mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-09-19 22:21:27 +00:00
ed7813d28d
Qemu currently sends an Ethernet packet with protocol id 0x835 once a VM was successfully migrated. The content of the packet looks like a gratuitous RARP, just with the wrong protocol ID, which should be 0x8035. I wrote some filters to let either one of the packets pass and am adapting the clean-traffic sample filter to use it. I am also doing some changes on the existing ARP filter which was lacking a test for source MAC address.
21 lines
667 B
XML
<filter name='clean-traffic'>
   <!-- An example of a traffic filter enforcing clean traffic
        from a VM by
      - preventing MAC spoofing -->
   <filterref filter='no-mac-spoofing'/>

   <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
   <filterref filter='no-ip-spoofing'/>
   <filterref filter='allow-incoming-ipv4'/>

   <!-- preventing ARP spoofing/poisoning -->
   <filterref filter='no-arp-spoofing'/>

   <!-- preventing any other traffic than IPv4 and ARP -->
   <filterref filter='no-other-l2-traffic'/>

   <!-- allow qemu to send a self-announce upon migration end -->
   <filterref filter='qemu-announce-self'/>

</filter>
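
The self-announce frame described in the commit message, as an added example that is not part of the libvirt repository: a Python sketch of the checks a filter can apply to such a frame, accepting EtherType 0x8035 or 0x835 only when the Ethernet source and the RARP hardware addresses equal the VM's MAC. The RARP field layout follows RFC 903; the function names, MAC addresses and frames are constructed for illustration, and the checks are not claimed to match the contents of libvirt's qemu-announce-self filter.

```python
import struct

ETH_P_RARP = 0x8035         # correct EtherType for RARP
ETH_P_QEMU_LEGACY = 0x0835  # wrong protocol ID the commit message says QEMU sends
RARP_OP_REQUEST_REV = 3     # "request reverse" opcode (RFC 903)


def build_announce(mac: bytes, ethertype: int) -> bytes:
    """Constructed sample: broadcast frame with a RARP-shaped payload."""
    eth = b"\xff" * 6 + mac + struct.pack("!H", ethertype)
    rarp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, RARP_OP_REQUEST_REV)
    rarp += mac + b"\x00" * 4 + mac + b"\x00" * 4
    return (eth + rarp).ljust(60, b"\x00")  # pad to minimum frame size


def classify_announce(frame: bytes, vm_mac: bytes) -> str:
    """Decide whether an outgoing frame is an acceptable self-announce."""
    if len(frame) < 42:
        return "drop: truncated"
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in (ETH_P_RARP, ETH_P_QEMU_LEGACY):
        return "drop: not an announce ethertype"
    # Source MAC test: the frame must come from the VM's own address.
    if src != vm_mac:
        return "drop: ethernet source is not the VM's MAC"
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, RARP_OP_REQUEST_REV):
        return "drop: payload is not a RARP request"
    # The payload must announce the same MAC as the Ethernet header.
    sender_hw, target_hw = frame[22:28], frame[32:38]
    if sender_hw != vm_mac or target_hw != vm_mac:
        return "drop: RARP hardware address is not the VM's MAC"
    if ethertype == ETH_P_QEMU_LEGACY:
        return "accept: legacy 0x835"
    return "accept: rarp"


if __name__ == "__main__":
    vm = bytes.fromhex("525400123456")     # constructed VM MAC
    other = bytes.fromhex("5254009abcde")  # constructed foreign MAC
    for frame in (build_announce(vm, 0x8035), build_announce(vm, 0x0835),
                  build_announce(other, 0x8035), build_announce(vm, 0x0806)):
        print(classify_announce(frame, vm))
```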