Hi.

On Thu, May 17, 2018 at 08:11:06PM +0200, Chris wrote:
> All,
>
> I'd like to filter network traffic of KVM guests.
>
> case A:
> - no MAC / IP Spoofing
> - isolate guest, connections to the gateway only
> - no connection to the KVM host
> - no NAT
> - maybe contradictory: same subnet as KVM host

Either ebtables (for a conventional bridge) or macvtap in private mode will do it.
Openvswitch will work too, but it's nowhere near macvtap in simplicity.

> case B:
> - no MAC / IP Spoofing
> - isolate guest, connections to the gateway only
> - no connection to the KVM host
> - no NAT
> - some guests should share a "private VLAN"

Ditto, but combine private macvtap with an external reflector switch.

> What's the easiest way to separate KVM guests' traffic on the host?
>
> I read it's deprecated to use iptables on a linux bridge. [1]

Yup, you should not. Besides, iptables is for IP-based protocols anyway.
There is ebtables if you really need to deal with the bridges.

> I don't like the libvirt (NAT) iptables rules. The default libvirt
> network connections aren't secure the way they are pre-configured.
> A good summary is in [2] (German only).

It's designed with desktop virtualization in mind, so it's no wonder it's unsuitable for anything even remotely looking like a server :).

> Is Open vSwitch a viable solution? Can OVS ACLs (or firewall) be used
> instead of iptables?

You got it wrong. If you're implementing openvswitch, you *have* to utilize its flows instead of iptables.
Openvswitch bypasses netfilter by design.

Reco
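The ebtables variant of "case A" that the reply points to, written out as an added example; it is not part of the thread and not any project's code. It assumes a conventional Linux bridge with the guest attached via a tap interface (vnet0 here), a statically addressed guest, and a single gateway on the bridge; the interface name, MAC and IP values are made up for illustration. `ebtables_rules` only prints the commands so they can be reviewed before `load_rules` feeds them to the shell as root.

```shell
#!/bin/sh
# Added example (not from the thread): per-guest ebtables rules for "case A" on
# a conventional Linux bridge: no MAC/IP spoofing, frames exchanged with the
# gateway only, no guest<->host traffic, no NAT. Interface, MAC and IP values
# are assumptions. Requires root and the legacy ebtables tool to actually load.

# ebtables_rules TAP GUEST_MAC GUEST_IP GW_MAC GW_IP
# Prints the rules; rule order matters, so keep the ACCEPTs ahead of the
# catch-all DROPs. Comment lines are passed through and ignored by sh.
ebtables_rules() {
    tap=$1 mac=$2 ip=$3 gw_mac=$4 gw_ip=$5
    cat <<EOF
# per-guest chains; the last rule of each is an explicit DROP
ebtables -N in-$tap
ebtables -N out-$tap
# frames FROM the guest (arrive on $tap, bridged via FORWARD)
# 1. layer-2 source must be the guest's own MAC
ebtables -A in-$tap -s ! $mac -j DROP
# 2. ARP payload must carry the guest's MAC and IP (no ARP poisoning)
ebtables -A in-$tap -p ARP --arp-mac-src ! $mac -j DROP
ebtables -A in-$tap -p ARP --arp-ip-src ! $ip -j DROP
# 3. ARP only towards the gateway (requests are broadcast, so match the IP)
ebtables -A in-$tap -p ARP --arp-ip-dst $gw_ip -j ACCEPT
# 4. IPv4 source must be the guest's own address, destination the gateway MAC
ebtables -A in-$tap -p IPv4 --ip-src ! $ip -j DROP
ebtables -A in-$tap -p IPv4 -d $gw_mac -j ACCEPT
# 5. everything else (other guests, broadcast, IPv6, ...) is dropped
ebtables -A in-$tap -j DROP
# frames TO the guest (leave on $tap): only the gateway may talk to it
ebtables -A out-$tap -s $gw_mac -j ACCEPT
ebtables -A out-$tap -j DROP
# hook the chains into the bridged path
ebtables -A FORWARD -i $tap -j in-$tap
ebtables -A FORWARD -o $tap -j out-$tap
# no connection to the KVM host itself, in either direction, even on the
# same subnet: INPUT/OUTPUT are the bridge's own (host) traffic in ebtables
ebtables -A INPUT -i $tap -j DROP
ebtables -A OUTPUT -o $tap -j DROP
EOF
}

# remove_rules TAP: undo everything ebtables_rules installed for that guest
remove_rules() {
    tap=$1
    cat <<EOF
ebtables -D FORWARD -i $tap -j in-$tap
ebtables -D FORWARD -o $tap -j out-$tap
ebtables -D INPUT -i $tap -j DROP
ebtables -D OUTPUT -o $tap -j DROP
ebtables -F in-$tap
ebtables -F out-$tap
ebtables -X in-$tap
ebtables -X out-$tap
EOF
}

# load_rules TAP GUEST_MAC GUEST_IP GW_MAC GW_IP: review first, then apply
load_rules() {
    ebtables_rules "$@" | sh -e
}

# Usage: sh guest-ebtables.sh vnet0 52:54:00:aa:bb:cc 192.0.2.10 00:11:22:33:44:55 192.0.2.1
if [ "$#" -eq 5 ]; then
    load_rules "$@"
fi
```

Two caveats a practitioner should keep in mind. "Connections to the gateway only" is enforced at layer 2: the guest can only exchange frames with the gateway's MAC, so what it may reach beyond the gateway is the gateway's firewall's job, and this ruleset alone does not separate guests that sit behind the same gateway at layer 3. The final DROP rules also kill DHCP (source 0.0.0.0) and IPv6 neighbour discovery, so the guest must be configured statically, or those must be allowed explicitly before the catch-all.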

