From 8eb23363ec3f89792c638c72832ff99ae5ec8169 Mon Sep 17 00:00:00 2001
Message-Id: <8eb23363ec3f89792c638c72832ff99ae5ec8169@dist-git>
From: Ales Musil <amusil@redhat.com>
Date: Sun, 29 Jul 2018 16:56:18 +0200
Subject: [PATCH] examples: Add clean-traffic-gateway into nwfilters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The filter's purpose is to simulate an isolated private VLAN.

The behavior can be achieved by limiting network traffic
to traffic between the VM and the gateway, because there is no
concept of a PVLAN in the Linux bridge.

The filter also contains parts from clean-traffic
to prevent the VM from spoofing its IP and MAC address.

To use this filter, the user just needs to set
the GATEWAY_MAC variable to the gateway MAC address.

Signed-off-by: Ales Musil <amusil@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit ac01fbc90b7eb4ccc7a6140d618d1a3859365155)

https://bugzilla.redhat.com/show_bug.cgi?id=1603115

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
 .../xml/nwfilter/clean-traffic-gateway.xml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 examples/xml/nwfilter/clean-traffic-gateway.xml
diff --git a/examples/xml/nwfilter/clean-traffic-gateway.xml b/examples/xml/nwfilter/clean-traffic-gateway.xml
new file mode 100644
index 0000000000..b8c204041a
--- /dev/null
+++ b/examples/xml/nwfilter/clean-traffic-gateway.xml
@@ -0,0 +1,34 @@
+<filter name='clean-traffic-gateway'>
+
+ from a VM by
+ - preventing MAC spoofing -->
+ <filterref filter='no-mac-spoofing'/>
+
+
+ <filterref filter='no-ip-spoofing'/>
+
+
+ <filterref filter='no-arp-spoofing'/>
+
+
+ <rule action='accept' direction='inout' priority='-500'>
+ <mac protocolid='arp'/>
+ </rule>
+
+
+ <rule action='accept' direction='in'>
+ <mac match='yes' srcmacaddr='$GATEWAY_MAC'/>
+ </rule>
+
+
+ <rule action='accept' direction='out'>
+ <mac match='yes' dstmacaddr='$GATEWAY_MAC'/>
+ </rule>
+
+
+ and ARP -->
+ <filterref filter='no-other-l2-traffic'/>
+
+
+ <filterref filter='qemu-announce-self'/>
+</filter>
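Review bot: the hunk as shown is not well-formed XML, and the rule set leaves ARP unrestricted. Lines such as `+ - preventing MAC spoofing -->` and `+ and ARP -->` close comments that are never opened, and `from a VM by` is bare text directly under `<filter>`; the `<!--` openers of the header and per-rule comments are missing from the rendered diff, so please confirm the committed file carries them intact. On the rules: the `priority='-500'` rule accepts ARP `inout` with no address constraint, so a guest behind this filter can still exchange ARP with every other guest on the bridge (discover their MAC/IP mappings and answer their requests); only non-ARP frames are pinned to `$GATEWAY_MAC` by the two `in`/`out` rules, and those two `<mac match='yes' ...>` rules accept any ethertype from or to that address, not only IPv4. If PVLAN-style isolation is the goal, either constrain the ARP rule to the gateway (outgoing ARP requests are broadcast at the MAC level, so that needs the gateway IP as a second variable) or state in the header comment that ARP visibility between guests remains. Finally, `$GATEWAY_MAC` has no default and nothing in the file says the domain must supply it; add a comment showing the required `<parameter name='GATEWAY_MAC' value='...'/>` under the domain's `<filterref>`, since the two MAC rules cannot be resolved without it.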
--
2.18.0
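The commit message says the only thing a user must do is set GATEWAY_MAC; libvirt resolves `$GATEWAY_MAC` from a `<parameter>` element under the domain interface's `<filterref>` when the filter is instantiated. The following is an added example, not part of the patch and not libvirt code: a preflight check that extracts every `$VARIABLE` a filter references (following `<filterref>` targets whose XML is available) and reports which ones a given interface fails to supply, or supplies with something that is not a MAC address. The filter XML is reproduced from the hunk without its comments; the interface fragments are constructed for the example; treating `MAC` as always provided by libvirt is an assumption of this script.

```python
"""Preflight check for nwfilter variables (added example, not libvirt code).

libvirt resolves every $NAME in a filter at instantiation time from the
<parameter name='NAME' value='...'/> elements under the domain interface's
<filterref>. This script extracts the variables a filter (and any referenced
filter whose XML we have) uses and reports which ones an interface fails to
supply, so a forgotten GATEWAY_MAC is caught before `virsh start`.
"""
import re
import xml.etree.ElementTree as ET

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# Rule attributes that carry MAC addresses; a variable used here must be a MAC.
MAC_ATTRS = {"srcmacaddr", "dstmacaddr", "arpsrcmacaddr", "arpdstmacaddr"}
# Assumption: libvirt always fills in MAC (the interface's own address) itself;
# IP/IPV6 are learned or supplied separately and are not modelled here.
BUILTIN_VARS = {"MAC"}

# The rules of clean-traffic-gateway as they appear in the patch hunk; the
# XML comments were lost in the rendered diff and are omitted here.
CLEAN_TRAFFIC_GATEWAY = """\
<filter name='clean-traffic-gateway'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC'/>
  </rule>
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>
"""
KNOWN_FILTERS = {"clean-traffic-gateway": CLEAN_TRAFFIC_GATEWAY}


def interface_xml(params):
    """Build a constructed domain <interface> fragment using the new filter."""
    plist = "".join(f"<parameter name='{n}' value='{v}'/>" for n, v in params)
    return ("<interface type='bridge'><mac address='52:54:00:aa:bb:cc'/>"
            "<source bridge='br0'/><filterref filter='clean-traffic-gateway'>"
            f"{plist}</filterref></interface>")


def filter_variables(filter_xml, known_filters=None, _seen=None):
    """Return {variable: {attributes it is used in}} for a filter.

    Every attribute of every element is scanned, so variables in <mac>, <ip>,
    <arp>, ... rules are all found. <filterref> targets are followed when
    their XML is in known_filters; unknown ones (libvirt built-ins) are skipped.
    """
    known_filters = known_filters or {}
    _seen = set() if _seen is None else _seen
    root = ET.fromstring(filter_xml)
    _seen.add(root.get("name"))
    found = {}
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            for var in VAR_RE.findall(value):
                found.setdefault(var, set()).add(attr)
        target = elem.get("filter") if elem.tag == "filterref" else None
        if target in known_filters and target not in _seen:
            nested = filter_variables(known_filters[target], known_filters, _seen)
            for var, attrs in nested.items():
                found.setdefault(var, set()).update(attrs)
    return found


def check_interface(iface_xml, known_filters):
    """Report variables the interface's filter needs but does not get,
    plus MAC-typed variables whose supplied value is not a MAC address."""
    root = ET.fromstring(iface_xml)
    ref = root.find("filterref")
    if ref is None:
        return {"filter": None, "missing": [], "invalid": []}
    name = ref.get("filter")
    if name not in known_filters:
        raise KeyError(f"no XML available for filter {name!r}")
    params = {}
    for p in ref.findall("parameter"):  # a name may repeat: list-valued variable
        params.setdefault(p.get("name"), []).append(p.get("value"))
    needed = filter_variables(known_filters[name], known_filters)
    missing = sorted(set(needed) - BUILTIN_VARS - set(params))
    invalid = [(var, val) for var, attrs in needed.items() if attrs & MAC_ATTRS
               for val in params.get(var, []) if not MAC_RE.match(val)]
    return {"filter": name, "missing": missing, "invalid": invalid}


# Constructed interfaces: correct, variable forgotten, and malformed MAC.
IFACE_OK = interface_xml([("GATEWAY_MAC", "00:11:22:33:44:55")])
IFACE_MISSING = interface_xml([])
IFACE_BAD_MAC = interface_xml([("GATEWAY_MAC", "not-a-mac")])

if __name__ == "__main__":
    for label, xml in [("ok", IFACE_OK), ("missing", IFACE_MISSING),
                       ("bad-mac", IFACE_BAD_MAC)]:
        print(label, check_interface(xml, KNOWN_FILTERS))
```

The check runs without a libvirt daemon and mirrors the resolution step libvirt performs when the interface's filter is instantiated, where an unresolvable variable makes the domain fail to start; validating the MAC format up front catches the typo case that libvirt would otherwise only reject at that point. Pass the XML of the built-in filters (for example `no-ip-spoofing`, which uses `$IP`) in `known_filters` to have their variables included as well.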