On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago@gmail.com> wrote:
Hi Ales,I would like to prevent the guests from different subnets start a communication. In other words I have the subnet 192.168.1.0/24 and 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with guests on 192.168.2.0/24 at the same host. Is this possible using a filter like yours?
Hi Thiago,
so by definition guest from different subnets cannot talk to each other directly unless they are connected via some router. That means you don't need any filter for that. If there is a router between the networks and it is needed for some cases then you could change the filter I have posted to use IP restriction instead of MAC one e.g [2]. Have not tested it myself but it should work fine.
Hopefully this helps.
Regards,
Ales.
Ales.
[1]
<filter name='clean-traffic-ip-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='drop' direction='in'>
<ip match='yes' srcipaddr='$GATEWAY_IP'
srcipmask='$GATEWAY_IP_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='drop' direction='out'>
<ip match='yes' dstipaddr='$GATEWAY_IP'
dstipmask='$GATEWAY_IP_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
Thank you.Thiago.Em qui, 28 de jun de 2018 às 09:37, Ales Musil <amusil@redhat.com> escreveu:Hello,_______________________________________________I would like to make filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have came up with modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with reference to clean-traffic?Thank you.Best wishes,
Ales Musil[1]<filter name='clean-traffic-gateway'><!-- An example of a traffic filter enforcing clean trafficfrom a VM by- preventing MAC spoofing --><filterref filter='no-mac-spoofing'/><!-- preventing IP spoofing on outgoing --><filterref filter='no-ip-spoofing'/><!-- preventing ARP spoofing/poisoning --><filterref filter='no-arp-spoofing'/><!-- accept all other incoming and outgoing ARP traffic --><rule action='accept' direction='inout' priority='-500'><mac protocolid='arp'/></rule><!-- accept traffic only from specified MAC address --><rule action='accept' direction='in'><mac match='yes' srcmacaddr='$GATEWAY_MAC'srcmacmask='$GATEWAY_MAC_MASK' /></rule><!-- allow traffic only to specified MAC address --><rule action='accept' direction='out'><mac match='yes' dstmacaddr='$GATEWAY_MAC'dstmacmask='$GATEWAY_MAC_MASK' /></rule><!-- preventing any other traffic than between specified MACsand ARP --><filterref filter='no-other-l2-traffic'/><!-- allow qemu to send a self-announce upon migration end --><filterref filter='qemu-announce-self'/></filter>--
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
