On Wed, Aug 19, 2009 at 02:11:14PM +0200, Gerhard Stenzel wrote:
> Hello,
> I am currently investigating the possibility to implement MAC address
> based filtering in libvirt and was wondering if there is any related
> effort going on and what people in general would think about that.

Great, we certainly need this feature.

> and the network to which I added a new XML element "filter" with
> attribute "mac", which switches on the MAC address filtering:
>
> root@stenzel-desktop:/etc/libvirt/qemu# cat networks/mynet.xml
> <network>
> <name>mynet</name>
> <uuid>920debe0-c3ef-4395-8241-ee82d4b49c2d</uuid>
> <bridge name="br%d" stp="off"/>
> <filter mac="on"/>
> </network>
>
> the "filter" element is evaluated at startup of libvirtd and a generic
> ebtables rule is generated (all frames are dropped):

I think this extra XML element is probably redundant - we should always
do MAC filtering at all times, on all bridges. Not simply those used in
a virtual network, but also those connected to a real physical device
too. I could see having a QEMU driver level configuration option in
/etc/libvirt/qemu.conf though, to turn filtering on/off for the host
as a whole.

> The current prototype implementation is based on the existing iptables
> wrapper in libvirt. I basically cloned the iptables wrapper to an
> ebtables wrapper and did some ebtables specific adjustments. There are
> currently four occasions when the ebtables wrapper is called:
> - when creating the network

What do you do to ebtables at this point?

> - when adding a guest to the network
> - when removing a guest from the network

Isn't it sufficient to only use ebtables in these two places?

> - when destroying the network (currently not implemented)
> These calls can be augmented to also do for example tagged vlan and
> protocol filtering.

We probably also want to be able to do IP address filtering too.
ie, if the guest XML has an <ip address> element inside the <interface>
then we should add rules to ensure only IP traffic matching that
source/target address is allowed to pass out/in

Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
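The per-guest MAC and IP anti-spoofing rules discussed in this thread, as an added illustration that is not libvirt's code or the prototype under review: it assumes the guest's `<interface>` carries `<mac address>`, `<target dev>` (the host-side tap device) and optional `<ip address>` elements, and emits ebtables FORWARD rules for that tap device (the sample XML is constructed).

```python
import xml.etree.ElementTree as ET

# Constructed sample of one guest <interface> from libvirt domain XML.
SAMPLE_INTERFACE = """
<interface type='network'>
  <mac address='52:54:00:12:34:56'/>
  <source network='mynet'/>
  <target dev='vnet0'/>
  <ip address='192.168.122.10'/>
</interface>
"""


def parse_interface(xml_text):
    """Return the guest MAC, host-side tap device and declared IPv4 addresses."""
    root = ET.fromstring(xml_text)
    mac = root.find("mac")
    dev = root.find("target")
    if mac is None or dev is None:
        raise ValueError("interface needs <mac address> and <target dev>")
    ips = [ip.get("address") for ip in root.findall("ip") if ip.get("address")]
    return {"mac": mac.get("address").lower(), "dev": dev.get("dev"), "ips": ips}


def ebtables_rules(iface):
    """Build ebtables FORWARD rules (argv lists) restricting frames that enter
    the bridge from the guest's tap device (-i DEV) to the guest's own MAC,
    and IPv4/ARP traffic to its declared source addresses. Only IPv4 and ARP
    are constrained; other protocols from the correct MAC still pass."""
    dev, mac, ips = iface["dev"], iface["mac"], iface["ips"]
    base = ["ebtables", "-A", "FORWARD", "-i", dev]
    # Layer-2 anti-spoofing: any frame not from the assigned MAC is dropped.
    rules = [base + ["!", "-s", mac, "-j", "DROP"]]
    if ips:
        # Accept IPv4 from each declared address, then drop remaining IPv4.
        for ip in ips:
            rules.append(base + ["-p", "IPv4", "--ip-src", ip, "-j", "ACCEPT"])
        rules.append(base + ["-p", "IPv4", "-j", "DROP"])
        # Same for ARP, so the guest cannot claim another sender IP.
        for ip in ips:
            rules.append(base + ["-p", "ARP", "--arp-ip-src", ip, "-j", "ACCEPT"])
        rules.append(base + ["-p", "ARP", "-j", "DROP"])
    return rules


def render(rules):
    """Render the rules as shell command lines."""
    return "\n".join(" ".join(r) for r in rules)


if __name__ == "__main__":
    print(render(ebtables_rules(parse_interface(SAMPLE_INTERFACE))))
```

These rules belong to the "guest added to the network" step and are removed again (with `-D` in place of `-A`) when the guest leaves.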