Discussion:
[libvirt-users] East-west traffic network filter
Ales Musil
2018-06-28 08:18:57 UTC
Permalink
Hello,

I would like to make filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic but I was not able to get it working
with that reference. I have came up with modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with reference to
clean-traffic?

Thank you.
Best wishes,
Ales Musil

[1]
<filter name='clean-traffic-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>

<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='accept' direction='in'>
<mac match='yes' srcmacaddr='$GATEWAY_MAC'
srcmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='accept' direction='out'>
<mac match='yes' dstmacaddr='$GATEWAY_MAC'
dstmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>

<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
INTERN - rhv network

Red Hat EMEA <https://www.redhat.com/>


***@redhat.com IM: amusil
<https://red.ht/sig>
Daniel P. Berrangé
2018-06-28 12:40:35 UTC
Permalink
Post by Ales Musil
Hello,
I would like to make filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic but I was not able to get it working
with that reference. I have came up with modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with reference to
clean-traffic?
Honestly I think the way you've done it is the right way. "clean-traffic"
is best thought of as a simple demo. If it does what you need, great, but
we'd expect people to create their own filters for anything more advanced.
The clean-traffic rules were modularized so you can use <filterrefs> to
avoid too much duplication. So what you've done looks fine to me.
Post by Ales Musil
[1]
<filter name='clean-traffic-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='accept' direction='in'>
<mac match='yes' srcmacaddr='$GATEWAY_MAC'
srcmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='accept' direction='out'>
<mac match='yes' dstmacaddr='$GATEWAY_MAC'
dstmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig>
_______________________________________________
libvirt-users mailing list
https://www.redhat.com/mailman/listinfo/libvirt-users
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Ales Musil
2018-07-02 08:55:53 UTC
Permalink
Post by Daniel P. Berrangé
Post by Ales Musil
Hello,
I would like to make filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic but I was not able to get it working
with that reference. I have came up with modified clean-traffic which
works
Post by Ales Musil
fine [1]. Is there a way to achieve the same behavior with reference to
clean-traffic?
Honestly I think the way you've done it is the right way. "clean-traffic"
is best thought of as a simple demo. If it does what you need, great, but
we'd expect people to create their own filters for anything more advanced.
The clean-traffic rules were modularized so you can use <filterrefs> to
avoid too much duplication. So what you've done looks fine to me.
Alright, thank you.
Post by Daniel P. Berrangé
[1]
Post by Ales Musil
<filter name='clean-traffic-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='accept' direction='in'>
<mac match='yes' srcmacaddr='$GATEWAY_MAC'
srcmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='accept' direction='out'>
<mac match='yes' dstmacaddr='$GATEWAY_MAC'
dstmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig>
_______________________________________________
libvirt-users mailing list
https://www.redhat.com/mailman/listinfo/libvirt-users
Regards,
Daniel
--
|: https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-
https://fstop138.berrange.com :|
|: https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|
--
ALES MUSIL
Associate Software Engineer - rhv network

Red Hat EMEA <https://www.redhat.com/>


***@redhat.com IM: amusil
<https://red.ht/sig>
Thiago Oliveira
2018-06-29 01:39:54 UTC
Permalink
Hi Ales,

I would like to prevent the guests from different subnets start a
communication. In other words I have the subnet 192.168.1.0/24 and
192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with
guests on 192.168.2.0/24 at the same host. Is this possible using a filter
like yours?

Thank you.

Thiago.
Post by Ales Musil
Hello,
I would like to make filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic but I was not able to get it working
with that reference. I have came up with modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with reference to
clean-traffic?
Thank you.
Best wishes,
Ales Musil
[1]
<filter name='clean-traffic-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='accept' direction='in'>
<mac match='yes' srcmacaddr='$GATEWAY_MAC'
srcmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='accept' direction='out'>
<mac match='yes' dstmacaddr='$GATEWAY_MAC'
dstmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig>
_______________________________________________
libvirt-users mailing list
https://www.redhat.com/mailman/listinfo/libvirt-users
Ales Musil
2018-07-02 09:05:48 UTC
Permalink
Post by Thiago Oliveira
Hi Ales,
I would like to prevent the guests from different subnets start a
communication. In other words I have the subnet 192.168.1.0/24 and
192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with
guests on 192.168.2.0/24 at the same host. Is this possible using a
filter like yours?
Hi Thiago,

so by definition guest from different subnets cannot talk to each other
directly unless they are connected via some router. That means you don't
need any filter for that. If there is a router between the networks and it
is needed for some cases then you could change the filter I have posted to
use IP restriction instead of MAC one e.g [2]. Have not tested it myself
but it should work fine.

Hopefully this helps.

Regards,
Ales.

[1]
<filter name='clean-traffic-ip-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>

<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='drop' direction='in'>
<ip match='yes' srcipaddr='$GATEWAY_IP'
srcipmask='$GATEWAY_IP_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='drop' direction='out'>
<ip match='yes' dstipaddr='$GATEWAY_IP'
dstipmask='$GATEWAY_IP_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>

<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
Post by Thiago Oliveira
Thank you.
Thiago.
Post by Ales Musil
Hello,
I would like to make filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic but I was not able to get it working
with that reference. I have came up with modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with reference to
clean-traffic?
Thank you.
Best wishes,
Ales Musil
[1]
<filter name='clean-traffic-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='accept' direction='in'>
<mac match='yes' srcmacaddr='$GATEWAY_MAC'
srcmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='accept' direction='out'>
<mac match='yes' dstmacaddr='$GATEWAY_MAC'
dstmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig>
_______________________________________________
libvirt-users mailing list
https://www.redhat.com/mailman/listinfo/libvirt-users
--
ALES MUSIL
Associate Software Engineer - rhv network

Red Hat EMEA <https://www.redhat.com/>


***@redhat.com IM: amusil
<https://red.ht/sig>
Thiago Oliveira
2018-07-03 02:10:44 UTC
Permalink
Hi Ales,

In fact the router is running at the same KVM host. Automatically the
default gateway for both subnets are added when the subnet is created. I
will try your sugestion and I would like to invite you to try too :)

Thank you very much!

Thiago
Post by Ales Musil
Post by Thiago Oliveira
Hi Ales,
I would like to prevent the guests from different subnets start a
communication. In other words I have the subnet 192.168.1.0/24 and
192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with
guests on 192.168.2.0/24 at the same host. Is this possible using a
filter like yours?
Hi Thiago,
so by definition guest from different subnets cannot talk to each other
directly unless they are connected via some router. That means you don't
need any filter for that. If there is a router between the networks and it
is needed for some cases then you could change the filter I have posted to
use IP restriction instead of MAC one e.g [2]. Have not tested it myself
but it should work fine.
Hopefully this helps.
Regards,
Ales.
[1]
<filter name='clean-traffic-ip-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='drop' direction='in'>
<ip match='yes' srcipaddr='$GATEWAY_IP'
srcipmask='$GATEWAY_IP_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='drop' direction='out'>
<ip match='yes' dstipaddr='$GATEWAY_IP'
dstipmask='$GATEWAY_IP_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
Post by Thiago Oliveira
Thank you.
Thiago.
Post by Ales Musil
Hello,
I would like to make filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic but I was not able to get it working
with that reference. I have came up with modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with reference to
clean-traffic?
Thank you.
Best wishes,
Ales Musil
[1]
<filter name='clean-traffic-gateway'>
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='accept' direction='in'>
<mac match='yes' srcmacaddr='$GATEWAY_MAC'
srcmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='accept' direction='out'>
<mac match='yes' dstmacaddr='$GATEWAY_MAC'
dstmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs
and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig>
_______________________________________________
libvirt-users mailing list
https://www.redhat.com/mailman/listinfo/libvirt-users
--
ALES MUSIL
Associate Software Engineer - rhv network
Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig>
Continue reading on narkive:
Loading...