
On Thu, Jun 28, 2018 at 2:40 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote:
Hello,
I would like to make a filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic, but I was not able to get it working with that reference. I have come up with a modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with a reference to clean-traffic?
Honestly I think the way you've done it is the right way. "clean-traffic" is best thought of as a simple demo. If it does what you need, great, but we'd expect people to create their own filters for anything more advanced. The clean-traffic rules were modularized so you can use <filterrefs> to avoid too much duplication. So what you've done looks fine to me.
Alright, thank you.
[1]
<filter name='clean-traffic-gateway'>
  <!-- An example of a traffic filter enforcing clean traffic from a VM by
       - preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>
  <!-- preventing IP spoofing on outgoing -->
  <filterref filter='no-ip-spoofing'/>
  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>
  <!-- accept all other incoming and outgoing ARP traffic -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <!-- accept traffic only from specified MAC address -->
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <!-- allow traffic only to specified MAC address -->
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <!-- preventing any other traffic than between specified MACs and ARP -->
  <filterref filter='no-other-l2-traffic'/>
  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil@redhat.com IM: amusil <https://red.ht/sig>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

--
ALES MUSIL
Associate Software Engineer - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil@redhat.com IM: amusil <https://red.ht/sig>
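The filter posted in [1] refers to two variables, $GATEWAY_MAC and $GATEWAY_MAC_MASK, which libvirt resolves only when the domain that references the filter supplies them as <parameter> elements; without them the interface cannot be instantiated. The fragment below is an added example of a domain's <interface> binding those parameters, not code from the thread or from libvirt's own filter set. The bridge name and both MAC addresses are constructed values; the filter itself must already have been defined (for example with virsh nwfilter-define).

```xml
<!-- Domain <devices> fragment: bind the clean-traffic-gateway filter
     from the thread to one vNIC and supply its two variables. -->
<interface type='bridge'>
  <!-- 'br0' is an assumed host bridge name -->
  <source bridge='br0'/>
  <!-- constructed MAC of this VM's own NIC -->
  <mac address='52:54:00:aa:bb:cc'/>
  <filterref filter='clean-traffic-gateway'>
    <!-- constructed MAC of the single peer VM this guest may talk to -->
    <parameter name='GATEWAY_MAC' value='52:54:00:11:22:33'/>
    <!-- all-ones mask: srcmacaddr/dstmacaddr must match every bit,
         so exactly one peer is permitted; clearing mask bits widens
         the match to a whole range of addresses -->
    <parameter name='GATEWAY_MAC_MASK' value='ff:ff:ff:ff:ff:ff'/>
  </filterref>
</interface>
```

Keeping the mask at ff:ff:ff:ff:ff:ff is the conservative choice for the "only between specified VMs" goal in the original question: any zero bit in the mask turns the single-peer rule into a prefix match, and the trailing no-other-l2-traffic filterref is what drops everything the two accept rules and the ARP rule did not admit.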