Re: [libvirt-users] East-west traffic network filter

Hello, I would like to make filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have came up with modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with reference to clean-traffic? Thank you. Best wishes, Ales Musil [1] <filter name='clean-traffic-gateway'> <!-- An example of a traffic filter enforcing clean traffic from a VM by - preventing MAC spoofing --> <filterref filter='no-mac-spoofing'/> <!-- preventing IP spoofing on outgoing --> <filterref filter='no-ip-spoofing'/> <!-- preventing ARP spoofing/poisoning --> <filterref filter='no-arp-spoofing'/> <!-- accept all other incoming and outgoing ARP traffic --> <rule action='accept' direction='inout' priority='-500'> <mac protocolid='arp'/> </rule> <!-- accept traffic only from specified MAC address --> <rule action='accept' direction='in'> <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK' /> </rule> <!-- allow traffic only to specified MAC address --> <rule action='accept' direction='out'> <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK' /> </rule> <!-- preventing any other traffic than between specified MACs and ARP --> <filterref filter='no-other-l2-traffic'/> <!-- allow qemu to send a self-announce upon migration end --> <filterref filter='qemu-announce-self'/> </filter> -- ALES MUSIL INTERN - rhv network Red Hat EMEA <https://www.redhat.com/> amusil(a)redhat.com IM: amusil <https://red.ht/sig> _______________________________________________ libvirt-users mailing list libvirt-users(a)redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users