Re: [libvirt-users] East-west traffic network filter

On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote: > Hello, > > I would like to make filter that allows communication only between > specified VMs. Those VMs should be specified by their MAC address. The > filter should extend clean-traffic but I was not able to get it working > with that reference. I have came up with modified clean-traffic which works > fine [1]. Is there a way to achieve the same behavior with reference to > clean-traffic? Honestly I think the way you've done it is the right way. "clean-traffic" is best thought of as a simple demo. If it does what you need, great, but we'd expect people to create their own filters for anything more advanced. The clean-traffic rules were modularized so you can use <filterrefs> to avoid too much duplication. So what you've done looks fine to me.

[1] > <filter name='clean-traffic-gateway'> > <!-- An example of a traffic filter enforcing clean traffic > from a VM by > - preventing MAC spoofing --> > <filterref filter='no-mac-spoofing'/> > > <!-- preventing IP spoofing on outgoing --> > <filterref filter='no-ip-spoofing'/> > <!-- preventing ARP spoofing/poisoning --> > <filterref filter='no-arp-spoofing'/> > <!-- accept all other incoming and outgoing ARP traffic --> > <rule action='accept' direction='inout' priority='-500'> > <mac protocolid='arp'/> > </rule> > <!-- accept traffic only from specified MAC address --> > <rule action='accept' direction='in'> > <mac match='yes' srcmacaddr='$GATEWAY_MAC' > srcmacmask='$GATEWAY_MAC_MASK' /> > </rule> > <!-- allow traffic only to specified MAC address --> > <rule action='accept' direction='out'> > <mac match='yes' dstmacaddr='$GATEWAY_MAC' > dstmacmask='$GATEWAY_MAC_MASK' /> > </rule> > <!-- preventing any other traffic than between specified MACs > and ARP --> > <filterref filter='no-other-l2-traffic'/> > > <!-- allow qemu to send a self-announce upon migration end --> > <filterref filter='qemu-announce-self'/> > </filter> > > > -- > > ALES MUSIL > INTERN - rhv network > > Red Hat EMEA <https://www.redhat.com/> > > > amusil(a)redhat.com IM: amusil > <https://red.ht/sig> > _______________________________________________ > libvirt-users mailing list > libvirt-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/libvirt-users Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|