Hi Ales,
In fact the router is running on the same KVM host. The default gateway for
both subnets is added automatically when the subnet is created. I will try
your suggestion and I would like to invite you to try it too :)
Thank you very much!
Thiago
On Mon, Jul 2, 2018 at 06:05, Ales Musil <amusil(a)redhat.com> wrote:
On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago(a)gmail.com>
wrote:
> Hi Ales,
>
> I would like to prevent guests from different subnets from starting a
> communication. In other words, I have the subnets 192.168.1.0/24 and
> 192.168.2.0/24, and the guests on 192.168.1.0/24 must not be able to reach/talk
> with guests on 192.168.2.0/24 on the same host. Is this possible using a
> filter like yours?
>
>
Hi Thiago,
so by definition guests from different subnets cannot talk to each other
directly unless they are connected via a router. That means you don't
need any filter for that. If there is a router between the networks and it
is needed for some cases, then you could change the filter I have posted to
use an IP restriction instead of the MAC one, e.g. [2]. I have not tested it
myself, but it should work fine.
Hopefully this helps.
Regards,
Ales.
[2]
<filter name='clean-traffic-ip-gateway'>
  <!-- An example of a traffic filter enforcing clean traffic
       from a VM by
       - preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>
  <!-- preventing IP spoofing on outgoing -->
  <filterref filter='no-ip-spoofing'/>
  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>
  <!-- accept all other incoming and outgoing ARP traffic -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <!-- accept incoming traffic only from the specified IP address -->
  <rule action='accept' direction='in'>
    <ip match='yes' srcipaddr='$GATEWAY_IP' srcipmask='$GATEWAY_IP_MASK'/>
  </rule>
  <!-- allow outgoing traffic only to the specified IP address -->
  <rule action='accept' direction='out'>
    <ip match='yes' dstipaddr='$GATEWAY_IP' dstipmask='$GATEWAY_IP_MASK'/>
  </rule>
  <!-- preventing any other traffic than between the specified IPs
       and ARP -->
  <filterref filter='no-other-l2-traffic'/>
  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>
> Thank you.
>
> Thiago.
>
> On Thu, Jun 28, 2018 at 09:37, Ales Musil <amusil(a)redhat.com>
> wrote:
>
>> Hello,
>>
>> I would like to make a filter that allows communication only between
>> specified VMs. Those VMs should be specified by their MAC address. The
>> filter should extend clean-traffic, but I was not able to get it working
>> with that reference. I have come up with a modified clean-traffic which works
>> fine [1]. Is there a way to achieve the same behavior with a reference to
>> clean-traffic?
>>
>> Thank you.
>> Best wishes,
>> Ales Musil
>>
>> [1]
>> <filter name='clean-traffic-gateway'>
>>   <!-- An example of a traffic filter enforcing clean traffic
>>        from a VM by
>>        - preventing MAC spoofing -->
>>   <filterref filter='no-mac-spoofing'/>
>>
>>   <!-- preventing IP spoofing on outgoing -->
>>   <filterref filter='no-ip-spoofing'/>
>>   <!-- preventing ARP spoofing/poisoning -->
>>   <filterref filter='no-arp-spoofing'/>
>>   <!-- accept all other incoming and outgoing ARP traffic -->
>>   <rule action='accept' direction='inout' priority='-500'>
>>     <mac protocolid='arp'/>
>>   </rule>
>>   <!-- accept incoming traffic only from the specified MAC address -->
>>   <rule action='accept' direction='in'>
>>     <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
>>   </rule>
>>   <!-- allow outgoing traffic only to the specified MAC address -->
>>   <rule action='accept' direction='out'>
>>     <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
>>   </rule>
>>   <!-- preventing any other traffic than between the specified MACs
>>        and ARP -->
>>   <filterref filter='no-other-l2-traffic'/>
>>
>>   <!-- allow qemu to send a self-announce upon migration end -->
>>   <filterref filter='qemu-announce-self'/>
>> </filter>
>>
>>
>> --
>>
>> ALES MUSIL
>> INTERN - rhv network
>>
>> Red Hat EMEA <https://www.redhat.com/>
>>
>> amusil(a)redhat.com IM: amusil <https://red.ht/sig>
>> _______________________________________________
>> libvirt-users mailing list
>> libvirt-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/libvirt-users
>
>
--
ALES MUSIL
Associate Software Engineer - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil(a)redhat.com IM: amusil <https://red.ht/sig>
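The following is an added example, not code from this thread or from libvirt. It models the one thing that decides Thiago's question: nwfilter walks a filter's rules from lowest to highest priority, the first match wins, and the referenced 'no-other-l2-traffic' filter drops whatever remains at priority 1000. Against that model it runs constructed frames through both variants posted above (the MAC-restricted 'clean-traffic-gateway' and the IP-restricted 'clean-traffic-ip-gateway') and builds the domain <interface> fragment whose <filterref>/<parameter> children are how the $GATEWAY_* variables actually reach the filter. All MAC and IP addresses, the frame names and the bridge name are constructed for illustration; the spoofing sub-filters are left out because they only add drops.

```python
"""Model of how the two gateway filters in this thread decide a frame's fate
(added example; not libvirt's code). Rules are evaluated in ascending priority
order, first match wins, and 'no-other-l2-traffic' drops the rest at 1000."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import xml.etree.ElementTree as ET


@dataclass
class Frame:
    direction: str             # 'in' (towards the guest) or 'out' (from the guest)
    proto: str                 # 'arp' or 'ipv4'
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


@dataclass
class Rule:
    priority: int              # a rule without an explicit priority gets 500
    action: str                # 'accept' or 'drop'
    direction: str             # 'in', 'out' or 'inout'
    match: Callable[[Frame], bool]


def evaluate(rules: List[Rule], frame: Frame) -> str:
    """First matching rule, in ascending priority order, decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction in ('inout', frame.direction) and rule.match(frame):
            return rule.action
    return 'accept'            # nothing matched: the frame passes


# Constructed addresses: the gateway is the router running on the same KVM host.
GATEWAY_MAC, GATEWAY_IP = '52:54:00:00:00:01', '192.168.1.1'
GUEST_MAC, GUEST_IP = '52:54:00:00:00:10', '192.168.1.10'
SIBLING_MAC, SIBLING_IP = '52:54:00:00:00:20', '192.168.1.20'


def _common() -> List[Rule]:
    return [
        Rule(-500, 'accept', 'inout', lambda f: f.proto == 'arp'),  # ARP accept rule
        Rule(1000, 'drop', 'inout', lambda f: True),                # no-other-l2-traffic
    ]


def mac_gateway_filter() -> List[Rule]:
    """clean-traffic-gateway: only frames from/to $GATEWAY_MAC."""
    return _common() + [
        Rule(500, 'accept', 'in', lambda f: f.src_mac == GATEWAY_MAC),
        Rule(500, 'accept', 'out', lambda f: f.dst_mac == GATEWAY_MAC),
    ]


def ip_gateway_filter() -> List[Rule]:
    """clean-traffic-ip-gateway: only IPv4 packets from/to $GATEWAY_IP."""
    return _common() + [
        Rule(500, 'accept', 'in', lambda f: f.proto == 'ipv4' and f.src_ip == GATEWAY_IP),
        Rule(500, 'accept', 'out', lambda f: f.proto == 'ipv4' and f.dst_ip == GATEWAY_IP),
    ]


# Constructed traffic. A packet routed in from 192.168.2.0/24 carries the
# router's MAC but keeps its original source IP; that is what separates the filters.
SAMPLE_FRAMES: Dict[str, Frame] = {
    'arp_request': Frame('in', 'arp', SIBLING_MAC, 'ff:ff:ff:ff:ff:ff'),
    'from_gateway_itself': Frame('in', 'ipv4', GATEWAY_MAC, GUEST_MAC, GATEWAY_IP, GUEST_IP),
    'routed_from_other_subnet': Frame('in', 'ipv4', GATEWAY_MAC, GUEST_MAC, '192.168.2.5', GUEST_IP),
    'reply_to_other_subnet': Frame('out', 'ipv4', GUEST_MAC, GATEWAY_MAC, GUEST_IP, '192.168.2.5'),
    'direct_from_sibling': Frame('in', 'ipv4', SIBLING_MAC, GUEST_MAC, SIBLING_IP, GUEST_IP),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    return {name: evaluate(rules, frame) for name, frame in SAMPLE_FRAMES.items()}


def interface_xml(bridge: str, filter_name: str, params: Dict[str, str]) -> str:
    """Domain <interface> fragment: <filterref> with <parameter> children is how
    libvirt supplies $GATEWAY_IP-style variables to a filter."""
    iface = ET.Element('interface', type='bridge')
    ET.SubElement(iface, 'source', bridge=bridge)
    ref = ET.SubElement(iface, 'filterref', filter=filter_name)
    for name, value in params.items():
        ET.SubElement(ref, 'parameter', name=name, value=value)
    return ET.tostring(iface, encoding='unicode')


if __name__ == '__main__':
    for label, rules in (('MAC', mac_gateway_filter()), ('IP', ip_gateway_filter())):
        print(label, verdicts(rules))
    print(interface_xml('br0', 'clean-traffic-ip-gateway',
                        {'GATEWAY_IP': GATEWAY_IP, 'GATEWAY_IP_MASK': '32'}))
```

Running it shows why the MAC variant does not answer Thiago's question: a packet routed in from 192.168.2.5 arrives with the router's MAC, so the MAC filter accepts it, while the IP filter drops it because the source IP is not the gateway's. The same model also shows the cost of the IP variant: it drops anything routed in from any other source too, so it suits a guest that should only talk to the gateway host itself, not one that should reach other networks through it.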