filters
> using the libvirt API.
> 1.2.2. Simple Filters
> The following examples of simple filters are predefined and address
> distinct filter requirements. The predefined no-arp-spoofing filter drops
> all ARP packets
> * originating from the guest if they contain other than the guest's IP
> or MAC address
> * destined for the guest if they contain other than the guest's IP or
> MAC address
> It accepts all request or reply ARP packets.
> <filter name='no-arp-spoofing' chain='arp'>
Perhaps we should call that 'chain' attribute 'protocol' instead since
that appears to be what you're representing there. I'm wondering how
this should interact with the <filterref> element. eg, you might have
chain='ipv4' on the main filter, and then a <filterref> pointing to
a chain='arp'. One way would be to declare that a <filter> can contain
either <rule> or <filterref>, but not a mixture of both.
>   <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
>   <!-- no arp spoofing -->
>   <!-- drop if ipaddr or macaddr does not belong to guest -->
>   <rule action='drop' direction='out'>
>     <arp match='no' srcmacaddr='$MAC'/>
>   </rule>
>   <rule action='drop' direction='out'>
>     <arp match='no' srcipaddr='$IP' />
>   </rule>
>   <!-- drop if ipaddr or macaddr does not belong to guest -->
>   <rule action='drop' direction='in'>
>     <arp match='no' dstmacaddr='$MAC'/>
>   </rule>
>   <rule action='drop' direction='in'>
>     <arp match='no' dstipaddr='$IP' />
>   </rule>
>   <!-- accept only request or reply packets -->
>   <rule action='accept' direction='inout'>
>     <arp opcode='request'/>
>   </rule>
>   <rule action='accept' direction='inout'>
>     <arp opcode='reply'/>
>   </rule>
>   <!-- drop everything else -->
>   <rule action='drop' direction='inout'/>
> </filter>
Generally, your proposal looks good to me.
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
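A small simulator of the quoted no-arp-spoofing filter, added here as an example and not code from the thread or from libvirt itself: it parses the <rule> elements, substitutes $MAC and $IP for a given guest, and reports which action a constructed ARP packet gets, so the effect of the rule ordering can be checked. It assumes rules are tried top to bottom with first match winning, that match='no' negates the whole <arp> element, and that a packet matching no rule is accepted; the packet dicts are a hypothetical stand-in for a parsed ARP frame.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the quoted no-arp-spoofing filter (uuid element omitted).
FILTER_XML = """<filter name='no-arp-spoofing' chain='arp'>
  <rule action='drop' direction='out'><arp match='no' srcmacaddr='$MAC'/></rule>
  <rule action='drop' direction='out'><arp match='no' srcipaddr='$IP'/></rule>
  <rule action='drop' direction='in'><arp match='no' dstmacaddr='$MAC'/></rule>
  <rule action='drop' direction='in'><arp match='no' dstipaddr='$IP'/></rule>
  <rule action='accept' direction='inout'><arp opcode='request'/></rule>
  <rule action='accept' direction='inout'><arp opcode='reply'/></rule>
  <rule action='drop' direction='inout'/>
</filter>
"""

# <arp> attribute name -> key in the packet dicts used below (the packet dict
# is a hypothetical stand-in for a parsed ARP frame).
ARP_FIELDS = {"srcmacaddr": "srcmac", "srcipaddr": "srcip",
              "dstmacaddr": "dstmac", "dstipaddr": "dstip", "opcode": "opcode"}

def load_rules(xml_text, variables):
    """Parse the <rule> elements; $NAME values come from the variables dict."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("rule"):
        arp = rule.find("arp")
        conds, negate = {}, False
        if arp is not None:
            negate = arp.get("match", "yes") == "no"   # match='no' inverts
            for attr, key in ARP_FIELDS.items():
                if attr in arp.attrib:
                    val = arp.attrib[attr]
                    if val.startswith("$"):
                        val = variables[val[1:]]   # e.g. $MAC -> guest MAC
                    conds[key] = val.lower()
        rules.append((rule.get("action"), rule.get("direction"), conds, negate))
    return rules

def evaluate(rules, packet):
    """Return the action ('accept' or 'drop') of the first rule the packet hits.

    Assumption: rules are tried in document order, first match wins, and
    match='no' negates the conjunction of all conditions on the <arp> element."""
    for action, direction, conds, negate in rules:
        if direction != "inout" and direction != packet["direction"]:
            continue
        hit = all(packet[key].lower() == want for key, want in conds.items())
        if hit != negate:
            return action
    return "accept"   # assumed default when no rule matches
```

Feeding the simulator a legitimate request, a request with a spoofed source IP and an unexpected opcode shows which rule catches each, which is the check a reviewer of the chapter's rule ordering would want.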