libvirt mac/ip filtering

Sad. I'm currently looking for a cloud platform to offer IaaS or virtual machines. I have a lot of experience with Proxmox as an enterprise-level virt. solution and like it a lot. But it seems it is hard to implement it for public cloud services? Or are there some ways to restrict a user to only the IP that was given to him by the DHCP server? Currently spoofing is a very serious problem that has to be solved.
 
It looks like you can do most of this, if not everything, with iptables on the host. iptables really is your friend for anything and everything. It's like the emacs of networking.
 
Thanks!

Yes, looks like you can do it with iptables and ebtables. However the libvirt filter seems to be the most sophisticated approach.
 
1) Create a VLAN and bind this VLAN to a bridge
2) Connect a VM to this bridge
3) Distribute IPs through DHCP
4) iptables using -m mac --mac-source

Everything wrapped inside one or more scripts.
 
I also found -m physdev --physdev vethXXX.0 to be working nicely, so you don't even have to worry about the MACs.
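
Added example, not code from any poster in this thread: a rule generator that combines the `-m mac --mac-source` match from the four-step list with the per-port `-m physdev` match from the last reply, and adds the ebtables ARP rules that iptables cannot express. It uses the physdev match's `--physdev-in` option; the function names, the interface name `tap100i0`, the MAC and the IP are constructed placeholders.

```shell
#!/bin/sh
# Added example: prints (does not apply) anti-spoofing rules for one VM port.
# Assumes br_netfilter is loaded with net.bridge.bridge-nf-call-iptables=1,
# otherwise bridged frames never reach the iptables FORWARD chain.
# Covers guest-to-network traffic only; packets addressed to the host itself
# (e.g. a DHCP server on the host) pass through INPUT instead.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for as_octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$as_octet" -le 255 ] || return 1   # reject octets above 255
    done
}

# antispoof_rules IFACE MAC IP -> rule lines on stdout, status 2 on bad input
antispoof_rules() {
    as_if=$1 as_mac=$2 as_ip=$3
    case $as_if in ''|*[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 2;; esac
    valid_mac "$as_mac" || { echo "bad MAC: $as_mac" >&2; return 2; }
    valid_ipv4 "$as_ip" || { echo "bad IPv4: $as_ip" >&2; return 2; }
    as_port="-m physdev --physdev-in $as_if --physdev-is-bridged"

    # DHCP requests come from 0.0.0.0 before the guest holds a lease.
    echo "iptables -A FORWARD $as_port -m mac --mac-source $as_mac -s 0.0.0.0 -p udp --sport 68 --dport 67 -j ACCEPT"
    # Only the leased IP, sent from the assigned MAC, may leave this port.
    echo "iptables -A FORWARD $as_port -m mac --mac-source $as_mac -s $as_ip -j ACCEPT"
    echo "iptables -A FORWARD $as_port -j DROP"
    # iptables never sees ARP, so pin the ARP sender fields with ebtables.
    echo "ebtables -A FORWARD -i $as_if -s $as_mac -p ARP --arp-mac-src $as_mac --arp-ip-src $as_ip -j ACCEPT"
    echo "ebtables -A FORWARD -i $as_if -p ARP -j DROP"
}

# Constructed sample values (documentation IP range, made-up tap name and MAC).
antispoof_rules tap100i0 52:54:00:12:34:56 192.0.2.10
```

Review the printed rules before piping them to a root shell; rule order matters because the per-port DROP must come after both ACCEPT rules.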