Network filters

Description

The network traffic filtering rules are applied on the host (as ebtables/iptables/ip6tables rules on the VM's tap device) when a virtual machine is started.

Network filters are referenced by virtual machines from within their interface description.

  ...
  <devices>
    <interface type='bridge'>
      <mac address='00:16:3e:5d:c7:9e'/>
      <filterref filter='clean-traffic'/>
    </interface>
  </devices>
  ...

The filter XML can be parameterized with variables; values are supplied per interface with <parameter> elements inside the <filterref>.

  ...
  <devices>
    <interface type='bridge'>
      <mac address='00:16:3e:5d:c7:9e'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.0.0.1'/>
      </filterref>
    </interface>
  </devices>
  ...

# rule inside the filter definition that references the variable

  ...
  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='$IP'/>
  </rule>
  ...

Since libvirt 0.9.10 a variable may hold a list of values. $VAR[@N] selects an iterator: variables sharing the same iterator id are stepped in lockstep, variables with different ids are combined, so the rule below expands to 2 x 2 = 4 rules (one per source address/port combination). If a referenced variable has no value, the VM cannot be started.

  ...
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]'/>
  </rule>
  ...

  SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
  DSTPORTS = [ 80, 8080 ]
  # a list is given as repeated <parameter> elements with the same name, one per value
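The expansion that the iterator syntax produces can be checked before a filter is defined. The Python below is an added example, not code from libvirt: it applies the documented iterator semantics to one parameterized rule (same iterator id: lists stepped in lockstep; different ids: every combination), refuses unresolved variables the way libvirt does, and renders the concrete <rule> elements. Function names such as expand_rule and render_rules are this example's own, the lists are the constructed sample values from above, and the requirement that lists sharing an iterator id have equal length is an assumption of the example.

```python
"""Expand libvirt nwfilter list-variable references into concrete rules.

Added example, not libvirt project code. It models the documented
$VAR[@N] iterator semantics so the resulting rule set can be inspected
before a filter is defined. Assumption of this example: lists that share
one iterator id must have equal length (anything else is rejected).
"""
import itertools
import re
import xml.etree.ElementTree as ET

# $VAR or $VAR[@N]; a bare $VAR is equivalent to $VAR[@0]
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)(?:\[@(\d+)\])?")


def find_vars(attrs):
    """Return {variable_name: iterator_id} for every reference in a rule's attributes."""
    refs = {}
    for value in attrs.values():
        for name, it in VAR_RE.findall(value):
            refs[name] = int(it) if it else 0
    return refs


def expand_rule(attrs, variables):
    """Return the list of concrete attribute dicts a parameterized rule produces.

    attrs     -- attributes of one protocol element, e.g. {'srcipaddr': '$SRCIPADDRESSES[@1]'}
    variables -- {name: [values...]} as supplied through <parameter> elements
    Variables with the same iterator id are stepped together; different ids are
    combined as a cartesian product (4 rules for the [@1]/[@2] example above).
    """
    refs = find_vars(attrs)
    missing = sorted(set(refs) - set(variables))
    if missing:
        # libvirt refuses to instantiate a filter with unresolvable variables
        raise ValueError(f"unresolvable variables: {missing}")

    by_iter = {}                      # iterator id -> variable names using it
    for name, it in refs.items():
        by_iter.setdefault(it, []).append(name)

    axes = []                         # one list of (iterator id, index) per iterator
    for it, names in sorted(by_iter.items()):
        lengths = {len(variables[n]) for n in names}
        if len(lengths) != 1:
            raise ValueError(f"iterator @{it}: lists of unequal length {sorted(lengths)}")
        axes.append([(it, i) for i in range(lengths.pop())])

    rules = []
    for combo in itertools.product(*axes):
        pos = dict(combo)             # iterator id -> current index

        def subst(m):
            name, it = m.group(1), int(m.group(2) or 0)
            return variables[name][pos[it]]

        rules.append({k: VAR_RE.sub(subst, v) for k, v in attrs.items()})
    return rules


def render_rules(proto, attrs, variables, action="accept", direction="in", priority="500"):
    """Render the expanded rules as the <rule> elements libvirt effectively applies."""
    out = []
    for concrete in expand_rule(attrs, variables):
        rule = ET.Element("rule", action=action, direction=direction, priority=priority)
        ET.SubElement(rule, proto, **concrete)
        out.append(ET.tostring(rule, encoding="unicode"))
    return out


# constructed sample values, matching the lists quoted in the text
VARIABLES = {
    "SRCIPADDRESSES": ["10.0.0.1", "11.1.2.3"],
    "DSTPORTS": ["80", "8080"],
}

if __name__ == "__main__":
    # different iterator ids: every address with every port -> 4 rules
    for r in render_rules("ip", {"srcipaddr": "$SRCIPADDRESSES[@1]",
                                 "dstportstart": "$DSTPORTS[@2]"}, VARIABLES):
        print(r)
    # same iterator id: address and port paired by position -> 2 rules
    for r in render_rules("ip", {"srcipaddr": "$SRCIPADDRESSES[@1]",
                                 "dstportstart": "$DSTPORTS[@1]"}, VARIABLES):
        print(r)
```

Running it prints four rules for the [@1]/[@2] form and two for the [@1]/[@1] form; changing DSTPORTS to three values while pairing it with SRCIPADDRESSES under one iterator id trips the length check, and a reference to an unsupplied variable is reported before any rule is rendered.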

# list the defined filters (the ones below ship with libvirt)
virsh nwfilter-list

UUID                                  Name
----------------------------------------------------------------
c397cdbf-2c1f-d2a0-bfda-123a8cfb19d3  allow-arp
20542fdc-eb39-8775-8250-961e9f31d1ad  allow-dhcp
84e70183-7d6c-2285-1199-747a15de40a4  allow-dhcp-server
9a6b5107-1e14-d842-1946-a3ff55a384ff  allow-incoming-ipv4
50b523b0-6e4d-db3f-2df6-5b08e53c38f8  allow-ipv4
807832e3-927f-0204-198d-2bb1d51c8774  clean-traffic
d2b539ca-8b3c-4d64-16d0-a45b5c9e9f33  no-arp-ip-spoofing
b64b2e3e-63af-bdb4-8f43-ccf468412e92  no-arp-mac-spoofing
2edd5f80-acfe-0117-1b62-2a1c9338abaa  no-arp-spoofing
b068ebc1-01e1-7a1c-48cd-76f8bd4de18a  no-ip-multicast
0b7048c4-3316-96b8-2d7e-f6bd5d856138  no-ip-spoofing
7e891c8a-4f27-8aba-a6e6-85401b0f1765  no-mac-broadcast
969146f3-2ef4-09dd-bfd7-d2c1e9008d7f  no-mac-spoofing
24e6ddf6-cd61-68ce-d9d7-5519827f7246  no-other-l2-traffic
b9967f54-075e-94b4-8dfa-cb96e33b1617  no-other-rarp-traffic
b69bfe70-4c1b-0c61-60ab-6f6890ea17f2  qemu-announce-self
b24747e3-7f00-a67f-2ffb-54e97fb5f99f  qemu-announce-self-rarp

nwfilter-dumpxml nwfilter-name

virsh nwfilter-dumpxml allow-dhcp
<filter name='allow-dhcp' chain='ipv4' priority='-700'>
  <uuid>20542fdc-eb39-8775-8250-961e9f31d1ad</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>

Note

The filter's priority attribute positions its chain relative to the other chains. A chain with a lower priority value is traversed before one with a higher value; valid values are -1000 to 1000.


nwfilter-define xmlfile
# define a filter, or redefine an existing one; the new rules are applied to running VMs that reference it

nwfilter-undefine nwfilter-name
# remove a filter; fails while a running VM still references it

nwfilter-edit nwfilter-name
# edit the filter XML in the editor named by the $EDITOR environment variable; equivalent to:
# virsh nwfilter-dumpxml myfilter > myfilter.xml
# vi myfilter.xml
# virsh nwfilter-define myfilter.xml

Filtering chains


root -> stp(-810) -> mac(-800) -> vlan(-750) -> ipv4(-700) -> ipv6(-600) -> arp(-500) -> rarp(-400)
# default chain priorities; the root chain jumps into the protocol chains in this order (lowest value first), so the page's earlier order "arp, rarp -> ipv4" was reversed

Automatic IP address detection (CTRL_IP_LEARNING)

# CTRL_IP_LEARNING selects how the IP variable is learned when it is not supplied explicitly:
#   any  (default) => take the source address of the first IP packet the VM sends; only a single address is detected
#   dhcp           => snoop the DHCP exchange and use the address(es) the server assigns
#   none           => no learning; IP must be given as a parameter
# with 'any' the guest effectively chooses the address that the anti-spoofing filters then pin, so prefer 'dhcp' (combined with allow-dhcp-server) or an explicit IP

<filterref filter='clean-traffic'>
  <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
</filterref>

References to other filters

<filter name='clean-traffic'>
    <filterref filter='no-mac-spoofing'/>
    <filterref filter='no-ip-spoofing'/>
    <filterref filter='allow-incoming-ipv4'/>
</filter>
# excerpt: the shipped clean-traffic definition (chain 'root') also references no-arp-spoofing, no-other-l2-traffic and qemu-announce-self
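To see which rules a filter built from references actually installs, and in which order the chains above see them, the Python below walks the <filterref> graph. It is an added example, not code from libvirt. The catalogue of filter XML inside it is constructed and abbreviated (modelled on the filter names on this page; the rule bodies are the example's own, not the shipped definitions), and names such as resolve and traversal_order are the example's. It applies libvirt's default chain priorities to filters that omit one and the default rule priority of 500, and rejects the two configurations libvirt also reports as errors: a reference to a filter that does not exist and a reference loop.

```python
"""Walk a libvirt nwfilter's <filterref> graph and list the rules it
instantiates in traversal order: chains with a lower priority value first,
then rules within a chain by their own priority (lower first).

Added example, not libvirt project code. CATALOGUE is a constructed,
abbreviated stand-in for `virsh nwfilter-dumpxml` output.
"""
import re
import xml.etree.ElementTree as ET

# libvirt's documented default chain priorities
DEFAULT_CHAIN_PRIORITY = {
    "stp": -810, "mac": -800, "vlan": -750,
    "ipv4": -700, "ipv6": -600, "arp": -500, "rarp": -400,
}

# Constructed sample catalogue (abbreviated; not the shipped filter bodies).
CATALOGUE = {
    "clean-traffic": """
      <filter name='clean-traffic' chain='root'>
        <filterref filter='no-mac-spoofing'/>
        <filterref filter='no-ip-spoofing'/>
        <filterref filter='allow-incoming-ipv4'/>
      </filter>""",
    "no-mac-spoofing": """
      <filter name='no-mac-spoofing' chain='mac'>
        <rule action='return' direction='out' priority='500'><mac srcmacaddr='$MAC'/></rule>
        <rule action='drop' direction='out' priority='500'><mac/></rule>
      </filter>""",
    "no-ip-spoofing": """
      <filter name='no-ip-spoofing' chain='ipv4'>
        <rule action='drop' direction='out' priority='100'><ip match='no' srcipaddr='$IP'/></rule>
      </filter>""",
    "allow-incoming-ipv4": """
      <filter name='allow-incoming-ipv4' chain='ipv4'>
        <rule action='accept' direction='in' priority='500'><ip/></rule>
      </filter>""",
    # two filters referencing each other: a loop libvirt rejects
    "loop-a": "<filter name='loop-a' chain='root'><filterref filter='loop-b'/></filter>",
    "loop-b": "<filter name='loop-b' chain='root'><filterref filter='loop-a'/></filter>",
}


def chain_priority(filt):
    """Priority of the filter's chain: explicit attribute, else the chain's default."""
    if "priority" in filt.attrib:
        return int(filt.attrib["priority"])
    chain = filt.get("chain", "root")
    # user chains are named <protocol>-<suffix>; the protocol prefix selects the default
    return DEFAULT_CHAIN_PRIORITY.get(chain.split("-", 1)[0], 0)


def resolve(name, catalogue, _path=()):
    """Recursively collect the rules reachable from filter `name` as dicts.

    Raises ValueError for a reference to an undefined filter or a reference loop.
    """
    if name in _path:
        raise ValueError("filter reference loop: " + " -> ".join(_path + (name,)))
    if name not in catalogue:
        raise ValueError(f"undefined filter referenced: {name}")
    filt = ET.fromstring(catalogue[name].strip())
    rules = []
    for child in filt:
        if child.tag == "filterref":
            rules.extend(resolve(child.get("filter"), catalogue, _path + (name,)))
        elif child.tag == "rule":
            match = child[0] if len(child) else None
            rules.append({
                "filter": name,
                "chain": filt.get("chain", "root"),
                "chain_priority": chain_priority(filt),
                "action": child.get("action"),
                "direction": child.get("direction"),
                "priority": int(child.get("priority", "500")),   # libvirt default rule priority
                "match": ET.tostring(match, encoding="unicode").strip() if match is not None else "",
            })
    return rules


def traversal_order(name, catalogue):
    """Rules in the order the host tables see them: chain priority, then rule priority."""
    return sorted(resolve(name, catalogue), key=lambda r: (r["chain_priority"], r["priority"]))


def required_variables(name, catalogue):
    """Variables ($IP, $MAC, ...) that must be supplied or learned before the VM can start."""
    return sorted({v for r in resolve(name, catalogue)
                   for v in re.findall(r"\$([A-Za-z_][A-Za-z0-9_]*)", r["match"])})


if __name__ == "__main__":
    for r in traversal_order("clean-traffic", CATALOGUE):
        print(f"{r['chain']:>5}({r['chain_priority']}) {r['priority']:>4} "
              f"{r['direction']:>3} {r['action']:<6} {r['filter']:<20} {r['match']}")
    print("variables needed:", required_variables("clean-traffic", CATALOGUE))
```

For the constructed catalogue the mac chain (-800) is listed before the ipv4 chain (-700), and within ipv4 the no-ip-spoofing drop (priority 100) precedes the allow-incoming-ipv4 accept (500); the filter needs IP and MAC, which is why CTRL_IP_LEARNING or an explicit IP parameter matters for clean-traffic.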

no-arp-spoofing
# Prevent a VM from spoofing ARP traffic; this filter only allows ARP request and reply messages and enforces that those packets contain the MAC and IP addresses of the VM.

allow-dhcp
# Allow a VM to request an IP address via DHCP (from any DHCP server)

allow-dhcp-server
# Allow a VM to request an IP address from a specified DHCP server. The dotted decimal IP address of the DHCP server must be provided in a reference to this filter. The name of the variable must be DHCPSERVER.

no-ip-spoofing
# Prevent a VM from sending IP packets whose source IP address differs from the one assigned to it (the IP parameter, or the address learned per CTRL_IP_LEARNING).

no-ip-multicast
# Prevent a VM from sending IP multicast packets.

clean-traffic
# Prevent MAC, IP and ARP spoofing. This filter references several other filters as building blocks.