[libvirt-users] East-west traffic network filter

Hello,

I would like to make a filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have come up with a modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with a reference to clean-traffic?

Thank you.

Best wishes,
Ales Musil

[1]
<filter name='clean-traffic-gateway'>
  <!-- An example of a traffic filter enforcing clean traffic
       from a VM by
       - preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>

  <!-- preventing IP spoofing on outgoing -->
  <filterref filter='no-ip-spoofing'/>

  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>

  <!-- accept all other incoming and outgoing ARP traffic -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>

  <!-- accept traffic only from specified MAC address -->
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
  </rule>

  <!-- allow traffic only to specified MAC address -->
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
  </rule>

  <!-- preventing any other traffic than between specified MACs and ARP -->
  <filterref filter='no-other-l2-traffic'/>

  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>

--
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil@redhat.com IM: amusil <https://red.ht/sig>

On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote:
> Hello,
> I would like to make a filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have come up with a modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with a reference to clean-traffic?

Honestly I think the way you've done it is the right way. "clean-traffic" is best thought of as a simple demo. If it does what you need, great, but we'd expect people to create their own filters for anything more advanced. The clean-traffic rules were modularized so you can use <filterrefs> to avoid too much duplication. So what you've done looks fine to me.
_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Thu, Jun 28, 2018 at 2:40 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote:
> > Hello,
> > I would like to make a filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have come up with a modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with a reference to clean-traffic?
>
> Honestly I think the way you've done it is the right way. "clean-traffic" is best thought of as a simple demo. If it does what you need, great, but we'd expect people to create their own filters for anything more advanced. The clean-traffic rules were modularized so you can use <filterrefs> to avoid too much duplication. So what you've done looks fine to me.

Alright, thank you.
--
ALES MUSIL
Associate Software Engineer - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil@redhat.com IM: amusil <https://red.ht/sig>
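The clean-traffic-gateway filter in the thread only references $GATEWAY_MAC and $GATEWAY_MAC_MASK; the values are supplied where the filter is bound to a guest interface. The domain interface fragment below is an added example written for this page, not code from the thread or from libvirt itself. The bridge name br0, both MAC addresses and the mask are constructed values.

```xml
<!-- Added example: binding clean-traffic-gateway to one guest NIC.
     br0, the MAC addresses and the mask are constructed values. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <!-- the guest's own MAC; no-mac-spoofing pins outgoing frames to it -->
  <mac address='52:54:00:aa:bb:01'/>
  <filterref filter='clean-traffic-gateway'>
    <!-- the peer this guest may exchange non-ARP frames with -->
    <parameter name='GATEWAY_MAC' value='52:54:00:aa:bb:ff'/>
    <!-- all-ones mask: exact match on the full 48-bit address;
         a shorter mask (e.g. ff:ff:ff:00:00:00) would widen the
         allow-list to every MAC sharing that prefix -->
    <parameter name='GATEWAY_MAC_MASK' value='ff:ff:ff:ff:ff:ff'/>
  </filterref>
</interface>
```

Load the filter with `virsh nwfilter-define clean-traffic-gateway.xml` and confirm it with `virsh nwfilter-dumpxml clean-traffic-gateway` before starting the guest. If a referenced parameter is left out, libvirt refuses to instantiate the filter rather than bringing the interface up unfiltered. Once the guest is running, the rules are installed as ebtables chains named after the guest's tap device, so `ebtables -t nat -L` on the host is the place to verify that only ARP and frames to or from the configured MAC are accepted.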

Hi Ales,

I would like to prevent guests from different subnets from starting a communication. In other words, I have the subnets 192.168.1.0/24 and 192.168.2.0/24, and the guests from 192.168.1.0/24 cannot reach/talk with guests on 192.168.2.0/24 on the same host. Is this possible using a filter like yours?

Thank you.

Thiago.

On Thu, Jun 28, 2018 at 09:37, Ales Musil <amusil@redhat.com> wrote:
> Hello,
> I would like to make a filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have come up with a modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with a reference to clean-traffic?
> Thank you. Best wishes, Ales Musil

On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago@gmail.com> wrote:
> Hi Ales,
> I would like to prevent guests from different subnets from starting a communication. In other words, I have the subnets 192.168.1.0/24 and 192.168.2.0/24, and the guests from 192.168.1.0/24 cannot reach/talk with guests on 192.168.2.0/24 on the same host. Is this possible using a filter like yours?

Hi Thiago,

so by definition guests from different subnets cannot talk to each other directly unless they are connected via some router. That means you don't need any filter for that. If there is a router between the networks and it is needed in some cases, then you could change the filter I have posted to use an IP restriction instead of a MAC one, e.g. [2]. I have not tested it myself but it should work fine.

Hopefully this helps.

Regards,
Ales.

[1]
<filter name='clean-traffic-ip-gateway'>
  <!-- An example of a traffic filter enforcing clean traffic
       from a VM by
       - preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>

  <!-- preventing IP spoofing on outgoing -->
  <filterref filter='no-ip-spoofing'/>

  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>

  <!-- accept all other incoming and outgoing ARP traffic -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>

  <!-- accept traffic only from specified MAC address -->
  <rule action='drop' direction='in'>
    <ip match='yes' srcipaddr='$GATEWAY_IP' srcipmask='$GATEWAY_IP_MASK'/>
  </rule>

  <!-- allow traffic only to specified MAC address -->
  <rule action='drop' direction='out'>
    <ip match='yes' dstipaddr='$GATEWAY_IP' dstipmask='$GATEWAY_IP_MASK'/>
  </rule>

  <!-- preventing any other traffic than between specified MACs and ARP -->
  <filterref filter='no-other-l2-traffic'/>

  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
Associate Software Engineer - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil@redhat.com IM: amusil <https://red.ht/sig>

Hi Ales,

In fact the router is running on the same KVM host. The default gateway for both subnets is added automatically when the subnet is created. I will try your suggestion and I would like to invite you to try too :)

Thank you very much!

Thiago

On Mon, Jul 2, 2018 at 06:05, Ales Musil <amusil@redhat.com> wrote:
> Hi Thiago,
> so by definition guests from different subnets cannot talk to each other directly unless they are connected via some router. That means you don't need any filter for that. If there is a router between the networks and it is needed in some cases, then you could change the filter I have posted to use an IP restriction instead of a MAC one, e.g. [2]. I have not tested it myself but it should work fine.
> Hopefully this helps.
> Regards, Ales.
Participants (3): Ales Musil, Daniel P. Berrangé, Thiago Oliveira