Hi there. I have configured a kvm domain (rhel6.4) with ethernet bridged over macvtap, and found no filtration applied except mac. 'virsh' is just silently ignoring the attributes 'filterref' and 'ip address' in different formats. No error at the validate stage. Config examples:

...
<interface type='direct'>
  <mac address='52:54:00:31:ae:1a'/>
  <source dev='em1' mode='private'/>

  <filterref filter='clean-traffic'>
    <parameter name='IP' value='10.1.101.44'/>
  </filterref>

  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
...

or like these:

...
<interface type='direct'>
  <mac address='52:54:00:31:ae:1a'/>
  <source dev='em1' mode='private'/>
  <ip address='10.1.101.44'/>
  <filterref filter='clean-traffic'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
...

With 'virsh create domain.xml', the vm is created, but dumpxml shows that filterref has disappeared. I have not found any success stories with filtering rules and 'direct' interface types. Is it supported with this type? Or maybe other tricks to protect the network from vm spoofing and direct type?

- vlad f halilov
On 11/19/2013 11:00 AM, vlad halilov wrote:
> Hi there. I have configured a kvm domain (rhel6.4) with ethernet bridged
> over macvtap, and found no filtration applied except mac. 'virsh' is just
> silently ignoring the attributes 'filterref' and 'ip address' in different
> formats. No error at the validate stage. Config examples:
>
> ...
> <interface type='direct'>
>   <mac address='52:54:00:31:ae:1a'/>
>   <source dev='em1' mode='private'/>
>
>   <filterref filter='clean-traffic'>
>     <parameter name='IP' value='10.1.101.44'/>
>   </filterref>
>
>   <model type='virtio'/>
>   <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
>   function='0x0'/>
> </interface>
> ...
>
> or like these:
>
> ...
> <interface type='direct'>
>   <mac address='52:54:00:31:ae:1a'/>
>   <source dev='em1' mode='private'/>
>   <ip address='10.1.101.44'/>
>   <filterref filter='clean-traffic'/>
>   <model type='virtio'/>
>   <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
>   function='0x0'/>
> </interface>
> ...
>
> With 'virsh create domain.xml', the vm is created, but dumpxml shows that
> filterref has disappeared.
> I have not found any success stories with filtering rules and 'direct' interface types.
> Is it supported with this type? Or maybe other tricks to protect the network from vm spoofing
> and direct type?

The kernel macvtap packet processing bypasses both iptables and ebtables, so libvirt's filters are ineffective for guest interfaces using a macvtap connection.
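A small audit script for the situation Laine describes, added here as an example and not part of the thread or of libvirt: it parses a domain XML and flags every type='direct' (macvtap) interface that carries a <filterref>, since such a filter is never enforced. The sample XML reuses the interface from the question; the second bridge-type interface, its MAC and 'br0' are constructed for contrast.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML: the macvtap interface from the thread plus a
# bridge-type interface (constructed) so the two cases can be compared.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>constructed-guest</name>
  <devices>
    <interface type='direct'>
      <mac address='52:54:00:31:ae:1a'/>
      <source dev='em1' mode='private'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.1.101.44'/>
      </filterref>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:31:ae:1b'/>
      <source bridge='br0'/>
      <filterref filter='clean-traffic'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>"""


def ineffective_filters(domain_xml):
    """Return (mac, filter) for each type='direct' interface that carries a
    <filterref>. nwfilter rules are enforced with ebtables/iptables, which
    macvtap traffic bypasses, so such a filter protects nothing."""
    root = ET.fromstring(domain_xml)
    findings = []
    for iface in root.iter("interface"):
        if iface.get("type") != "direct":
            continue
        fref = iface.find("filterref")
        if fref is None:
            continue
        mac_el = iface.find("mac")
        mac = mac_el.get("address") if mac_el is not None else "?"
        findings.append((mac, fref.get("filter")))
    return findings


if __name__ == "__main__":
    # Feed this the output of `virsh dumpxml <guest>` for a real domain.
    for mac, name in ineffective_filters(SAMPLE_DOMAIN_XML):
        print(f"WARNING: {mac}: filter '{name}' is ineffective on macvtap")
```

Run it over the XML you intend to define (rather than over dumpxml output) to catch the case the question describes, where libvirt has already dropped the element silently.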
That's bad. So, no way to protect the network from vm's ip spoofing using macvtap?

On Tue, Nov 19, 2013 at 2:21 PM, Laine Stump <laine@laine.org> wrote:
> The kernel macvtap packet processing bypasses both iptables and
> ebtables, so libvirt's filters are ineffective for guest interfaces
> using a macvtap connection.