Re: East-west traffic network filter

Hi Ales,

I would like to prevent guests on different subnets from starting a communication. In other words, I have the subnets 192.168.1.0/24 and 192.168.2.0/24, and the guests on 192.168.1.0/24 cannot reach or talk with guests on 192.168.2.0/24 on the same host. Is this possible using a filter like yours?

Thank you.

Thiago.

On Thu, 28 Jun 2018 at 09:37, Ales Musil <amusil@xxxxxxxxxx> wrote:
Hello,

I would like to make a filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic, but I was not able to get it working with that reference. I have come up with a modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with a reference to clean-traffic?

Thank you. 
Best wishes,
Ales Musil
 
[1]
<filter name='clean-traffic-gateway'>
  <!-- The action attributes below were blank in the archived copy of this
       mail; 'accept' is restored from each rule's own comment. -->

  <!-- A traffic filter enforcing clean traffic from a VM by
       preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>

  <!-- preventing IP spoofing on outgoing traffic -->
  <filterref filter='no-ip-spoofing'/>

  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>

  <!-- accept all other incoming and outgoing ARP traffic -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>

  <!-- accept traffic only from the specified MAC address -->
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
  </rule>

  <!-- allow traffic only to the specified MAC address -->
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
  </rule>

  <!-- prevent any traffic other than ARP and traffic between the
       specified MACs -->
  <filterref filter='no-other-l2-traffic'/>

  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>


--

ALES MUSIL

INTERN - rhv network

Red Hat EMEA


amusil@xxxxxxxxxx   IM: amusil

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
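Added example for Thiago's question, not part of the original thread, not Ales's filter and not one of libvirt's shipped filters: an nwfilter that keeps clean-traffic's spoofing protections by reference (the same filterref pattern Ales is asking about) and adds ebtables-level `<ip>` drop rules so that guests in 192.168.1.0/24 and 192.168.2.0/24 cannot talk to each other. The two subnets are the ones from the question; the filter name and the rule priority of 100 are my choices. Because the rules match on source and destination IP, they are only meaningful together with no-ip-spoofing (which clean-traffic pulls in), otherwise a guest could change its own address and walk around the match; no-ip-spoofing in turn needs the guest IP, either from the $IP variable or from libvirt's IP address learning.

```xml
<!-- Added example, not from the original mail or from libvirt.
     Filter name and rule priorities are assumptions; the subnets are
     the ones named in Thiago's question. -->
<filter name='no-cross-subnet' chain='ipv4'>
  <!-- Keep the L2 protections (MAC/IP/ARP anti-spoofing, DHCP, self-announce).
       Without no-ip-spoofing a guest could pick an address outside its subnet
       and escape the source-address matches below. -->
  <filterref filter='clean-traffic'/>

  <!-- Guest-originated traffic towards the other subnet. Priority 100 places
       these rules ahead of the default-priority (500) rules that clean-traffic
       contributes to the ipv4 chain, so the drop is evaluated first. -->
  <rule action='drop' direction='out' priority='100'>
    <ip srcipaddr='192.168.1.0' srcipmask='255.255.255.0'
        dstipaddr='192.168.2.0' dstipmask='255.255.255.0'/>
  </rule>
  <rule action='drop' direction='out' priority='100'>
    <ip srcipaddr='192.168.2.0' srcipmask='255.255.255.0'
        dstipaddr='192.168.1.0' dstipmask='255.255.255.0'/>
  </rule>

  <!-- Mirror rules on the receiving side, so a guest stays isolated even if
       the peer's interface carries no filter. direction='inout' would reuse
       the same src/dst match for both directions, so 'in' rules are spelled
       out with src and dst swapped. -->
  <rule action='drop' direction='in' priority='100'>
    <ip srcipaddr='192.168.2.0' srcipmask='255.255.255.0'
        dstipaddr='192.168.1.0' dstipmask='255.255.255.0'/>
  </rule>
  <rule action='drop' direction='in' priority='100'>
    <ip srcipaddr='192.168.1.0' srcipmask='255.255.255.0'
        dstipaddr='192.168.2.0' dstipmask='255.255.255.0'/>
  </rule>
</filter>
```

Load it with `virsh nwfilter-define no-cross-subnet.xml` and reference it from each guest's interface as `<filterref filter='no-cross-subnet'/>` in place of `clean-traffic`. Since the filter sits on each guest's tap device, it applies whether the two subnets share one bridge or the host routes between them. To check, `ebtables -t nat -L` on the host should show the drop rules in the per-interface chains, and a ping from a 192.168.1.x guest to a 192.168.2.x guest should get no replies while a ping to another 192.168.1.x guest still works.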
