Re: [libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Feb 22, 2010 at 01:45:20PM +0100, Gerhard Stenzel wrote:
> 
> Hi, here is a preview of a chapter which is eventually intended for the
> libvirt application development guide. It is not final yet, but I feel
> now would be a good moment to gather some first feedback and to
> "finalise" the XML schema which is used in the examples.

Thanks, this  is a good idea !

> 
> ------------------------------------------------------------------------
> 
> 1. Network Filter
> 
>       1.1. Overview
> 
>       1.2. XML Filter Description Format
> 
>             1.2.1. Complex Filter
> 
>             1.2.2. Simple Filters
> 
>       1.3. Retrieving Information About Filter
> 
>             1.3.1. TBD
> 
> 
> Chapter 1. Network Filter
> ---------------------------
> 
> 1.1. Overview
> 
> 1.2. XML Filter Description Format
> 
>       1.2.1. Complex Filter
> 
>       1.2.2. Simple Filters
> 
> 1.3. Retrieving Information About Filter
> 
>       1.3.1. TBD
> 
> This section covers the management and definition of network filters
> using the libvirt API.
> 
> 
> 
> 
> 1.2.2. Simple Filters
> 
> The following examples of simple filters are predefined and address
> distint filter requirements. The predefined no-arp-spoofing filter drops
> all ARP packets
> 
>   *  originating from the guest if they contain other than the guests IP
>     or MAC address
> 
>   *  destined for the guest if they contain other than the guests IP or
>     MAC address
> 
> It accepts all request or reply ARP packets.
> 
>           <filter name='no-arp-spoofing' chain='arp'>

Perhaps we should call that 'chain' attribute 'protocol' instead since
that appears to be what you're representing there. I'm wondering how
this should interact with the <filterref> element. eg, you might have
chain='ipv4' on the main filter, and then a <filterref> pointing to
a chain='arp'.  One way would be to declare that a <filter> can contain
either <rule> or <filterref>, but not a mixture of both.

>    <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
>    
>    <!-- no arp spoofing -->
>    <!-- drop if ipaddr or macaddr does not belong to guest -->
>    <rule action='drop' direction='out'>
>        <arp match='no' srcmacaddr='$MAC'/>
>    </rule>
>    <rule action='drop' direction='out'>
>        <arp match='no' srcipaddr='$IP' />
>    </rule>
>    <!-- drop if ipaddr or macaddr odes not belong to guest -->
>    <rule action='drop' direction='in'>
>        <arp match='no' dstmacaddr='$MAC'/>
>    </rule>
>    <rule action='drop' direction='in'>
>        <arp match='no' dstipaddr='$IP' />
>    </rule>
>    <!-- accept only request or reply packets -->
>    <rule action='accept' direction='inout'>
>        <arp opcode='request'/>
>    </rule>
>    <rule action='accept' direction='inout'>
>        <arp opcode='reply'/>
>    </rule>
>    <!-- drop everything else -->
>    <rule action='drop' direction='inout'/>
> </filter>


Generally, your proposal looks good to me.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]