Request #4955
Add libvirt net filter "clean-traffic" to all interfaces by default
| Status: | Closed | Start date: | 12/23/2016 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Drivers - Network | | |
| Target version: | - | | |
| Pull request: | | | |
Description
It would be good to have filtering implemented by default for most bad things a guest can do.
According to these docs: https://libvirt.org/firewall.html#name-fw-network-filter-driver
The interesting one here is 'clean-traffic'. This pulls together all the building blocks into one filter that you can then associate with a guest NIC. This stops the most common bad things a guest might try, IP spoofing, arp spoofing and MAC spoofing.
It looks like a simple implementation via the deployment XML, just by adding the IP and FilterRef:
```xml
<interface type='bridge'>
  <mac address='52:54:00:56:44:32'/>
  <source bridge='br1'/>
  <target dev='vnet0'/>
  <model type='virtio'/>
  <ip address='10.33.8.131'/>
  <filterref filter='clean-traffic'/>
</interface>
```
Please consider adding this feature request prior to the 5.4 release. Thank you.
History
#1 Updated by Kristian Feldsam about 4 years ago
- Target version deleted (Release 5.4)
I figured out that there is ipmac spoofing protection, so there is no need for this.
#2 Updated by Ruben S. Montero about 4 years ago
- Status changed from Pending to Closed
Perfect Kristian, thanks for updating.
Closing this