[libvirt] [PATCHv2] examples: Add clean-traffic-gateway into nwfilters

Ales Musil posted 1 patch 5 years, 9 months ago
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/1531902783-12164-1-git-send-email-amusil@redhat.com
Test syntax-check passed
examples/xml/nwfilter/clean-traffic-gateway.xml | 34 +++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 examples/xml/nwfilter/clean-traffic-gateway.xml
Posted by Ales Musil 5 years, 9 months ago
The filter's purpose is to simulate an isolated private VLAN.

The behavior can be achieved by limiting network traffic
to traffic between the VM and the gateway, because there is no
concept of a PVLAN in the Linux bridge.

The filter also contains parts from clean-traffic
to prevent the VM from spoofing its IP and MAC address.

To use this filter the user just needs to set
the GATEWAY_MAC variable to the gateway's MAC address.

Signed-off-by: Ales Musil <amusil@redhat.com>
---
 examples/xml/nwfilter/clean-traffic-gateway.xml | 34 +++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 examples/xml/nwfilter/clean-traffic-gateway.xml

diff --git a/examples/xml/nwfilter/clean-traffic-gateway.xml b/examples/xml/nwfilter/clean-traffic-gateway.xml
new file mode 100644
index 0000000..b8c2040
--- /dev/null
+++ b/examples/xml/nwfilter/clean-traffic-gateway.xml
@@ -0,0 +1,34 @@
+<filter name='clean-traffic-gateway'>
+    <!-- An example of a traffic filter enforcing clean traffic
+            from a VM by
+              - preventing MAC spoofing -->
+    <filterref filter='no-mac-spoofing'/>
+
+    <!-- preventing IP spoofing on outgoing -->
+    <filterref filter='no-ip-spoofing'/>
+
+    <!-- preventing ARP spoofing/poisoning -->
+    <filterref filter='no-arp-spoofing'/>
+
+    <!-- accept all other incoming and outgoing ARP traffic -->
+    <rule action='accept' direction='inout' priority='-500'>
+        <mac protocolid='arp'/>
+    </rule>
+
+    <!-- accept traffic only from specified MAC address -->
+    <rule action='accept' direction='in'>
+        <mac match='yes' srcmacaddr='$GATEWAY_MAC'/>
+    </rule>
+
+    <!-- allow traffic only to specified MAC address -->
+    <rule action='accept' direction='out'>
+        <mac match='yes' dstmacaddr='$GATEWAY_MAC'/>
+    </rule>
+
+    <!-- preventing any other traffic than between specified MACs
+    and ARP -->
+    <filterref filter='no-other-l2-traffic'/>
+
+    <!-- allow qemu to send a self-announce upon migration end -->
+    <filterref filter='qemu-announce-self'/>
+</filter>
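Review bot: the two accept rules in the middle of the hunk (direction='in' with srcmacaddr='$GATEWAY_MAC' and direction='out' with dstmacaddr='$GATEWAY_MAC') match on MAC address only, so every ethertype to or from the gateway is accepted, while the only source-address check referenced is no-ip-spoofing; if IPv6 is meant to traverse the gateway as well, it is admitted without a spoofing check, so either add the no-ipv6-spoofing example filter next to no-ip-spoofing or say in the header comment that only IPv4 and ARP are policed. Two smaller points: those accept rules carry no priority and rely on the default ordering to sort ahead of the no-other-l2-traffic drop that follows them, which is the whole mechanism of this filter and deserves an explicit priority or a comment; and the header comment on the first three lines is copied from clean-traffic and never mentions the gateway restriction or that GATEWAY_MAC has no default and must be supplied on the domain's <filterref>, e.g. <filterref filter='clean-traffic-gateway'><parameter name='GATEWAY_MAC' value='...'/></filterref>.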
-- 
1.8.3.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCHv2] examples: Add clean-traffic-gateway into nwfilters
Posted by Martin Kletzander 5 years, 9 months ago
On Wed, Jul 18, 2018 at 10:33:03AM +0200, Ales Musil wrote:
>The filter's purpose is to simulate an isolated private VLAN.
>
>The behavior can be achieved by limiting network traffic
>to traffic between the VM and the gateway, because there is no
>concept of a PVLAN in the Linux bridge.
>
>The filter also contains parts from clean-traffic
>to prevent the VM from spoofing its IP and MAC address.
>
>To use this filter the user just needs to set
>the GATEWAY_MAC variable to the gateway's MAC address.
>
>Signed-off-by: Ales Musil <amusil@redhat.com>
>---
> examples/xml/nwfilter/clean-traffic-gateway.xml | 34 +++++++++++++++++++++++++
> 1 file changed, 34 insertions(+)
> create mode 100644 examples/xml/nwfilter/clean-traffic-gateway.xml
>

Looks OK.

Reviewed-by: Martin Kletzander <mkletzan@redhat.com>

And pushed.