Request #4955

Add libvirt net filter "clean-traffic" to all interfaces by default

Added by Kristian Feldsam over 4 years ago. Updated about 4 years ago.

Status: Closed
Start date: 12/23/2016
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Drivers - Network
Target version: -
Pull request:

Description

It would be good to have filtering implemented by default for most of the bad things a guest can do.

According to these docs: https://libvirt.org/firewall.html#name-fw-network-filter-driver

The interesting one here is 'clean-traffic'. This pulls together all the building blocks into one filter that you can then associate with a guest NIC. This stops the most common bad things a guest might try, IP spoofing, arp spoofing and MAC spoofing.

It looks like a simple implementation via the deployment XML, just by adding the IP and filterref:

<interface type='bridge'>
  <mac address='52:54:00:56:44:32'/>
  <source bridge='br1'/>
  <target dev='vnet0'/>
  <model type='virtio'/>
  <ip address='10.33.8.131'/>
  <filterref filter='clean-traffic'/>
</interface>

Please consider adding this feature request prior to the 5.4 release. Thank you.
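
An added example, not part of the original request or of the project's code: a small audit that parses a libvirt domain definition and reports which guest NICs carry the 'clean-traffic' filterref and a pinned IP. The sample XML is constructed (its second interface is invented for contrast), and the `audit_interfaces` name and the rule that a NIC needs both the filter and a pinned IP to count as compliant are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a libvirt domain definition (the shape `virsh dumpxml` returns).
# The first interface is the one from the request; the second is invented for contrast.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>guest-a</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:56:44:32'/>
      <source bridge='br1'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <ip address='10.33.8.131'/>
      <filterref filter='clean-traffic'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:56:44:33'/>
      <source bridge='br1'/>
      <target dev='vnet1'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""

def audit_interfaces(domain_xml, required_filter="clean-traffic"):
    """Return one finding per guest NIC: referenced filter and pinned IPs."""
    findings = []
    for nic in ET.fromstring(domain_xml).findall("./devices/interface"):
        mac, target, ref = nic.find("mac"), nic.find("target"), nic.find("filterref")
        # The IP can be pinned with <ip address=.../> as in the request, or with
        # <parameter name='IP' value=.../> nested inside <filterref>.
        pinned = [ip.get("address") for ip in nic.findall("ip")]
        if ref is not None:
            pinned += [p.get("value") for p in ref.findall("parameter")
                       if p.get("name") == "IP"]
        name = ref.get("filter") if ref is not None else None
        findings.append({
            "dev": target.get("dev") if target is not None else None,
            "mac": mac.get("address") if mac is not None else None,
            "filter": name,
            "pinned_ips": pinned,
            # Assumed policy: the filter must be present AND an IP must be pinned.
            "compliant": name == required_filter and bool(pinned),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE_DOMAIN_XML):
        print(finding)
```
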

History

#1 Updated by Kristian Feldsam about 4 years ago

  • Target version deleted (Release 5.4)

I figured out that there is IP/MAC spoofing protection, so there is no need for this.

#2 Updated by Ruben S. Montero about 4 years ago

  • Status changed from Pending to Closed

Perfect, Kristian, thanks for updating.

Closing this
