Network filters in oVirt: zero-trust, IP and port filtering

Good people of the community,

Hope you are all doing well. We are exploring the network filters in oVirt to check if we can implement a zero-trust model at the network level. The intention is to have a filter which takes two parameters, IP and PORT. After that there will be a 'deny all' rule. We realized that none of the default network filters offer such functionality and the only option is to write a custom filter.

Why don't we have such a filter in libvirt, and thereby in oVirt? Someone would've already thought about such a use case. So I was thinking maybe network filters aren't meant to be used for implementing functionality like zero-trust?

Also, what are some practical use cases of the default filters that are provided? I was able to understand and use clean-traffic and clean-traffic-gateway.

Regards,
ravi

On Wed, Feb 9, 2022 at 6:54 AM ravi k <kottapar@gmail.com> wrote:
> Good people of the community,

Hi,

> Hope you are all doing well. We are exploring the network filters in oVirt to check if we can implement a zero-trust model at the network level. The intention is to have a filter which takes two parameters, IP and PORT. After that there will be a 'deny all' rule. We realized that none of the default network filters offer such functionality and the only option is to write a custom filter.
> Why don't we have such a filter in libvirt, and thereby in oVirt? Someone would've already thought about such a use case. So I was thinking maybe network filters aren't meant to be used for implementing functionality like zero-trust?

You can definitely implement this filter on your own and, if you feel it is a good solution, send a patch to libvirt. oVirt really depends on what is configured in libvirt, so if you define your filter you can use it from the engine under some conditions:
1) You need to make sure that all hosts have this filter.
2) You need to define this filter in the engine DB; otherwise you would need some kind of hook to apply it.

> Also, what are some practical use cases of the default filters that are provided? I was able to understand and use clean-traffic and clean-traffic-gateway.

You can read what the predefined filters can offer in https://libvirt.org/formatnwfilter.html#nwfexamples

> Regards, ravi
> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-leave@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/J2PUNVD7N45X7Y...

Regards,
Ales
--
Ales Musil
Senior Software Engineer - RHV Network
Red Hat EMEA <https://www.redhat.com>
amusil@redhat.com

> you can use it from the engine under some conditions. 1) You need to make sure that all hosts have this filter. 2) You need to define this filter in the engine DB; otherwise you would need some kind of hook to apply it.

Thanks a lot for that. If there's any doc that hints at how to define the filter in the engine DB, can you please point me there? Right now I'm creating a filter to test this functionality. Once it's working I'll try defining it in the DB. Also, if it's working as expected, we'll submit it to libvirt as well.

Regards,
ravi

On Wed, Feb 9, 2022 at 7:25 AM ravi k <kottapar@gmail.com> wrote:
> > you can use it from the engine under some conditions. 1) You need to make sure that all hosts have this filter. 2) You need to define this filter in the engine DB; otherwise you would need some kind of hook to apply it.
> Thanks a lot for that. If there's any doc that hints at how to define the filter in the engine DB, can you please point me there?

This query should do the trick:

    INSERT INTO network_filter VALUES (uuid_generate_v1(), 'clean-traffic-gateway', '4.6');

Instead of 'clean-traffic-gateway' insert the name of your filter. The third parameter is the cluster version, which you can find in your cluster definition; if you are past 4.4.6 it should be 4.6. Once this is done you should see the filter available in the list on vNIC profiles.

> Right now I'm creating a filter to test this functionality. Once it's working I'll try defining it in the DB. Also, if it's working as expected, we'll submit it to libvirt as well.

If the filter gets accepted to libvirt, feel free to open a PR on ovirt-engine to include this filter for other oVirt users.

> Regards, ravi

Regards,
Ales

I've created the below filter. The intention is that it will allow incoming traffic only from the SRCIP parameter and within the port range. However, I'm still able to access the VM from other IPs as well. We are running oVirt 4.3 and the networks are VLAN tagged.

    virsh -r nwfilter-dumpxml clean-ip-port-filter
    <filter name='clean-ip-port-filter' chain='root'>
      <uuid>f9d2ff6b-db31-41a0-8f1b-97dc0166c10a</uuid>
      <rule action='accept' direction='in' priority='500'>
        <tcp srcipaddr='$SRCIP' dstportstart='$PORTSTART' dstportend='$PORTEND'/>
      </rule>
    </filter>

Could it be because of the statement "VLAN (802.1Q) packets, if sent by a virtual machine, cannot be filtered with rules for protocol IDs arp, rarp, ipv4 and ipv6 but only with protocol IDs mac and vlan." in https://libvirt.org/formatnwfilter.html? If netfilters do not work with VLAN packets, is there any other way I can implement such filtering?

Regards,
Ravi
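As an added example (not code from libvirt, oVirt or anyone in this thread), the script below generates the complete "accept IP/port, then deny all" filter the first post asks for, the domain-XML <filterref> that binds its variables, and a small structural audit that can be run over `virsh nwfilter-dumpxml` output. The filter name allow-ip-port-deny-rest and the variable names SRCIP, PORTSTART and PORTEND are this example's own choices. libvirt evaluates rules in ascending priority order within the -1000..1000 range, so the 'deny all' is a drop rule at priority 1000 placed after the accept; the two L2 accepts for the ipv4 and arp ethertypes are modelled on libvirt's built-in clean-traffic filter, and the trailing filterref to libvirt's no-other-l2-traffic filter drops any remaining L2 protocol. The caveat a practitioner wants: the drop catches every inbound packet not accepted above it, so anything the guest legitimately needs besides the one flow (DHCP, ICMP, IPv6, replies to connections the guest opens) must either be admitted by an earlier rule or is gone; verify from inside the guest as well as from the permitted and a non-permitted client.

```python
"""libvirt nwfilter: allow one source IP to a TCP port range, deny the rest.

Added example for this thread; it is not code from libvirt, oVirt or the
thread's authors. The filter name 'allow-ip-port-deny-rest' and the variable
names SRCIP / PORTSTART / PORTEND are this example's own choices.
"""
import re
import xml.etree.ElementTree as ET

# libvirt evaluates rules in ascending priority order (valid range -1000..1000),
# so the catch-all drop must carry the numerically highest priority.
PRIORITY_MIN, PRIORITY_MAX = -1000, 1000
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def build_filter(name="allow-ip-port-deny-rest"):
    """Return nwfilter XML, as a string, for `virsh nwfilter-define`."""
    flt = ET.Element("filter", name=name, chain="root")

    def rule(action, direction, priority, proto, **attrs):
        r = ET.SubElement(flt, "rule", action=action, direction=direction,
                          priority=str(priority))
        ET.SubElement(r, proto, **attrs)

    # L2: let IPv4 frames reach the IP-layer rules and keep ARP working
    # (the same two ethertype accepts libvirt's clean-traffic filter uses).
    rule("accept", "inout", -650, "mac", protocolid="ipv4")
    rule("accept", "inout", -500, "mac", protocolid="arp")
    # L3/L4: the single permitted inbound flow; values are bound per vNIC.
    rule("accept", "in", 500, "tcp", srcipaddr="$SRCIP",
         dstportstart="$PORTSTART", dstportend="$PORTEND")
    # Deny-all: every other inbound IPv4 packet ('all' = all IPv4 traffic).
    rule("drop", "in", PRIORITY_MAX, "all")
    # Any other L2 protocol (IPv6 etc.) is dropped by libvirt's shipped filter.
    ET.SubElement(flt, "filterref", filter="no-other-l2-traffic")
    return ET.tostring(flt, encoding="unicode")


def build_filterref(name, srcip, portstart, portend):
    """<interface> child for a domain XML that binds the filter's variables.

    oVirt does the same binding per vNIC ("Network Filter Parameters").
    """
    ref = ET.Element("filterref", filter=name)
    for var, val in (("SRCIP", srcip), ("PORTSTART", str(portstart)),
                     ("PORTEND", str(portend))):
        ET.SubElement(ref, "parameter", name=var, value=val)
    return ET.tostring(ref, encoding="unicode")


def audit_filter(xml_text):
    """Structural sanity check of a filter, e.g. `virsh nwfilter-dumpxml` output.

    Reports the variables the filter references, whether an inbound catch-all
    drop exists, and whether that drop has a higher priority number than every
    inbound accept (i.e. is evaluated after them). It checks the XML only; it
    does not model what libvirt installs in ebtables/iptables.
    """
    root = ET.fromstring(xml_text)
    accepts_in, drops_all_in = [], []
    for rule in root.iter("rule"):
        prio = int(rule.get("priority", "500"))  # libvirt's default is 500
        if not PRIORITY_MIN <= prio <= PRIORITY_MAX:
            raise ValueError(f"priority {prio} outside {PRIORITY_MIN}..{PRIORITY_MAX}")
        if rule.get("direction") not in ("in", "inout") or len(rule) == 0:
            continue
        proto = rule[0]
        if rule.get("action") == "accept":
            accepts_in.append(prio)
        elif (rule.get("action") in ("drop", "reject")
              and proto.tag in ("all", "mac") and not proto.attrib):
            drops_all_in.append(prio)  # protocol element with no match = catch-all
    has_deny_all = bool(drops_all_in)
    return {
        "variables": sorted(set(VAR_RE.findall(xml_text))),
        "has_deny_all": has_deny_all,
        "deny_all_last": has_deny_all and all(p < min(drops_all_in) for p in accepts_in),
    }


if __name__ == "__main__":
    xml_text = build_filter()
    print(xml_text)
    # Constructed sample binding: one admin host, HTTPS only.
    print(build_filterref("allow-ip-port-deny-rest", "10.0.0.5", 443, 443))
    print(audit_filter(xml_text))
```

Save the printed filter to a file and load it with `virsh nwfilter-define` on every host (the first of the two conditions above), then register the name in the engine DB with the INSERT shown earlier in the thread. Running `audit_filter` over a dumped filter that has only an accept rule reports `has_deny_all: False`, which is the quickest way to confirm a filter is allow-listing rather than denying.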