From nobody Wed May  1 05:08:11 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1531902818015147.43057271146574;
 Wed, 18 Jul 2018 01:33:38 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com
 [10.5.11.26])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 798C132B686;
	Wed, 18 Jul 2018 08:33:35 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 4B2B830012C2;
	Wed, 18 Jul 2018 08:33:34 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 959A81841C4A;
	Wed, 18 Jul 2018 08:33:31 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com
	[10.11.54.6])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id w6I8XUaa000386 for <libvir-list@listman.util.phx.redhat.com>;
	Wed, 18 Jul 2018 04:33:30 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 0DF5021568A1; Wed, 18 Jul 2018 08:33:30 +0000 (UTC)
Received: from amusil.remote.csb (unknown [10.34.130.113])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 7E77C2156899;
	Wed, 18 Jul 2018 08:33:29 +0000 (UTC)
From: Ales Musil <amusil@redhat.com>
To: libvir-list@redhat.com
Date: Wed, 18 Jul 2018 10:33:03 +0200
Message-Id: <1531902783-12164-1-git-send-email-amusil@redhat.com>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-loop: libvir-list@redhat.com
Cc: Ales Musil <amusil@redhat.com>
Subject: [libvirt] [PATCHv2] examples: Add clean-traffic-gateway into
	nwfilters
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.26
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]);
 Wed, 18 Jul 2018 08:33:36 +0000 (UTC)
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

The filter purpose is to simulate isolated private VLAN.

The behavior can be achieved by limiting network traffic
to traffic between VM and gateway. Because there is no
concept of the PVLAN in the linux bridge.

The filter also contains parts from clean-traffic
to prevent VM from spoofing its IP and MAC address.

To use this filter the user just needs to set
the GATEWAY_MAC variable to gateway MAC address.

Signed-off-by: Ales Musil <amusil@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
---
 examples/xml/nwfilter/clean-traffic-gateway.xml | 34 +++++++++++++++++++++=
++++
 1 file changed, 34 insertions(+)
 create mode 100644 examples/xml/nwfilter/clean-traffic-gateway.xml

diff --git a/examples/xml/nwfilter/clean-traffic-gateway.xml b/examples/xml=
/nwfilter/clean-traffic-gateway.xml
new file mode 100644
index 0000000..b8c2040
--- /dev/null
+++ b/examples/xml/nwfilter/clean-traffic-gateway.xml
@@ -0,0 +1,34 @@
+<filter name=3D'clean-traffic-gateway'>
+    <!-- An example of a traffic filter enforcing clean traffic
+            from a VM by
+              - preventing MAC spoofing -->
+    <filterref filter=3D'no-mac-spoofing'/>
+
+    <!-- preventing IP spoofing on outgoing -->
+    <filterref filter=3D'no-ip-spoofing'/>
+
+    <!-- preventing ARP spoofing/poisoning -->
+    <filterref filter=3D'no-arp-spoofing'/>
+
+    <!-- accept all other incoming and outgoing ARP traffic -->
+    <rule action=3D'accept' direction=3D'inout' priority=3D'-500'>
+        <mac protocolid=3D'arp'/>
+    </rule>
+
+    <!-- accept traffic only from specified MAC address -->
+    <rule action=3D'accept' direction=3D'in'>
+        <mac match=3D'yes' srcmacaddr=3D'$GATEWAY_MAC'/>
+    </rule>
+
+    <!-- allow traffic only to specified MAC address -->
+    <rule action=3D'accept' direction=3D'out'>
+        <mac match=3D'yes' dstmacaddr=3D'$GATEWAY_MAC'/>
+    </rule>
+
+    <!-- preventing any other traffic than between specified MACs
+    and ARP -->
+    <filterref filter=3D'no-other-l2-traffic'/>
+
+    <!-- allow qemu to send a self-announce upon migration end -->
+    <filterref filter=3D'qemu-announce-self'/>
+</filter>
--=20
1.8.3.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list