On Thu, Jun 28, 2018 at 2:40 PM Daniel P. Berrangé <berra...@redhat.com> wrote:

> On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote:
> > Hello,
> >
> > I would like to make a filter that allows communication only between
> > specified VMs. Those VMs should be specified by their MAC address. The
> > filter should extend clean-traffic, but I was not able to get it working
> > with that reference. I have come up with a modified clean-traffic which
> > works fine [1]. Is there a way to achieve the same behavior with a
> > reference to clean-traffic?
>
> Honestly I think the way you've done it is the right way. "clean-traffic"
> is best thought of as a simple demo. If it does what you need, great, but
> we'd expect people to create their own filters for anything more advanced.
> The clean-traffic rules were modularized so you can use <filterrefs> to
> avoid too much duplication. So what you've done looks fine to me.

Alright, thank you.

> > [1]
> >
> > <filter name='clean-traffic-gateway'>
> >   <!-- An example of a traffic filter enforcing clean traffic
> >        from a VM by
> >        - preventing MAC spoofing -->
> >   <filterref filter='no-mac-spoofing'/>
> >
> >   <!-- preventing IP spoofing on outgoing -->
> >   <filterref filter='no-ip-spoofing'/>
> >
> >   <!-- preventing ARP spoofing/poisoning -->
> >   <filterref filter='no-arp-spoofing'/>
> >
> >   <!-- accept all other incoming and outgoing ARP traffic -->
> >   <rule action='accept' direction='inout' priority='-500'>
> >     <mac protocolid='arp'/>
> >   </rule>
> >
> >   <!-- accept traffic only from the specified MAC address -->
> >   <rule action='accept' direction='in'>
> >     <mac match='yes' srcmacaddr='$GATEWAY_MAC'
> >          srcmacmask='$GATEWAY_MAC_MASK'/>
> >   </rule>
> >
> >   <!-- allow traffic only to the specified MAC address -->
> >   <rule action='accept' direction='out'>
> >     <mac match='yes' dstmacaddr='$GATEWAY_MAC'
> >          dstmacmask='$GATEWAY_MAC_MASK'/>
> >   </rule>
> >
> >   <!-- preventing any other traffic than between the specified MACs
> >        and ARP -->
> >   <filterref filter='no-other-l2-traffic'/>
> >
> >   <!-- allow qemu to send a self-announce upon migration end -->
> >   <filterref filter='qemu-announce-self'/>
> > </filter>
> >
> >
> > --
> >
> > ALES MUSIL
> > INTERN - rhv network
> >
> > Red Hat EMEA <https://www.redhat.com/>
> >
> > amu...@redhat.com IM: amusil
> > <https://red.ht/sig>
> > _______________________________________________
> > libvirt-users mailing list
> > libvirt-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/libvirt-users
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

--
ALES MUSIL
Associate Software Engineer - rhv network
Red Hat EMEA <https://www.redhat.com/>
amu...@redhat.com IM: amusil
<https://red.ht/sig>
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users
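The filter in the thread introduces two variables, $GATEWAY_MAC and $GATEWAY_MAC_MASK, that libvirt does not derive on its own (unlike clean-traffic's $MAC, which comes from the interface); each domain that references the filter has to supply them as <parameter> children of its <filterref>, and a missing one makes the domain fail to start. The helper below is an added example, not code from the thread or from libvirt: it embeds the filter XML as posted, collects every $VARIABLE the filter references, refuses to emit the domain-side <filterref> unless all of them are supplied with MAC-shaped values, and renders the element to paste into the domain's <interface>. The function names and the sample MAC/mask values are assumptions made up for the example.

```python
"""Render the <filterref> a domain needs for the clean-traffic-gateway filter.

Added example for the libvirt-users thread above; not libvirt's own code.
The filter text is the one posted in the thread. The MAC and mask values
in SAMPLE_PARAMS are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET

# Filter as posted in the thread, with its variables left unresolved
# (libvirt substitutes them from the domain's <filterref> parameters).
FILTER_XML = """<filter name='clean-traffic-gateway'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>"""

# Constructed sample values: the peer VM's MAC and a full (exact-match) mask.
SAMPLE_PARAMS = {
    "GATEWAY_MAC": "52:54:00:aa:bb:01",
    "GATEWAY_MAC_MASK": "ff:ff:ff:ff:ff:ff",
}

VAR_RE = re.compile(r"\$([A-Za-z0-9_]+)")
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


def referenced_variables(filter_xml):
    """Return the set of $VARIABLE names used in any attribute of the filter."""
    root = ET.fromstring(filter_xml)
    names = set()
    for elem in root.iter():
        for value in elem.attrib.values():
            names.update(VAR_RE.findall(value))
    return names


def build_filterref(filter_xml, params):
    """Render the <filterref> element for a domain <interface>.

    Raises ValueError if a variable the filter references has no parameter
    (libvirt would refuse to start the domain) or if a supplied value is not
    a MAC address or MAC mask; every parameter of this filter is MAC-shaped.
    """
    root = ET.fromstring(filter_xml)
    missing = referenced_variables(filter_xml) - set(params)
    if missing:
        raise ValueError("unresolved filter variables: %s" % sorted(missing))
    for name, value in params.items():
        if not MAC_RE.match(value):
            raise ValueError("%s=%r is not a MAC address or mask" % (name, value))
    ref = ET.Element("filterref", filter=root.get("name"))
    for name in sorted(params):
        ET.SubElement(ref, "parameter", name=name, value=params[name])
    return ET.tostring(ref, encoding="unicode")


if __name__ == "__main__":
    print(sorted(referenced_variables(FILTER_XML)))
    print(build_filterref(FILTER_XML, SAMPLE_PARAMS))
```

Install the filter itself with `virsh nwfilter-define clean-traffic-gateway.xml` (check it with `virsh nwfilter-dumpxml clean-traffic-gateway`), then place the rendered <filterref> inside the domain's <interface> element next to its <mac address='...'/>. Because the filter's own rules accept only frames to and from one $GATEWAY_MAC, every VM in the group needs its own parameter values; a domain that references the filter without them will not start.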