On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thi...@gmail.com> wrote:
> Hi Ales,
>
> I would like to prevent guests from different subnets from starting a
> communication. In other words I have the subnets 192.168.1.0/24 and
> 192.168.2.0/24, and the guests from 192.168.1.0/24 cannot reach/talk with
> guests on 192.168.2.0/24 at the same host. Is this possible using a
> filter like yours?
>

Hi Thiago,

so by definition guests from different subnets cannot talk to each other directly unless they are connected via some router. That means you don't need any filter for that. If there is a router between the networks and it is needed for some cases, then you could change the filter I have posted to use IP restriction instead of the MAC one, e.g. [2]. Have not tested it myself but it should work fine.

Hopefully this helps.

Regards,
Ales.

[1]
<filter name='clean-traffic-ip-gateway'>
  <!-- An example of a traffic filter enforcing clean traffic from a VM by
       - preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>

  <!-- preventing IP spoofing on outgoing -->
  <filterref filter='no-ip-spoofing'/>

  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>

  <!-- accept all other incoming and outgoing ARP traffic -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>

  <!-- accept traffic only from the specified IP address
       (the rule must accept here; no-other-l2-traffic below drops the rest) -->
  <rule action='accept' direction='in'>
    <ip match='yes' srcipaddr='$GATEWAY_IP' srcipmask='$GATEWAY_IP_MASK' />
  </rule>

  <!-- allow traffic only to the specified IP address -->
  <rule action='accept' direction='out'>
    <ip match='yes' dstipaddr='$GATEWAY_IP' dstipmask='$GATEWAY_IP_MASK' />
  </rule>

  <!-- preventing any other traffic than between specified addresses and ARP -->
  <filterref filter='no-other-l2-traffic'/>

  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>

> Thank you.
>
> Thiago.
>
> On Thu, Jun 28, 2018 at 09:37, Ales Musil <amu...@redhat.com> wrote:
>
>> Hello,
>>
>> I would like to make a filter that allows communication only between
>> specified VMs. Those VMs should be specified by their MAC address. The
>> filter should extend clean-traffic but I was not able to get it working
>> with that reference. I have come up with a modified clean-traffic which works
>> fine [1]. Is there a way to achieve the same behavior with a reference to
>> clean-traffic?
>>
>> Thank you.
>> Best wishes,
>> Ales Musil
>>
>> [1]
>> <filter name='clean-traffic-gateway'>
>>   <!-- An example of a traffic filter enforcing clean traffic from a VM by
>>        - preventing MAC spoofing -->
>>   <filterref filter='no-mac-spoofing'/>
>>
>>   <!-- preventing IP spoofing on outgoing -->
>>   <filterref filter='no-ip-spoofing'/>
>>
>>   <!-- preventing ARP spoofing/poisoning -->
>>   <filterref filter='no-arp-spoofing'/>
>>
>>   <!-- accept all other incoming and outgoing ARP traffic -->
>>   <rule action='accept' direction='inout' priority='-500'>
>>     <mac protocolid='arp'/>
>>   </rule>
>>
>>   <!-- accept traffic only from specified MAC address -->
>>   <rule action='accept' direction='in'>
>>     <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK' />
>>   </rule>
>>
>>   <!-- allow traffic only to specified MAC address -->
>>   <rule action='accept' direction='out'>
>>     <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK' />
>>   </rule>
>>
>>   <!-- preventing any other traffic than between specified MACs and ARP -->
>>   <filterref filter='no-other-l2-traffic'/>
>>
>>   <!-- allow qemu to send a self-announce upon migration end -->
>>   <filterref filter='qemu-announce-self'/>
>> </filter>
>>
>>
>> --
>>
>> ALES MUSIL
>> INTERN - rhv network
>>
>> Red Hat EMEA <https://www.redhat.com/>
>>
>> amu...@redhat.com IM: amusil
>> <https://red.ht/sig>
>> _______________________________________________
>> libvirt-users mailing list
>> libvirt-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/libvirt-users
>

--

ALES MUSIL
Associate Software Engineer - rhv network

Red Hat EMEA <https://www.redhat.com/>

amu...@redhat.com IM: amusil
<https://red.ht/sig>
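The filters above take their `$GATEWAY_IP` / `$GATEWAY_IP_MASK` (or `$GATEWAY_MAC` / `$GATEWAY_MAC_MASK`) values from the guest definition, which the thread does not show. The following is an added example, not code from either poster, of how a domain's interface references the IP variant and supplies those parameters. The bridge name, MAC address, guest IP and gateway address are constructed placeholders; the `IP` parameter feeds the referenced `no-ip-spoofing` filter, and setting it explicitly avoids relying on libvirt's IP learning for that guest.

```xml
<!-- Added example: guest <interface> binding the clean-traffic-ip-gateway
     filter from the thread. All addresses below are constructed placeholders. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='52:54:00:12:34:56'/>
  <model type='virtio'/>
  <filterref filter='clean-traffic-ip-gateway'>
    <!-- Guest's own IP: consumed by the referenced no-ip-spoofing filter.
         libvirt fills in MAC from <mac address> automatically. -->
    <parameter name='IP' value='192.168.1.10'/>
    <!-- Router/gateway the guest is allowed to exchange IP traffic with.
         A /32 mask (255.255.255.255) pins it to exactly one host; using
         255.255.255.0 instead would widen the allow to the whole subnet. -->
    <parameter name='GATEWAY_IP' value='192.168.1.1'/>
    <parameter name='GATEWAY_IP_MASK' value='255.255.255.255'/>
  </filterref>
</interface>
```

Define the filter on the host with `virsh nwfilter-define clean-traffic-ip-gateway.xml` before starting the guest; `virsh nwfilter-dumpxml clean-traffic-ip-gateway` confirms what was loaded. Because the filter ends with `no-other-l2-traffic`, any traffic not explicitly accepted by an earlier rule (ARP and the gateway IP rules here) is dropped, so a guest bound this way cannot reach a neighbouring guest on the same bridge directly, only the configured gateway.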