libvirt/examples/xml/nwfilter/clean-traffic-gateway.xml

<filter name='clean-traffic-gateway'>
    <!-- An example of a traffic filter enforcing clean traffic
            from a VM by
              - preventing MAC spoofing -->
    <filterref filter='no-mac-spoofing'/>

    <!-- preventing IP spoofing on outgoing -->
    <filterref filter='no-ip-spoofing'/>

    <!-- preventing ARP spoofing/poisoning -->
    <filterref filter='no-arp-spoofing'/>

    <!-- accept all other incoming and outgoing ARP traffic -->
    <rule action='accept' direction='inout' priority='-500'>
        <mac protocolid='arp'/>
    </rule>

    <!-- accept traffic only from specified MAC address -->
    <rule action='accept' direction='in'>
        <mac match='yes' srcmacaddr='$GATEWAY_MAC'/>
    </rule>

    <!-- allow traffic only to specified MAC address -->
    <rule action='accept' direction='out'>
        <mac match='yes' dstmacaddr='$GATEWAY_MAC'/>
    </rule>

    <!-- preventing any other traffic than between specified MACs
    and ARP -->
    <filterref filter='no-other-l2-traffic'/>

    <!-- allow qemu to send a self-announce upon migration end -->
    <filterref filter='qemu-announce-self'/>
</filter>
examples: Add clean-traffic-gateway into nwfilters The filter purpose is to simulate isolated private VLAN. The behavior can be achieved by limiting network traffic to traffic between VM and gateway. Because there is no concept of the PVLAN in the linux bridge. The filter also contains parts from clean-traffic to prevent VM from spoofing its IP and MAC address. To use this filter the user just needs to set the GATEWAY_MAC variable to gateway MAC address. Signed-off-by: Ales Musil <amusil@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com> 2018-07-18 08:33:03 +00:00			`<filter name='clean-traffic-gateway'>`
			`<!-- An example of a traffic filter enforcing clean traffic`
			`from a VM by`
			`- preventing MAC spoofing -->`
			`<filterref filter='no-mac-spoofing'/>`

			`<!-- preventing IP spoofing on outgoing -->`
			`<filterref filter='no-ip-spoofing'/>`

			`<!-- preventing ARP spoofing/poisoning -->`
			`<filterref filter='no-arp-spoofing'/>`

			`<!-- accept all other incoming and outgoing ARP traffic -->`
			`<rule action='accept' direction='inout' priority='-500'>`
			`<mac protocolid='arp'/>`
			`</rule>`

			`<!-- accept traffic only from specified MAC address -->`
			`<rule action='accept' direction='in'>`
			`<mac match='yes' srcmacaddr='$GATEWAY_MAC'/>`
			`</rule>`

			`<!-- allow traffic only to specified MAC address -->`
			`<rule action='accept' direction='out'>`
			`<mac match='yes' dstmacaddr='$GATEWAY_MAC'/>`
			`</rule>`

			`<!-- preventing any other traffic than between specified MACs`
			`and ARP -->`
			`<filterref filter='no-other-l2-traffic'/>`

			`<!-- allow qemu to send a self-announce upon migration end -->`
			`<filterref filter='qemu-announce-self'/>`
			`</filter>`