Hi Ales,

In fact the router is running at the same KVM host. Automatically the default gateway for both subnets are added when the subnet is created. I will try your suggestion and I would like to invite you to try too :)

Thank you very much!

Thiago

On Mon, 2 Jul 2018 06:05, Ales Musil <amu...@redhat.com> wrote:

> On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thi...@gmail.com> wrote:
>
>> Hi Ales,
>>
>> I would like to prevent the guests from different subnets start a communication. In other words I have the subnet 192.168.1.0/24 and 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with guests on 192.168.2.0/24 at the same host. Is this possible using a filter like yours?
>>
> Hi Thiago,
>
> so by definition guest from different subnets cannot talk to each other directly unless they are connected via some router. That means you don't need any filter for that. If there is a router between the networks and it is needed for some cases then you could change the filter I have posted to use IP restriction instead of MAC one e.g [2]. Have not tested it myself but it should work fine.
>
> Hopefully this helps.
>
> Regards,
> Ales.
>
> [1]
> <filter name='clean-traffic-ip-gateway'>
>   <!-- An example of a traffic filter enforcing clean traffic from a VM by
>        - preventing MAC spoofing -->
>   <filterref filter='no-mac-spoofing'/>
>
>   <!-- preventing IP spoofing on outgoing -->
>   <filterref filter='no-ip-spoofing'/>
>   <!-- preventing ARP spoofing/poisoning -->
>   <filterref filter='no-arp-spoofing'/>
>   <!-- accept all other incoming and outgoing ARP traffic -->
>   <rule action='accept' direction='inout' priority='-500'>
>     <mac protocolid='arp'/>
>   </rule>
>   <!-- accept traffic only from specified MAC address -->
>   <rule action='drop' direction='in'>
>     <ip match='yes' srcipaddr='$GATEWAY_IP' srcipmask='$GATEWAY_IP_MASK' />
>   </rule>
>   <!-- allow traffic only to specified MAC address -->
>   <rule action='drop' direction='out'>
>     <ip match='yes' dstipaddr='$GATEWAY_IP' dstipmask='$GATEWAY_IP_MASK' />
>   </rule>
>   <!-- preventing any other traffic than between specified MACs and ARP -->
>   <filterref filter='no-other-l2-traffic'/>
>
>   <!-- allow qemu to send a self-announce upon migration end -->
>   <filterref filter='qemu-announce-self'/>
> </filter>
>
>> Thank you.
>>
>> Thiago.
>>
>> On Thu, 28 Jun 2018 at 09:37, Ales Musil <amu...@redhat.com> wrote:
>>
>>> Hello,
>>>
>>> I would like to make filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have came up with modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with reference to clean-traffic?
>>>
>>> Thank you.
>>> Best wishes,
>>> Ales Musil
>>>
>>> [1]
>>> <filter name='clean-traffic-gateway'>
>>>   <!-- An example of a traffic filter enforcing clean traffic from a VM by
>>>        - preventing MAC spoofing -->
>>>   <filterref filter='no-mac-spoofing'/>
>>>
>>>   <!-- preventing IP spoofing on outgoing -->
>>>   <filterref filter='no-ip-spoofing'/>
>>>   <!-- preventing ARP spoofing/poisoning -->
>>>   <filterref filter='no-arp-spoofing'/>
>>>   <!-- accept all other incoming and outgoing ARP traffic -->
>>>   <rule action='accept' direction='inout' priority='-500'>
>>>     <mac protocolid='arp'/>
>>>   </rule>
>>>   <!-- accept traffic only from specified MAC address -->
>>>   <rule action='accept' direction='in'>
>>>     <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK' />
>>>   </rule>
>>>   <!-- allow traffic only to specified MAC address -->
>>>   <rule action='accept' direction='out'>
>>>     <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK' />
>>>   </rule>
>>>   <!-- preventing any other traffic than between specified MACs and ARP -->
>>>   <filterref filter='no-other-l2-traffic'/>
>>>
>>>   <!-- allow qemu to send a self-announce upon migration end -->
>>>   <filterref filter='qemu-announce-self'/>
>>> </filter>
>>>
>>> --
>>>
>>> ALES MUSIL
>>> INTERN - rhv network
>>>
>>> Red Hat EMEA <https://www.redhat.com/>
>>>
>>> amu...@redhat.com IM: amusil
>>> <https://red.ht/sig>
>>> _______________________________________________
>>> libvirt-users mailing list
>>> libvirt-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/libvirt-users
>>
>
> --
>
> ALES MUSIL
> Associate Software Engineer - rhv network
>
> Red Hat EMEA <https://www.redhat.com/>
>
> amu...@redhat.com IM: amusil
> <https://red.ht/sig>
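One check worth running before defining a filter like the IP variant above, added here as an example that is not code from the thread: the filter references $GATEWAY_IP and $GATEWAY_IP_MASK, and the domain's <interface> must bind each of them with a <parameter> element or libvirt cannot instantiate the filter. The script copies the posted IP filter, parses a constructed <interface> snippet (bridge name and address are assumptions) and reports any variable left unbound.

```python
# Added example, not from the thread: list the $VARIABLES a libvirt nwfilter
# references that the domain's <interface> filterref does not bind.
# FILTER_XML copies the IP filter posted above; INTERFACE_XML is constructed.
import re
import xml.etree.ElementTree as ET

FILTER_XML = """<filter name='clean-traffic-ip-gateway'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <rule action='drop' direction='in'>
    <ip match='yes' srcipaddr='$GATEWAY_IP' srcipmask='$GATEWAY_IP_MASK'/>
  </rule>
  <rule action='drop' direction='out'>
    <ip match='yes' dstipaddr='$GATEWAY_IP' dstipmask='$GATEWAY_IP_MASK'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>"""

# Constructed <interface> that binds only one of the two variables.
INTERFACE_XML = """<interface type='bridge'>
  <source bridge='br0'/>
  <filterref filter='clean-traffic-ip-gateway'>
    <parameter name='GATEWAY_IP' value='192.168.1.1'/>
  </filterref>
</interface>"""

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def filter_variables(filter_xml):
    """Names of all $VARIABLES used in any rule's match attributes."""
    root = ET.fromstring(filter_xml)
    return {name for rule in root.iter('rule') for elem in rule.iter()
            for value in elem.attrib.values() for name in VAR_RE.findall(value)}

def bound_parameters(interface_xml):
    """{name: value} of the <parameter> elements under the filterref."""
    root = ET.fromstring(interface_xml)
    return {p.get('name'): p.get('value') for p in root.iter('parameter')}

def unbound_variables(filter_xml, interface_xml):
    """Variables the filter needs but the interface does not supply; libvirt
    cannot instantiate the filter while this list is non-empty."""
    return sorted(filter_variables(filter_xml) - set(bound_parameters(interface_xml)))
```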