edecca
From 8eb23363ec3f89792c638c72832ff99ae5ec8169 Mon Sep 17 00:00:00 2001
edecca
Message-Id: <8eb23363ec3f89792c638c72832ff99ae5ec8169@dist-git>
edecca
From: Ales Musil <amusil@redhat.com>
edecca
Date: Sun, 29 Jul 2018 16:56:18 +0200
edecca
Subject: [PATCH] examples: Add clean-traffic-gateway into nwfilters
edecca
MIME-Version: 1.0
edecca
Content-Type: text/plain; charset=UTF-8
edecca
Content-Transfer-Encoding: 8bit
edecca
edecca
The filter purpose is to simulate isolated private VLAN.
edecca
edecca
The behavior can be achieved by limiting network traffic
edecca
to traffic between VM and gateway, because there is no
edecca
concept of the PVLAN in the linux bridge.
edecca
edecca
The filter also contains parts from clean-traffic
edecca
to prevent VM from spoofing its IP and MAC address.
edecca
edecca
To use this filter the user just needs to set
edecca
the GATEWAY_MAC variable to gateway MAC address.
edecca
edecca
Signed-off-by: Ales Musil <amusil@redhat.com>
edecca
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
edecca
(cherry picked from commit ac01fbc90b7eb4ccc7a6140d618d1a3859365155)
edecca
edecca
https://bugzilla.redhat.com/show_bug.cgi?id=1603115
edecca
edecca
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
edecca
Reviewed-by: Ján Tomko <jtomko@redhat.com>
edecca
---
edecca
 .../xml/nwfilter/clean-traffic-gateway.xml    | 34 +++++++++++++++++++
edecca
 1 file changed, 34 insertions(+)
edecca
 create mode 100644 examples/xml/nwfilter/clean-traffic-gateway.xml
edecca
edecca
diff --git a/examples/xml/nwfilter/clean-traffic-gateway.xml b/examples/xml/nwfilter/clean-traffic-gateway.xml
edecca
new file mode 100644
edecca
index 0000000000..b8c204041a
edecca
--- /dev/null
edecca
+++ b/examples/xml/nwfilter/clean-traffic-gateway.xml
edecca
@@ -0,0 +1,34 @@
edecca
+<filter name='clean-traffic-gateway'>
edecca
+    
edecca
+            from a VM by
edecca
+              - preventing MAC spoofing -->
edecca
+    <filterref filter='no-mac-spoofing'/>
edecca
+
edecca
+    
edecca
+    <filterref filter='no-ip-spoofing'/>
edecca
+
edecca
+    
edecca
+    <filterref filter='no-arp-spoofing'/>
edecca
+
edecca
+    
edecca
+    <rule action='accept' direction='inout' priority='-500'>
edecca
+        <mac protocolid='arp'/>
edecca
+    </rule>
edecca
+
edecca
+    
edecca
+    <rule action='accept' direction='in'>
edecca
+        <mac match='yes' srcmacaddr='$GATEWAY_MAC'/>
edecca
+    </rule>
edecca
+
edecca
+    
edecca
+    <rule action='accept' direction='out'>
edecca
+        <mac match='yes' dstmacaddr='$GATEWAY_MAC'/>
edecca
+    </rule>
edecca
+
edecca
+    
edecca
+    and ARP -->
edecca
+    <filterref filter='no-other-l2-traffic'/>
edecca
+
edecca
+    
edecca
+    <filterref filter='qemu-announce-self'/>
edecca
+</filter>
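Review bot: The two accept rules keyed on `srcmacaddr='$GATEWAY_MAC'` and `dstmacaddr='$GATEWAY_MAC'` make the whole isolation rest on one variable, yet nothing in the file says where it must come from or that a frame carrying the gateway's MAC is trusted unconditionally; the hunk header counts 34 lines but fewer are legible here, so the original XML comments may already cover this and have been lost in this rendering. If they do not, add above the inbound rule: `<!-- $GATEWAY_MAC must be supplied as a filterref parameter; the VM will accept any frame whose source MAC equals it, so the isolation is only as strong as the segment's protection against other hosts spoofing the gateway MAC -->`. The `inout` ARP rule at priority -500 also admits ARP with any peer rather than only the gateway, which address resolution needs but which keeps the VM ARP-reachable from non-gateway hosts; a one-line comment stating that trade-off next to the rule would save the next reader from assuming full L2 isolation.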
edecca
-- 
edecca
2.18.0
edecca