Hello,

I would like to make a filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have come up with a modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with reference to clean-traffic?

Thank you.
Best wishes,
Ales Musil

[1]
<filter name='clean-traffic-gateway'>
  <!-- An example of a traffic filter enforcing clean traffic
       from a VM by
       - preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>

  <!-- preventing IP spoofing on outgoing -->
  <filterref filter='no-ip-spoofing'/>
  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>
  <!-- accept all other incoming and outgoing ARP traffic -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <!-- accept traffic only from specified MAC address -->
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <!-- allow traffic only to specified MAC address -->
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <!-- preventing any other traffic than between specified MACs and ARP -->
  <filterref filter='no-other-l2-traffic'/>

  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>

-- 
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil@redhat.com IM: amusil
<https://red.ht/sig>
Daniel P. Berrangé
2018-Jun-28 12:40 UTC
Re: [libvirt-users] East-west traffic network filter
On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote:
> Hello,
>
> I would like to make a filter that allows communication only between
> specified VMs. Those VMs should be specified by their MAC address. The
> filter should extend clean-traffic but I was not able to get it working
> with that reference. I have come up with a modified clean-traffic which works
> fine [1]. Is there a way to achieve the same behavior with reference to
> clean-traffic?

Honestly I think the way you've done it is the right way. "clean-traffic" is best thought of as a simple demo. If it does what you need, great, but we'd expect people to create their own filters for anything more advanced. The clean-traffic rules were modularized so you can use <filterrefs> to avoid too much duplication. So what you've done looks fine to me.

> [1]
> <filter name='clean-traffic-gateway'>
>   <!-- An example of a traffic filter enforcing clean traffic
>        from a VM by
>        - preventing MAC spoofing -->
>   <filterref filter='no-mac-spoofing'/>
>
>   <!-- preventing IP spoofing on outgoing -->
>   <filterref filter='no-ip-spoofing'/>
>   <!-- preventing ARP spoofing/poisoning -->
>   <filterref filter='no-arp-spoofing'/>
>   <!-- accept all other incoming and outgoing ARP traffic -->
>   <rule action='accept' direction='inout' priority='-500'>
>     <mac protocolid='arp'/>
>   </rule>
>   <!-- accept traffic only from specified MAC address -->
>   <rule action='accept' direction='in'>
>     <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
>   </rule>
>   <!-- allow traffic only to specified MAC address -->
>   <rule action='accept' direction='out'>
>     <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
>   </rule>
>   <!-- preventing any other traffic than between specified MACs and ARP -->
>   <filterref filter='no-other-l2-traffic'/>
>
>   <!-- allow qemu to send a self-announce upon migration end -->
>   <filterref filter='qemu-announce-self'/>
> </filter>
>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users@redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Thiago Oliveira
2018-Jun-29 01:39 UTC
Re: [libvirt-users] East-west traffic network filter
Hi Ales,

I would like to prevent guests from different subnets starting a communication. In other words, I have the subnets 192.168.1.0/24 and 192.168.2.0/24, and the guests from 192.168.1.0/24 cannot reach/talk with guests on 192.168.2.0/24 at the same host. Is this possible using a filter like yours?

Thank you.

Thiago.

On Thu, 28 Jun 2018 at 09:37, Ales Musil <amusil@redhat.com> wrote:
> Hello,
>
> I would like to make a filter that allows communication only between
> specified VMs. Those VMs should be specified by their MAC address. The
> filter should extend clean-traffic but I was not able to get it working
> with that reference. I have come up with a modified clean-traffic which works
> fine [1]. Is there a way to achieve the same behavior with reference to
> clean-traffic?
>
> Thank you.
> Best wishes,
> Ales Musil
>
> [1]
> <filter name='clean-traffic-gateway'>
>   <!-- An example of a traffic filter enforcing clean traffic
>        from a VM by
>        - preventing MAC spoofing -->
>   <filterref filter='no-mac-spoofing'/>
>
>   <!-- preventing IP spoofing on outgoing -->
>   <filterref filter='no-ip-spoofing'/>
>   <!-- preventing ARP spoofing/poisoning -->
>   <filterref filter='no-arp-spoofing'/>
>   <!-- accept all other incoming and outgoing ARP traffic -->
>   <rule action='accept' direction='inout' priority='-500'>
>     <mac protocolid='arp'/>
>   </rule>
>   <!-- accept traffic only from specified MAC address -->
>   <rule action='accept' direction='in'>
>     <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
>   </rule>
>   <!-- allow traffic only to specified MAC address -->
>   <rule action='accept' direction='out'>
>     <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
>   </rule>
>   <!-- preventing any other traffic than between specified MACs and ARP -->
>   <filterref filter='no-other-l2-traffic'/>
>
>   <!-- allow qemu to send a self-announce upon migration end -->
>   <filterref filter='qemu-announce-self'/>
> </filter>
On Thu, Jun 28, 2018 at 2:40 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote:
> > Hello,
> >
> > I would like to make a filter that allows communication only between
> > specified VMs. Those VMs should be specified by their MAC address. The
> > filter should extend clean-traffic but I was not able to get it working
> > with that reference. I have come up with a modified clean-traffic which
> > works fine [1]. Is there a way to achieve the same behavior with reference to
> > clean-traffic?
>
> Honestly I think the way you've done it is the right way. "clean-traffic"
> is best thought of as a simple demo. If it does what you need, great, but
> we'd expect people to create their own filters for anything more advanced.
> The clean-traffic rules were modularized so you can use <filterrefs> to
> avoid too much duplication. So what you've done looks fine to me.
>

Alright, thank you.

> > [1]
> > <filter name='clean-traffic-gateway'>
> >   <!-- An example of a traffic filter enforcing clean traffic
> >        from a VM by
> >        - preventing MAC spoofing -->
> >   <filterref filter='no-mac-spoofing'/>
> >
> >   <!-- preventing IP spoofing on outgoing -->
> >   <filterref filter='no-ip-spoofing'/>
> >   <!-- preventing ARP spoofing/poisoning -->
> >   <filterref filter='no-arp-spoofing'/>
> >   <!-- accept all other incoming and outgoing ARP traffic -->
> >   <rule action='accept' direction='inout' priority='-500'>
> >     <mac protocolid='arp'/>
> >   </rule>
> >   <!-- accept traffic only from specified MAC address -->
> >   <rule action='accept' direction='in'>
> >     <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
> >   </rule>
> >   <!-- allow traffic only to specified MAC address -->
> >   <rule action='accept' direction='out'>
> >     <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
> >   </rule>
> >   <!-- preventing any other traffic than between specified MACs and ARP -->
> >   <filterref filter='no-other-l2-traffic'/>
> >
> >   <!-- allow qemu to send a self-announce upon migration end -->
> >   <filterref filter='qemu-announce-self'/>
> > </filter>
>
> Regards,
> Daniel

-- 
ALES MUSIL
Associate Software Engineer - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil@redhat.com IM: amusil
<https://red.ht/sig>
On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago@gmail.com> wrote:
> Hi Ales,
>
> I would like to prevent guests from different subnets starting a
> communication. In other words, I have the subnets 192.168.1.0/24 and
> 192.168.2.0/24, and the guests from 192.168.1.0/24 cannot reach/talk with
> guests on 192.168.2.0/24 at the same host. Is this possible using a
> filter like yours?
>

Hi Thiago,

so by definition guests from different subnets cannot talk to each other directly unless they are connected via some router. That means you don't need any filter for that. If there is a router between the networks and it is needed for some cases, then you could change the filter I have posted to use an IP restriction instead of a MAC one, e.g. [1]. I have not tested it myself but it should work fine.

Hopefully this helps.
Regards,
Ales.

[1]
<filter name='clean-traffic-ip-gateway'>
  <!-- An example of a traffic filter enforcing clean traffic
       from a VM by
       - preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>

  <!-- preventing IP spoofing on outgoing -->
  <filterref filter='no-ip-spoofing'/>
  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>
  <!-- accept all other incoming and outgoing ARP traffic -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <!-- drop incoming traffic from the specified IP address range -->
  <rule action='drop' direction='in'>
    <ip match='yes' srcipaddr='$GATEWAY_IP' srcipmask='$GATEWAY_IP_MASK'/>
  </rule>
  <!-- drop outgoing traffic to the specified IP address range -->
  <rule action='drop' direction='out'>
    <ip match='yes' dstipaddr='$GATEWAY_IP' dstipmask='$GATEWAY_IP_MASK'/>
  </rule>
  <!-- preventing any other traffic than between specified MACs and ARP -->
  <filterref filter='no-other-l2-traffic'/>

  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>

> Thank you.
>
> Thiago.
>
> On Thu, 28 Jun 2018 at 09:37, Ales Musil <amusil@redhat.com> wrote:
>
>> Hello,
>>
>> I would like to make a filter that allows communication only between
>> specified VMs. Those VMs should be specified by their MAC address. The
>> filter should extend clean-traffic but I was not able to get it working
>> with that reference. I have come up with a modified clean-traffic which works
>> fine [1]. Is there a way to achieve the same behavior with reference to
>> clean-traffic?
>>
>> Thank you.
>> Best wishes,
>> Ales Musil
>>
>> [1]
>> <filter name='clean-traffic-gateway'>
>>   <!-- An example of a traffic filter enforcing clean traffic
>>        from a VM by
>>        - preventing MAC spoofing -->
>>   <filterref filter='no-mac-spoofing'/>
>>
>>   <!-- preventing IP spoofing on outgoing -->
>>   <filterref filter='no-ip-spoofing'/>
>>   <!-- preventing ARP spoofing/poisoning -->
>>   <filterref filter='no-arp-spoofing'/>
>>   <!-- accept all other incoming and outgoing ARP traffic -->
>>   <rule action='accept' direction='inout' priority='-500'>
>>     <mac protocolid='arp'/>
>>   </rule>
>>   <!-- accept traffic only from specified MAC address -->
>>   <rule action='accept' direction='in'>
>>     <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
>>   </rule>
>>   <!-- allow traffic only to specified MAC address -->
>>   <rule action='accept' direction='out'>
>>     <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
>>   </rule>
>>   <!-- preventing any other traffic than between specified MACs and ARP -->
>>   <filterref filter='no-other-l2-traffic'/>
>>
>>   <!-- allow qemu to send a self-announce upon migration end -->
>>   <filterref filter='qemu-announce-self'/>
>> </filter>

-- 
ALES MUSIL
Associate Software Engineer - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil@redhat.com IM: amusil
<https://red.ht/sig>
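As an added example covering both filters in this thread (the MAC-based clean-traffic-gateway and the IP variant above; this is not code from the thread or from libvirt), the following Python helper shows two things the filters depend on but the messages leave implicit: what a srcmacaddr/srcmacmask or srcipaddr/srcipmask pair actually selects, and how the $GATEWAY_MAC-style variables are bound from the domain XML through <parameter> elements of the interface's <filterref>. The MAC and IP values are constructed samples, and the function names mac_matches, ip_matches, allowed_peers and filterref_xml are chosen here, not libvirt APIs.

```python
"""Added example (not from the thread or from libvirt): what the address/mask
pairs in the clean-traffic-gateway filters select, and how the $GATEWAY_*
variables are supplied to them.

Assumptions, labelled as such:
  - mac_matches / ip_matches reproduce the address/mask test of the
    ebtables/iptables rules libvirt generates: (packet & mask) == (addr & mask).
  - filterref_xml emits the <filterref><parameter .../></filterref> element
    that goes inside a domain's <interface> to set the filter's variables.
  - all MAC and IP values are constructed sample data.
"""
import ipaddress
import xml.etree.ElementTree as ET


def _mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff into a 48-bit integer; reject anything else."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(parts), 16)


def mac_matches(packet_mac: str, rule_addr: str,
                rule_mask: str = "ff:ff:ff:ff:ff:ff") -> bool:
    """True if packet_mac is selected by srcmacaddr/srcmacmask (or the dst pair)."""
    mask = _mac_to_int(rule_mask)
    return (_mac_to_int(packet_mac) & mask) == (_mac_to_int(rule_addr) & mask)


def ip_matches(packet_ip: str, rule_addr: str,
               rule_mask: str = "255.255.255.255") -> bool:
    """Same test for the srcipaddr/srcipmask form used by the IP variant."""
    mask = int(ipaddress.IPv4Address(rule_mask))
    return (int(ipaddress.IPv4Address(packet_ip)) & mask) == \
           (int(ipaddress.IPv4Address(rule_addr)) & mask)


def allowed_peers(candidate_macs, gateway_mac: str, gateway_mask: str):
    """Which candidate VM MACs the filter's 'in' rule would accept."""
    return [m for m in candidate_macs if mac_matches(m, gateway_mac, gateway_mask)]


def filterref_xml(filter_name: str, params: dict) -> str:
    """Interface-level <filterref> that binds the filter's $VARIABLES."""
    ref = ET.Element("filterref", filter=filter_name)
    for name, value in params.items():
        ET.SubElement(ref, "parameter", name=name, value=value)
    return ET.tostring(ref, encoding="unicode")


if __name__ == "__main__":
    GATEWAY = "52:54:00:00:00:01"  # constructed gateway MAC
    peers = ["52:54:00:00:00:01", "52:54:00:00:00:02", "00:16:3e:00:00:03"]
    # exact mask: only the gateway itself is accepted
    print(allowed_peers(peers, GATEWAY, "ff:ff:ff:ff:ff:ff"))
    # OUI-only mask: every VM sharing the 52:54:00 prefix gets through
    print(allowed_peers(peers, GATEWAY, "ff:ff:ff:00:00:00"))
    # Thiago's two subnets with the mask form the IP variant takes
    print(ip_matches("192.168.2.7", "192.168.2.0", "255.255.255.0"),
          ip_matches("192.168.1.7", "192.168.2.0", "255.255.255.0"))
    # the element to place inside <interface> in the domain XML
    print(filterref_xml("clean-traffic-gateway",
                        {"GATEWAY_MAC": GATEWAY,
                         "GATEWAY_MAC_MASK": "ff:ff:ff:ff:ff:ff"}))
```

The generated <filterref> element belongs inside the guest's <interface> definition; because an nwfilter is applied per interface, each of two VMs that should only see each other carries the other's MAC in its own parameters. The OUI-only run is the check worth making before deploying a mask: 52:54:00 is the prefix libvirt assigns to KVM guests by default, so a mask of ff:ff:ff:00:00:00 admits every guest on the host rather than one peer, while the exact mask the thread uses admits only the named MAC.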