On Fri, Mar 31, 2017 at 12:11:40PM +0200, Richard Landsman - Rimote wrote:
> Hi,
>
> I don't see why this should not work with the given solutions. But I'm
> relatively new to KVM / libvirt. Alternative:
>
> Personally I use Shorewall (Shoreline FW) and bridge setups (also works with
> a bonding interface). This way you can create zones, interfaces, addresses,
> forwarding-rules etc and give per VM permission to let's say only use a
> certain IP, only access certain parts of the network, talk to a certain
> limited list of IPs etc. I can not imagine you can't create what you want
> with Shorewall. It looks complicated, but actually is very intuitive if you
> give it some time and effort.
>
> Please feel free to provide a better description of what you want to
> accomplish. Maybe I misunderstand what you want to achieve.
>

Thanks Richard. But the problem is not Shorewall. I can use any Unix/Linux/BSD based distro to set up a firewall as a VM. The problem here is with the KVM host. I need to attach two physical interfaces to a guest, and these phy interfaces have IPs and routes assigned, and I need to get them off the main routing table. And why? Because one of these interfaces is a wireless adapter and the host's CPU doesn't support PCI passthrough.

--
Greetings,
C. L. Martinez
On 31/03/17 15:55, C. L. Martinez wrote:
> I need to attach two physical interfaces to a guest and these phy interfaces have IP and routes assigned and I need to get them off the main routing table.

I do not understand this.

You can attach a physical (or virtual, doesn't matter) interface to any given VM without assigning routes or IPs to these interfaces directly.

Just do the network configuration inside the VM, and the routing, well, on your router? You will just need the route for the VM networks on your host, but what is your attack scenario to keep this separated from other routes on this host? You need at least CAP_NET_ADMIN to fiddle with those.

--
Kind regards

Sven Kieske

System administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +495772 293100
F: +495772 293333
https://www.mittwald.de
Managing director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, District Court Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, District Court Bad Oeynhausen
On Fri, Mar 31, 2017 at 05:06:53PM +0200, Sven Kieske wrote:
> On 31/03/17 15:55, C. L. Martinez wrote:
> > I need to attach two physical interfaces to a guest and these phy interfaces have IP and routes assigned and I need to get them off the main routing table.
>
> I do not understand this.
>
> You can attach a physical (or virtual, doesn't matter), interface to any
> given vm, without assigning routes or IPs to these interfaces directly.

No, I can't, because this host doesn't support PCI passthrough. One of these interfaces is a wireless NIC.

> Just do the network configuration inside the vm, and the routing, well
> on your router? You will just need the route for the vm networks on your
> host, but what is your attack scenario to keep this separated from other
> routes on this host? you need at least CAP_NET_ADMIN to fiddle with those.

How? If the same host routes Internet traffic in the main routing table, I expose the host's services to the Internet.

> _______________________________________________
> CentOS-virt mailing list
> CentOS-virt at centos.org
> https://lists.centos.org/mailman/listinfo/centos-virt

--
Greetings,
C. L. Martinez