With new filters borrowed from David Steven's submission: A set of new filters to handle multiple IP addresses and MAC addresses per interface. The alternative would be to replace some of the existing ones with these here.

Signed-off-by: David L Stevens <dlstevens@xxxxxxxxxx>
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
---
 examples/xml/nwfilter/Makefile.am | 6 +++++
 examples/xml/nwfilter/clean-traffic-new.xml | 29 ++++++++++++++++++++++++++
 examples/xml/nwfilter/no-arp-spoofing-new.xml | 4 +++
 examples/xml/nwfilter/no-arpip-spoofing.xml | 12 ++++++++++
 examples/xml/nwfilter/no-arpmac-spoofing.xml | 8 +++++++
 examples/xml/nwfilter/no-ip-spoofing-new.xml | 5 ++++
 examples/xml/nwfilter/no-mac-spoofing-new.xml | 10 ++++++++
 7 files changed, 74 insertions(+)

Index: libvirt-acl/examples/xml/nwfilter/Makefile.am
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/Makefile.am
+++ libvirt-acl/examples/xml/nwfilter/Makefile.am
@@ -8,11 +8,17 @@ FILTERS = \
  allow-incoming-ipv4.xml \
  allow-ipv4.xml \
  clean-traffic.xml \
+ clean-traffic-new.xml \
  no-arp-spoofing.xml \
+ no-arp-spoofing-new.xml \
+ no-arpip-spoofing.xml \
+ no-arpmac-spoofing.xml \
  no-ip-multicast.xml \
  no-ip-spoofing.xml \
+ no-ip-spoofing-new.xml \
  no-mac-broadcast.xml \
  no-mac-spoofing.xml \
+ no-mac-spoofing-new.xml \
  no-other-l2-traffic.xml \
  no-other-rarp-traffic.xml \
  qemu-announce-self.xml \
Index: libvirt-acl/examples/xml/nwfilter/no-arpip-spoofing.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -0,0 +1,12 @@
+<filter name='no-arpip-spoofing' chain='arpip' priority='-510'>
+ <!-- no arp spoofing -->
+ <!-- drop if ipaddr does not belong to guest -->
+ <rule action='return' direction='out' priority='400' >
+ <arp match='yes' arpsrcipaddr='$IP' />
+ </rule>
+ <rule action='return' direction='out' priority='410' >
+ <arp match='yes' arpsrcipaddr='0.0.0.0' />
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-arpmac-spoofing.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -0,0 +1,8 @@
+<filter name='no-arpmac-spoofing' chain='arpmac' priority='-510'>
+ <rule action='return' direction='out' priority='350' >
+ <arp match='yes' arpsrcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
+
Index: libvirt-acl/examples/xml/nwfilter/clean-traffic-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/clean-traffic-new.xml
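Review bot: The header comment `<!-- drop if ipaddr does not belong to guest -->` in no-arpip-spoofing.xml does not describe the rule set that follows it, because the second return rule (priority 410) also passes ARP whose sender IP is 0.0.0.0, so the chain drops everything except $IP and the all-zeros address. Presumably that exception exists so a guest that holds no address yet can probe or announce, and the comment should say so, e.g. `<!-- 0.0.0.0 is accepted as sender address so an unconfigured guest can probe before it holds $IP -->`, otherwise a later reader may remove it as an oversight or, conversely, not realise it is a deliberate widening of the check. Since the commit message says these filters target interfaces with several IP addresses, it is also worth a comment on the priority-400 rule that `$IP` is expected to expand to one return rule per address; the same applies to the `$MAC` rule in the no-arpmac-spoofing.xml hunk below.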
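Review bot: no-arpmac-spoofing.xml has no header comment stating what it enforces, unlike its sibling no-arpip-spoofing.xml in the hunk above, although the two are meant to be read together through no-arp-spoofing-new. Adding `<!-- no arp spoofing: drop ARP whose sender MAC is not the guest's MAC -->` before the priority-350 rule would make the pair consistent and make explicit that this half checks the ARP payload's sender hardware address, not the Ethernet source MAC (which the 'mac' chain filter covers). The hunk also adds a trailing empty line after `</filter>` that none of the other new filter files have.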
@@ -0,0 +1,29 @@
+<filter name='clean-traffic-new' chain='root'>
+ <!-- An example of a traffic filter enforcing clean traffic
+ from a VM by
+ - preventing MAC spoofing -->
+ <filterref filter='no-mac-spoofing-new'/>
+
+ <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+ <filterref filter='no-ip-spoofing-new'/>
+
+ <rule direction='out' action='accept' priority='-750'>
+ <mac protocolid='ipv4'/>
+ </rule>
+
+ <filterref filter='allow-incoming-ipv4'/>
+
+ <!-- preventing ARP spoofing/poisoning -->
+ <filterref filter='no-arp-spoofing-new'/>
+
+ <rule direction='out' action='accept' priority='-550'>
+ <mac protocolid='arp'/>
+ </rule>
+
+ <!-- preventing any other traffic than IPv4 and ARP -->
+ <filterref filter='no-other-l2-traffic'/>
+
+ <!-- allow qemu to send a self-announce upon migration end -->
+ <filterref filter='qemu-announce-self'/>
+
+</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-arp-spoofing-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-arp-spoofing-new.xml
@@ -0,0 +1,4 @@
+<filter name='no-arp-spoofing-new'>
+ <filterref filter='no-arpmac-spoofing'/>
+ <filterref filter='no-arpip-spoofing'/>
+</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-mac-spoofing-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-mac-spoofing-new.xml
@@ -0,0 +1,10 @@
+<filter name='no-mac-spoofing-new' chain='mac' priority='-800'>
+ <!-- return packets with VM's MAC address as source address -->
+ <rule direction='out' action='return'>
+ <mac srcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule direction='out' action='drop'>
+ <mac/>
+ </rule>
+</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing-new.xml
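Review bot: The two root-chain accept rules in clean-traffic-new.xml look ordered ahead of the spoofing checks they are meant to follow: `<rule direction='out' action='accept' priority='-750'>` for IPv4 sits below -710, the priority no-ip-spoofing-new gives its 'ipv4-ip' chain, and `<rule direction='out' action='accept' priority='-550'>` for ARP sits below -510, the priority of both the 'arpip' and 'arpmac' chains. If, as in libvirt's nwfilter model, lower priority values are evaluated first, outgoing IPv4 and ARP would be accepted in the root chain before ever being jumped into those chains, and the new spoofing filters would have no effect in this example. Giving each accept a value above the chains it depends on (for instance `priority='-650'` and `priority='-500'`) keeps the 'return' from the spoofing chains flowing into the accept as the comments intend; whichever ordering is correct, it should be stated in a comment beside each accept rule so the relationship to the chain priorities is not lost. The carried-over comment `- preventing MAC spoofing -->` still lists only the MAC check although IP and ARP spoofing are handled in the same filter.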
@@ -0,0 +1,5 @@
+<filter name='no-ip-spoofing-new' chain='ipv4-ip' priority='-710'>
+ <rule direction='out' action='return'>
+ <ip match='yes' srcipaddr='$IP'/>
+ </rule>
+</filter>
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
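Review bot: no-ip-spoofing-new.xml has no terminating drop rule: its only rule returns packets whose source is $IP, and any other source address simply falls off the end of the 'ipv4-ip' chain, so whether a spoofed source is actually blocked depends on what the root chain does next rather than on this filter. The other new filters in this series (no-mac-spoofing-new, no-arpip-spoofing, no-arpmac-spoofing) all end with an explicit `<!-- drop everything else -->` rule, and this one should too, e.g. `<rule direction='out' action='drop'>` / `<ip/>` / `</rule>` after the return rule, with the header comment from the existing no-ip-spoofing (drop if the source is not the guest's address) carried over. If guests are expected to obtain their address via DHCP, a return rule for `srcipaddr='0.0.0.0'` ahead of that drop would then be needed, in the same way no-arpip-spoofing permits a zero sender address for ARP.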