Add libvirt net filter "clean-traffic" to all interfaces by default
Category: Drivers - Network
It would be good to have filtering implemented by default for most of the bad things a guest can do.
According to the docs at https://libvirt.org/firewall.html#name-fw-network-filter-driver:
The interesting one here is 'clean-traffic'. This pulls together all the building blocks into one filter that you can then associate with a guest NIC. This stops the most common bad things a guest might try, IP spoofing, arp spoofing and MAC spoofing.
It looks like a simple implementation via the deployment XML, just by adding the IP and FilterRef:
<interface type='bridge'>
  <mac address='52:54:00:56:44:32'/>
  <source bridge='br1'/>
  <target dev='vnet0'/>
  <model type='virtio'/>
  <ip address='10.33.8.131'/>
  <filterref filter='clean-traffic'/>
</interface>
Please consider adding this feature request prior to the 5.4 release. Thank you.
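One way the requested default could be applied to a generated deployment XML, as an added example that is not part of the original request or of any project's code: every NIC without a filterref gets 'clean-traffic', and an address already present in the interface is passed as the filter's IP parameter. The function name `add_default_filter` and the sample domain are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment XML (illustrative, not from the request).
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:56:44:32'/>
      <source bridge='br1'/>
      <ip address='10.33.8.131'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:56:44:33'/>
      <source bridge='br2'/>
      <filterref filter='no-arp-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:56:44:34'/>
      <source bridge='br3'/>
    </interface>
  </devices>
</domain>
"""

def add_default_filter(domain_xml, default_filter="clean-traffic"):
    """Hypothetical helper: return (new_xml, macs_of_changed_nics)."""
    root = ET.fromstring(domain_xml)
    changed = []
    for nic in root.findall("./devices/interface"):
        if nic.find("filterref") is not None:
            continue  # an explicit filter was already chosen; do not override it
        ref = ET.SubElement(nic, "filterref", {"filter": default_filter})
        ip = nic.find("ip")
        if ip is not None and ip.get("address"):
            # Pin the known address instead of relying on libvirt detecting it.
            ET.SubElement(ref, "parameter",
                          {"name": "IP", "value": ip.get("address")})
        mac = nic.find("mac")
        changed.append(mac.get("address") if mac is not None else None)
    return ET.tostring(root, encoding="unicode"), changed

if __name__ == "__main__":
    xml_out, macs = add_default_filter(SAMPLE_DOMAIN)
    print(xml_out)
    print("filter added to:", macs)
```

Interfaces that already carry a filterref are reported as unchanged, so an operator's narrower or custom filter is never silently replaced by the default.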