b81e44d6ac
The nwfilter XML configs are not merely examples, they are data that is actively shipped and used in production by users. Reviewed-by: Erik Skultety <eskultet@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
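<filter name='clean-traffic-gateway'>
  <!-- A traffic filter enforcing clean traffic from a VM that talks only
       to a single gateway. This config is shipped and used as-is, not
       merely an example.

       The $GATEWAY_MAC variable referenced by the rules below is not
       auto-populated; it has to be supplied by the configuration that
       references this filter (e.g. as a parameter on the filterref),
       otherwise the filter cannot be instantiated.

       - preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>

  <!-- preventing IP spoofing on outgoing -->
  <filterref filter='no-ip-spoofing'/>

  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>

  <!-- accept all other incoming and outgoing ARP traffic; the low
       priority value makes this rule evaluate ahead of the
       default-priority rules below -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>

  <!-- accept incoming traffic only from the gateway MAC address -->
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC'/>
  </rule>

  <!-- allow outgoing traffic only to the gateway MAC address -->
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC'/>
  </rule>

  <!-- preventing any other traffic than between the specified MACs
       and ARP -->
  <filterref filter='no-other-l2-traffic'/>

  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>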