Hi Ales,

I would like to prevent guests on different subnets from starting a communication. In other words, I have the subnets 192.168.1.0/24 and 192.168.2.0/24, and the guests from 192.168.1.0/24 cannot reach/talk with guests on 192.168.2.0/24 on the same host. Is this possible using a filter like yours?

Thank you.
Thiago.

On Thu, 28 Jun 2018 at 09:37, Ales Musil <amu...@redhat.com> wrote:

> Hello,
>
> I would like to make a filter that allows communication only between
> specified VMs. Those VMs should be specified by their MAC address. The
> filter should extend clean-traffic but I was not able to get it working
> with that reference. I have come up with a modified clean-traffic which works
> fine [1]. Is there a way to achieve the same behavior with reference to
> clean-traffic?
>
> Thank you.
> Best wishes,
> Ales Musil
>
> [1]
> <filter name='clean-traffic-gateway'>
>   <!-- An example of a traffic filter enforcing clean traffic
>        from a VM by
>        - preventing MAC spoofing -->
>   <filterref filter='no-mac-spoofing'/>
>
>   <!-- preventing IP spoofing on outgoing -->
>   <filterref filter='no-ip-spoofing'/>
>   <!-- preventing ARP spoofing/poisoning -->
>   <filterref filter='no-arp-spoofing'/>
>   <!-- accept all other incoming and outgoing ARP traffic -->
>   <rule action='accept' direction='inout' priority='-500'>
>     <mac protocolid='arp'/>
>   </rule>
>   <!-- accept traffic only from specified MAC address -->
>   <rule action='accept' direction='in'>
>     <mac match='yes' srcmacaddr='$GATEWAY_MAC'
>          srcmacmask='$GATEWAY_MAC_MASK' />
>   </rule>
>   <!-- allow traffic only to specified MAC address -->
>   <rule action='accept' direction='out'>
>     <mac match='yes' dstmacaddr='$GATEWAY_MAC'
>          dstmacmask='$GATEWAY_MAC_MASK' />
>   </rule>
>   <!-- preventing any other traffic than between specified MACs
>        and ARP -->
>   <filterref filter='no-other-l2-traffic'/>
>
>   <!-- allow qemu to send a self-announce upon migration end -->
>   <filterref filter='qemu-announce-self'/>
> </filter>
>
>
> --
>
> ALES MUSIL
> INTERN - rhv network
>
> Red Hat EMEA <https://www.redhat.com/>
>
> amu...@redhat.com IM: amusil
> <https://red.ht/sig>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users@redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users