4:18 p.m.
Hello,
I would like to make filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic but I was not able to get it working
with that reference. I have came up with modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with reference to
clean-traffic?
Thank you.
Best wishes,
Ales Musil
[1]
<filter name='clean-traffic-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='accept' direction='in'>
<mac match='yes' srcmacaddr='$GATEWAY_MAC'
srcmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='accept' direction='out'>
<mac match='yes' dstmacaddr='$GATEWAY_MAC'
dstmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
8:40 p.m.
On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote:
Hello,
I would like to make filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic but I was not able to get it working
with that reference. I have came up with modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with reference to
clean-traffic?
Honestly I think the way you've done it is the right way. "clean-traffic"
is best thought of as a simple demo. If it does what you need, great, but
we'd expect people to create their own filters for anything more advanced.
The clean-traffic rules were modularized so you can use <filterrefs> to
avoid too much duplication. So what you've done looks fine to me.
[1]
<filter name='clean-traffic-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='accept' direction='in'>
<mac match='yes' srcmacaddr='$GATEWAY_MAC'
srcmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='accept' direction='out'>
<mac match='yes' dstmacaddr='$GATEWAY_MAC'
dstmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
_______________________________________________
libvirt-users mailing list
libvirt-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
4:55 p.m.
On Thu, Jun 28, 2018 at 2:40 PM Daniel P. Berrangé <berrange(a)redhat.com>
wrote:
On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote:
> Hello,
>
> I would like to make filter that allows communication only between
> specified VMs. Those VMs should be specified by their MAC address. The
> filter should extend clean-traffic but I was not able to get it working
> with that reference. I have came up with modified clean-traffic which
works
> fine [1]. Is there a way to achieve the same behavior with reference to
> clean-traffic?
Honestly I think the way you've done it is the right way. "clean-traffic"
is best thought of as a simple demo. If it does what you need, great, but
we'd expect people to create their own filters for anything more advanced.
The clean-traffic rules were modularized so you can use <filterrefs> to
avoid too much duplication. So what you've done looks fine to me.
Alright, thank you.
[1]
> <filter name='clean-traffic-gateway'>
> <!-- An example of a traffic filter enforcing clean traffic
> from a VM by
> - preventing MAC spoofing -->
> <filterref filter='no-mac-spoofing'/>
>
> <!-- preventing IP spoofing on outgoing -->
> <filterref filter='no-ip-spoofing'/>
> <!-- preventing ARP spoofing/poisoning -->
> <filterref filter='no-arp-spoofing'/>
> <!-- accept all other incoming and outgoing ARP traffic -->
> <rule action='accept' direction='inout'
priority='-500'>
> <mac protocolid='arp'/>
> </rule>
> <!-- accept traffic only from specified MAC address -->
> <rule action='accept' direction='in'>
> <mac match='yes' srcmacaddr='$GATEWAY_MAC'
> srcmacmask='$GATEWAY_MAC_MASK' />
> </rule>
> <!-- allow traffic only to specified MAC address -->
> <rule action='accept' direction='out'>
> <mac match='yes' dstmacaddr='$GATEWAY_MAC'
> dstmacmask='$GATEWAY_MAC_MASK' />
> </rule>
> <!-- preventing any other traffic than between specified MACs
> and ARP -->
> <filterref filter='no-other-l2-traffic'/>
>
> <!-- allow qemu to send a self-announce upon migration end -->
> <filterref filter='qemu-announce-self'/>
> </filter>
>
>
> --
>
> ALES MUSIL
> INTERN - rhv network
>
> Red Hat EMEA <https://www.redhat.com/>
>
>
> amusil(a)redhat.com IM: amusil
> <https://red.ht/sig>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
Regards,
Daniel
--
|: https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-
https://fstop138.berrange.com :|
|: https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|
--
ALES MUSIL
Associate Software Engineer - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
9:39 a.m.
Hi Ales,
I would like to prevent the guests from different subnets start a
communication. In other words I have the subnet 192.168.1.0/24 and
192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with
guests on 192.168.2.0/24 at the same host. Is this possible using a filter
like yours?
Thank you.
Thiago.
Em qui, 28 de jun de 2018 às 09:37, Ales Musil <amusil(a)redhat.com> escreveu:
Hello,
I would like to make filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic but I was not able to get it working
with that reference. I have came up with modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with reference to
clean-traffic?
Thank you.
Best wishes,
Ales Musil
[1]
<filter name='clean-traffic-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='accept' direction='in'>
<mac match='yes' srcmacaddr='$GATEWAY_MAC'
srcmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='accept' direction='out'>
<mac match='yes' dstmacaddr='$GATEWAY_MAC'
dstmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
_______________________________________________
libvirt-users mailing list
libvirt-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
5:05 p.m.
On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago(a)gmail.com>
wrote:
Hi Ales,
I would like to prevent the guests from different subnets start a
communication. In other words I have the subnet 192.168.1.0/24 and
192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with
guests on 192.168.2.0/24 at the same host. Is this possible using a
filter like yours?
Hi Thiago,
so by definition guest from different subnets cannot talk to each other
directly unless they are connected via some router. That means you don't
need any filter for that. If there is a router between the networks and it
is needed for some cases then you could change the filter I have posted to
use IP restriction instead of MAC one e.g [2]. Have not tested it myself
but it should work fine.
Hopefully this helps.
Regards,
Ales.
[1]
<filter name='clean-traffic-ip-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='drop' direction='in'>
<ip match='yes' srcipaddr='$GATEWAY_IP'
srcipmask='$GATEWAY_IP_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='drop' direction='out'>
<ip match='yes' dstipaddr='$GATEWAY_IP'
dstipmask='$GATEWAY_IP_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
Thank you.
Thiago.
Em qui, 28 de jun de 2018 às 09:37, Ales Musil <amusil(a)redhat.com>
escreveu:
> Hello,
>
> I would like to make filter that allows communication only between
> specified VMs. Those VMs should be specified by their MAC address. The
> filter should extend clean-traffic but I was not able to get it working
> with that reference. I have came up with modified clean-traffic which works
> fine [1]. Is there a way to achieve the same behavior with reference to
> clean-traffic?
>
> Thank you.
> Best wishes,
> Ales Musil
>
> [1]
> <filter name='clean-traffic-gateway'>
> <!-- An example of a traffic filter enforcing clean traffic
> from a VM by
> - preventing MAC spoofing -->
> <filterref filter='no-mac-spoofing'/>
>
> <!-- preventing IP spoofing on outgoing -->
> <filterref filter='no-ip-spoofing'/>
> <!-- preventing ARP spoofing/poisoning -->
> <filterref filter='no-arp-spoofing'/>
> <!-- accept all other incoming and outgoing ARP traffic -->
> <rule action='accept' direction='inout'
priority='-500'>
> <mac protocolid='arp'/>
> </rule>
> <!-- accept traffic only from specified MAC address -->
> <rule action='accept' direction='in'>
> <mac match='yes' srcmacaddr='$GATEWAY_MAC'
> srcmacmask='$GATEWAY_MAC_MASK' />
> </rule>
> <!-- allow traffic only to specified MAC address -->
> <rule action='accept' direction='out'>
> <mac match='yes' dstmacaddr='$GATEWAY_MAC'
> dstmacmask='$GATEWAY_MAC_MASK' />
> </rule>
> <!-- preventing any other traffic than between specified MACs
> and ARP -->
> <filterref filter='no-other-l2-traffic'/>
>
> <!-- allow qemu to send a self-announce upon migration end -->
> <filterref filter='qemu-announce-self'/>
> </filter>
>
>
> --
>
> ALES MUSIL
> INTERN - rhv network
>
> Red Hat EMEA <https://www.redhat.com/>
>
>
> amusil(a)redhat.com IM: amusil
> <https://red.ht/sig>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
--
ALES MUSIL
Associate Software Engineer - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
10:10 a.m.
Hi Ales,
In fact the router is running at the same KVM host. Automatically the
default gateway for both subnets are added when the subnet is created. I
will try your sugestion and I would like to invite you to try too :)
Thank you very much!
Thiago
Em seg, 2 de jul de 2018 06:05, Ales Musil <amusil(a)redhat.com> escreveu:
On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago(a)gmail.com>
wrote:
> Hi Ales,
>
> I would like to prevent the guests from different subnets start a
> communication. In other words I have the subnet 192.168.1.0/24 and
> 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with
> guests on 192.168.2.0/24 at the same host. Is this possible using a
> filter like yours?
>
>
Hi Thiago,
so by definition guest from different subnets cannot talk to each other
directly unless they are connected via some router. That means you don't
need any filter for that. If there is a router between the networks and it
is needed for some cases then you could change the filter I have posted to
use IP restriction instead of MAC one e.g [2]. Have not tested it myself
but it should work fine.
Hopefully this helps.
Regards,
Ales.
[1]
<filter name='clean-traffic-ip-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout'
priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='drop' direction='in'>
<ip match='yes' srcipaddr='$GATEWAY_IP'
srcipmask='$GATEWAY_IP_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='drop' direction='out'>
<ip match='yes' dstipaddr='$GATEWAY_IP'
dstipmask='$GATEWAY_IP_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
> Thank you.
>
> Thiago.
>
> Em qui, 28 de jun de 2018 às 09:37, Ales Musil <amusil(a)redhat.com>
> escreveu:
>
>> Hello,
>>
>> I would like to make filter that allows communication only between
>> specified VMs. Those VMs should be specified by their MAC address. The
>> filter should extend clean-traffic but I was not able to get it working
>> with that reference. I have came up with modified clean-traffic which works
>> fine [1]. Is there a way to achieve the same behavior with reference to
>> clean-traffic?
>>
>> Thank you.
>> Best wishes,
>> Ales Musil
>>
>> [1]
>> <filter name='clean-traffic-gateway'>
>> <!-- An example of a traffic filter enforcing clean traffic
>> from a VM by
>> - preventing MAC spoofing -->
>> <filterref filter='no-mac-spoofing'/>
>>
>> <!-- preventing IP spoofing on outgoing -->
>> <filterref filter='no-ip-spoofing'/>
>> <!-- preventing ARP spoofing/poisoning -->
>> <filterref filter='no-arp-spoofing'/>
>> <!-- accept all other incoming and outgoing ARP traffic -->
>> <rule action='accept' direction='inout'
priority='-500'>
>> <mac protocolid='arp'/>
>> </rule>
>> <!-- accept traffic only from specified MAC address -->
>> <rule action='accept' direction='in'>
>> <mac match='yes' srcmacaddr='$GATEWAY_MAC'
>> srcmacmask='$GATEWAY_MAC_MASK' />
>> </rule>
>> <!-- allow traffic only to specified MAC address -->
>> <rule action='accept' direction='out'>
>> <mac match='yes' dstmacaddr='$GATEWAY_MAC'
>> dstmacmask='$GATEWAY_MAC_MASK' />
>> </rule>
>> <!-- preventing any other traffic than between specified MACs
>> and ARP -->
>> <filterref filter='no-other-l2-traffic'/>
>>
>> <!-- allow qemu to send a self-announce upon migration end -->
>> <filterref filter='qemu-announce-self'/>
>> </filter>
>>
>>
>> --
>>
>> ALES MUSIL
>> INTERN - rhv network
>>
>> Red Hat EMEA <https://www.redhat.com/>
>>
>>
>> amusil(a)redhat.com IM: amusil
>> <https://red.ht/sig>
>> _______________________________________________
>> libvirt-users mailing list
>> libvirt-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/libvirt-users
>
>
--
ALES MUSIL
Associate Software Engineer - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
2258
days inactive
2263
days old
5 comments
3 participants
participants (3)
-
Ales Musil -
Daniel P. Berrangé -
Thiago Oliveira