[ovirt-users] Re: Network filters in oVirt : zero-trust, IP and port filtering

2022-04-01 Thread ravi k
I've created the below filter. The intention is that it will allow incoming 
traffic only from SRCIP parameter and within the port range. 
However I'm still able to access the VM from other IPs as well. We are running 
oVirt 4.3 and the networks are vlan tagged. 

 virsh -r nwfilter-dumpxml clean-ip-port-filter

   f9d2ff6b-db31-41a0-8f1b-97dc0166c10a


Could it be because of the statement "VLAN (802.1Q) packets, if sent by a 
virtual machine, cannot be filtered with rules for protocol IDs arp, rarp, ipv4 
and ipv6 but only with protocol IDs mac and vlan." in 
https://libvirt.org/formatnwfilter.html?
If netfilters do not work with vlan packets, is there any other way I can 
implement such filtering?

Regards,
Ravi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/26QZXVTPR32XMZXXUZUXLAEGM6NK62DR/
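Editor's note: Ravi's filter XML did not survive archiving (only the UUID is left in the dumpxml output above), so the following is an added illustration of what a parameterized "allow one source IP to a port range, deny the rest" filter looks like in the libvirt nwfilter format (https://libvirt.org/formatnwfilter.html). It is not the filter from the thread. The filter name and UUID are taken from the dumpxml output; the parameter names SRCIP, PORTSTART and PORTEND are assumptions, as is the choice to admit ARP so the VM stays resolvable at all.

```xml
<filter name='clean-ip-port-filter' chain='root'>
  <!-- UUID as shown in the nwfilter-dumpxml output in the thread -->
  <uuid>f9d2ff6b-db31-41a0-8f1b-97dc0166c10a</uuid>

  <!-- Accept inbound TCP from the address supplied as $SRCIP to the
       destination port range $PORTSTART..$PORTEND (parameter names are
       assumptions). Lower priority values are evaluated first. -->
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='$SRCIP' protocol='tcp'
        dstportstart='$PORTSTART' dstportend='$PORTEND'/>
  </rule>

  <!-- Without ARP the VM's neighbours cannot resolve its MAC, so even
       $SRCIP would lose reachability; admit ARP in both directions. -->
  <rule action='accept' direction='inout' priority='510'>
    <arp/>
  </rule>

  <!-- Default deny: everything else arriving at the VM is dropped. -->
  <rule action='drop' direction='in' priority='1000'>
    <all/>
  </rule>
</filter>
```

Two checks worth doing before concluding the filter itself is at fault: first, `virsh dumpxml <vm>` must show a `<filterref filter='clean-ip-port-filter'>` element on the interface, with one `<parameter name='...' value='...'/>` per variable; `nwfilter-dumpxml` only proves the filter is defined on that host, not that it is bound to the vNIC. Second, per the documentation passage quoted in the thread, the `ip` accept rule cannot match 802.1Q-tagged frames; if frames reach the tap device still tagged, only the `mac` and `vlan` protocol IDs can match them, so an IP/port allow-list has to be enforced at a point where the traffic is untagged.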


[ovirt-users] Re: Network filters in oVirt : zero-trust, IP and port filtering

2022-02-08 Thread Ales Musil
On Wed, Feb 9, 2022 at 7:25 AM ravi k  wrote:

> > you can use it from the engine under some conditions.
> > 1) You need to make sure that all hosts have this filter.
> > 2) You need to define this filter in engine DB otherwise you would need
> > some kind of hook to apply it.
>
> Thanks a lot for that. If there's any doc that hints on how to define the
> filter in the engine DB, can you please point me there?


This query should do the trick:
INSERT INTO network_filter VALUES (uuid_generate_v1(),
'clean-traffic-gateway', '4.6');

Instead of  'clean-traffic-gateway' insert the name of your filter.
The third parameter is cluster version which you can find in your cluster
definition,
if you are past 4.4.6 it should be 4.6.

Once this is done you should see the filter available in the list on vNIC
profiles.



> Right now I'm creating a filter to test for this functionality. Once it's
> working I'll then try defining it in the DB.
> Also if it's working as expected we'll submit it to libvirt as well.
>

If the filter gets accepted to libvirt, feel free to open PR on
ovirt-engine to include this filter for other oVirt users.


>
> Regards,
> ravi

Regards,
Ales

-- 

Ales Musil

Senior Software Engineer - RHV Network

Red Hat EMEA 

amu...@redhat.com   IM: amusil

List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WKDM5HDZKQJ5C7PNDNDUJ4U7ZZP5CYLW/


[ovirt-users] Re: Network filters in oVirt : zero-trust, IP and port filtering

2022-02-08 Thread ravi k
> you can use it from the engine under some conditions.
> 1) You need to make sure that all hosts have this filter.
> 2) You need to define this filter in engine DB otherwise you would need
> some kind of hook to apply it.

Thanks a lot for that. If there's any doc that hints on how to define the 
filter in the engine DB, can you please point me there? Right now I'm creating 
a filter to test for this functionality. Once it's working I'll then try 
defining it in the DB. 
Also if it's working as expected we'll submit it to libvirt as well. 

Regards,
ravi
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/6DTFTTGNWTNRQQ3V2PMED6BMOKWPQJ66/


[ovirt-users] Re: Network filters in oVirt : zero-trust, IP and port filtering

2022-02-08 Thread Ales Musil
On Wed, Feb 9, 2022 at 6:54 AM ravi k  wrote:

> Good people of the community,
>

Hi,


> Hope you are all doing well. We are exploring the network filters in oVirt
> to check if we can implement a zero-trust model at the network level. The
> intention is to have a filter which takes two parameters, IP and PORT.
> After that there will be a 'deny all' rule. We realized that none of the
> default network filters offer such a functionality and the only option is
> to write a custom filter
>
> Why don't we have such a filter in libvirt and thereby in oVirt? Someone
> would've already thought about such a use case. So I was thinking maybe
> network filters aren't meant to be used for implementing such
> functionalities like zero-trust?
>

You can definitely implement this filter on your own and if you feel like
it is a good solution send a patch to libvirt. oVirt really depends on what
is configured in libvirt, so if you define you filter
you can use it from the engine under some conditions.
1) You need to make sure that all hosts have this filter.
2) You need to define this filter in engine DB otherwise you would need
some kind of hook to apply it.


>
> Also what are some practical use cases of the default filters that are
> provided? I was able to understand and use the clean-traffic and
> clean-traffic-gateway.
>

You can read what the predefined filters can offer in
https://libvirt.org/formatnwfilter.html#nwfexamples


>
> Regards,
> ravi

Regards,
Ales

-- 

Ales Musil

Senior Software Engineer - RHV Network

Red Hat EMEA 

amu...@redhat.com   IM: amusil

List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/DA3YUL4UXMIPAS4MRP75CON2TJYHSR63/