Request #4955

Add libvirt net filter "clean-traffic" to all interfaces by default

Added by Kristian Feldsam over 4 years ago. Updated about 4 years ago.

Status: Closed
Start date: 12/23/2016
Priority: Normal
Due date:
Assignee: -
% Done:
Category: Drivers - Network
Target version: -
Pull request:


It would be good to have filtering implemented by default for the most common bad things a guest can do.

According to these docs:

The interesting one here is 'clean-traffic'. This pulls together all the building blocks into one filter that you can then associate with a guest NIC. This stops the most common bad things a guest might try, IP spoofing, arp spoofing and MAC spoofing.

It looks like a simple implementation via the deployment XML, just by adding the IP and FilterRef:

<interface type='bridge'>
  <mac address='52:54:00:56:44:32'/>
  <source bridge='br1'/>
  <target dev='vnet0'/>
  <model type='virtio'/>
  <ip address=''/>
  <filterref filter='clean-traffic'/>
</interface>

Please consider adding this feature request prior to the 5.4 release. Thank you.
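
Added example (not part of the original request and not OpenNebula code): one way to apply the filter "to all interfaces by default" is to post-process the libvirt domain XML and attach a filterref to every NIC that has none. The function name, the sample domain and the 192.0.2.10 address are constructed for illustration; the nested parameter element with name 'IP' is libvirt's nwfilter syntax for pinning the allowed source address.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the original request).
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:56:44:32'/>
      <source bridge='br1'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:56:44:33'/>
      <source bridge='br1'/>
      <filterref filter='no-arp-spoofing'/>
    </interface>
  </devices>
</domain>
"""

def add_clean_traffic(domain_xml, ip_by_mac=None, filter_name="clean-traffic"):
    """Attach filter_name to every NIC lacking a filterref.

    ip_by_mac maps lowercase MAC -> IP (hypothetical helper input).
    Returns (new_xml, list_of_changed_macs).
    """
    ip_by_mac = ip_by_mac or {}
    root = ET.fromstring(domain_xml)
    changed = []
    for nic in root.findall("./devices/interface"):
        if nic.find("filterref") is not None:
            continue  # keep a filter the operator chose explicitly
        mac_el = nic.find("mac")
        mac = mac_el.get("address").lower() if mac_el is not None else None
        ref = ET.SubElement(nic, "filterref", {"filter": filter_name})
        # Pin the allowed source IP when it is known; if the IP variable
        # is left unset, libvirt detects it from the guest's traffic.
        ip = ip_by_mac.get(mac)
        if ip:
            ET.SubElement(ref, "parameter", {"name": "IP", "value": ip})
        changed.append(mac)
    return ET.tostring(root, encoding="unicode"), changed
```

Running the function a second time over its own output changes nothing, so it can sit in a deployment hook without stacking duplicate filterref elements.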


#1 Updated by Kristian Feldsam about 4 years ago

  • Target version deleted (Release 5.4)

I figured out that there is IP/MAC spoofing protection, so there is no need for this.

#2 Updated by Ruben S. Montero about 4 years ago

  • Status changed from Pending to Closed

Perfect Kristian, thanks for updating.

Closing this
