Re: [CentOS-virt] Network isolation for KVM guests (SOLVED)

2017-04-04 Thread Nux!
Ok, sure.

For bridging physical with wireless you could use parprouted.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt


Re: [CentOS-virt] Network isolation for KVM guests (SOLVED)

2017-04-04 Thread C. L. Martinez
This can be if one of these interfaces isn't a wireless nic. But I need to use 
a wireless nic and another phys nic.

At least, I have solved the problem using network namespaces. All works ok and 
as expected now.

Many thanks to all for your help

On Tue, Apr 04, 2017 at 10:39:05AM +0100, Nux! wrote:
> Just create a bridge, hook the host physical interface that you want in it, 
> hook the VMs interface in it, done.
> No need for passthrough.
> 
> This can be done via libvirt/virsh or if a UI is wanted then virt-manager 
> makes this really easy.
> 
> Now assign an IP in the VM and it should work. You don't need to assign any 
> IP on the host interface itself. Rinse and repeat for the rest of the 
> interfaces.

-- 
Greetings,
C. L. Martinez
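
The network-namespace approach mentioned in this message, as an added example that is not part of the original post and not the poster's actual configuration: a dry-run shell planner that moves the two uplinks named in the thread (eth1 and wlan0) into a namespace, plus a check that no host route still uses them. The namespace name fwns, the phy name phy0 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: namespace "fwns",
# wireless phy "phy0", documentation-range addresses in the samples.
# eth1 and wlan0 are the uplink interfaces named in the thread.

NS=${NS:-fwns}

# Print the commands that move the uplinks into $NS. Once moved, their
# addresses and routes exist only inside the namespace, so the host's
# routing tables no longer hold a path to the public routers.
# A wireless interface cannot be moved with "ip link"; its phy is moved
# with iw instead (the driver must support namespaces).
plan_isolation() {
    wired=$1 wifi_phy=$2 wifi_if=$3
    cat <<EOF
ip netns add $NS
ip link set dev $wired netns $NS
iw phy $wifi_phy set netns name $NS
ip netns exec $NS ip link set dev lo up
ip netns exec $NS ip link set dev $wired up
ip netns exec $NS ip link set dev $wifi_if up
EOF
    # Addressing, wpa_supplicant and the link towards the firewall VM are
    # then configured inside the namespace (ip netns exec $NS ...).
}

# Read "ip route show table all" style lines on stdin and print every route
# that still uses one of the given devices. No output means the host holds
# no route through the isolated uplinks.
leaking_routes() {
    while IFS= read -r line; do
        for dev in "$@"; do
            case " $line " in
                *" dev $dev "*) printf '%s\n' "$line"; break ;;
            esac
        done
    done
}

# Constructed sample: host routing table before isolation.
sample_routes_before() {
    cat <<'EOF'
default via 203.0.113.1 dev eth1 proto static metric 100
default via 198.51.100.1 dev wlan0 proto static metric 600
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.5
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.20
EOF
}

# Constructed sample: host routing table after eth1 and wlan0 were moved.
sample_routes_after() {
    echo "192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.5"
}

# Default is a dry run that only prints the plan. APPLY=1 (as root) runs it
# and then lists any host route that still references the uplinks.
main() {
    if [ "${APPLY:-0}" = 1 ]; then
        plan_isolation eth1 phy0 wlan0 | sh -e
        ip route show table all | leaking_routes eth1 wlan0
    else
        plan_isolation eth1 phy0 wlan0
    fi
}

main
```

Host services bound to 0.0.0.0 stay reachable only through interfaces left in the root namespace (eth0 here), which is the separation the thread asks for.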


Re: [CentOS-virt] Network isolation for KVM guests

2017-04-04 Thread Nux!
Just create a bridge, hook the host physical interface that you want in it, 
hook the VMs interface in it, done.
No need for passthrough.

This can be done via libvirt/virsh or if a UI is wanted then virt-manager makes 
this really easy.

Now assign an IP in the VM and it should work. You don't need to assign any IP 
on the host interface itself. Rinse and repeat for the rest of the interfaces.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro



Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread C. L. Martinez
On Fri, Mar 31, 2017 at 05:06:53PM +0200, Sven Kieske wrote:
> On 31/03/17 15:55, C. L. Martinez wrote:
> > I need to attach two physical interfaces to a guest and these phy 
> > interfaces have IP and routes assigned and I need to get them off the main 
> > routing table.
> 
> I do not understand this.
> 
> You can attach a physical (or virtual, doesn't matter), interface to any
> given vm, without assigning routes or IPs to these interfaces directly.

No, I can't because this host doesn't support PCI passthrough. One of these 
interfaces is a wireless nic.

> 
> Just do the network configuration inside the vm, and the routing, well
> on your router? You will just need the route for the vm networks on your
> host, but what is your attack scenario to keep this separated from other
> routes on this host? you need at least CAP_NET_ADMIN to fiddle with those.

How? If the same host routes Internet traffic in the main routing table I 
expose host's services to Internet.



-- 
Greetings,
C. L. Martinez


Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread Sven Kieske
On 31/03/17 15:55, C. L. Martinez wrote:
> I need to attach two physical interfaces to a guest and these phy interfaces 
> have IP and routes assigned and I need to get them off the main routing table.

I do not understand this.

You can attach a physical (or virtual, doesn't matter), interface to any
given vm, without assigning routes or IPs to these interfaces directly.

Just do the network configuration inside the vm, and the routing, well
on your router? You will just need the route for the vm networks on your
host, but what is your attack scenario to keep this separated from other
routes on this host? you need at least CAP_NET_ADMIN to fiddle with those.

-- 
Kind regards

Sven Kieske

System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +495772 293100
F: +495772 29
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Bad Oeynhausen Local Court
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Bad Oeynhausen Local Court





Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread C. L. Martinez
On Fri, Mar 31, 2017 at 06:14:22AM -0400, Dima (Dan) Yasny wrote:
> On Fri, Mar 31, 2017 at 5:56 AM, C. L. Martinez wrote:
> 
> > On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
> > > Use libvirt with mac/ip spoofing enabled.
> > >
> > > https://libvirt.org/formatnwfilter.html
> > >
> > > https://libvirt.org/firewall.html
> > >
> > > --
> > > Sent from the Delta quadrant using Borg technology!
> > >
> > Thanks Nux and Kristian but I don't see if these solutions will be really
> > effective in my environment. Let me explain. In this host I have three
> > physical interfaces: eth0, eth1 and wlan0.
> >
> > eth0 is connected to my internal network. eth1 is connected to a public
> > router and wlan0 is connected to another public router. wlan0 and eth1 are
> > bonded to provide failover Internet connections. CPU doesn't support pci
> > passthrough (pci passthrough would solve my problems).
> >
> 
> If assigning a NIC directly to a VM would solve the problem, you could try
> using macvtap instead of PCI passthrough
> 
> 

Oops .. bad luck (according to https://access.redhat.com/solutions/1978833):

Does bridge/macvtap interfaces work on wireless interfaces in RHEL?
SOLUTION VERIFIED - Updated October 2 2015 at 6:23 PM - English

Environment

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Issue

If a bridge/macvtap interface is created using a wireless adapter, it fails to 
communicate. However, the wired physical ethernet card works without an issue.

Resolution

Communication over an interface that's bridged with a wireless interface (Wi-Fi) 
won't work because most Access Points (APs) won't accept frames that have a 
source address that is not authenticated with the AP. The same holds true with 
APs that allow open authentication (without password).
Bridging can be done only with physical ethernet controllers.


-- 
Greetings,
C. L. Martinez


Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread Dima (Dan) Yasny
On Fri, Mar 31, 2017 at 5:56 AM, C. L. Martinez wrote:

> On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
> > Use libvirt with mac/ip spoofing enabled.
> >
> > https://libvirt.org/formatnwfilter.html
> >
> > https://libvirt.org/firewall.html
> >
> > --
> > Sent from the Delta quadrant using Borg technology!
> >
> Thanks Nux and Kristian but I don't see if these solutions will be really
> effective in my environment. Let me explain. In this host I have three
> physical interfaces: eth0, eth1 and wlan0.
>
> eth0 is connected to my internal network. eth1 is connected to a public
> router and wlan0 is connected to another public router. wlan0 and eth1 are
> bonded to provide failover Internet connections. CPU doesn't support pci
> passthrough (pci passthrough would solve my problems).
>

If assigning a NIC directly to a VM would solve the problem, you could try
using macvtap instead of PCI passthrough


>
> I need to deploy a fw vm to control traffic between internal and external
> interfaces. In BSD systems you can segregate all ip address and route
> tables from principal routing table. It is the same effect that I would
> like to implement in this host.
>
> And I don't see how to implement using CentOS (or another linux distro).


Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread Richard Landsman - Rimote

Hi,

I don't see why this should not work with the given solutions. But I'm 
relatively new to KVM / libvirt. Alternative:


Personally I use Shorewall (Shoreline FW) and bridge setups (also works 
with a bonding interface). This way you can create zones, interfaces, 
addresses, forwarding-rules etc and give per VM permission to let's say 
only use a certain IP, only access certain parts of the network, talk to 
a certain limited list of IPs etc. I can not imagine you can't create 
what you want with Shorewall. It looks complicated, but actually is very 
intuitive if you give it some time and effort.


Please feel free to provide a better description of what you want to 
accomplish. Maybe I misunderstand what you want to achieve.


--
Kind regards,

Richard Landsman
http://rimote.nl

T: +31 (0)50 - 763 04 07
(Mon-Fri 9:00 to 18:00)

24/7 for outages:
+31 (0)6 - 4388 7949
@RimoteSaS (Twitter service notices/security updates)

On 03/31/2017 11:56 AM, C. L. Martinez wrote:
> On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
>> Use libvirt with mac/ip spoofing enabled.
>>
>> https://libvirt.org/formatnwfilter.html
>>
>> https://libvirt.org/firewall.html
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>
> Thanks Nux and Kristian but I don't see if these solutions will be really 
> effective in my environment. Let me explain. In this host I have three physical 
> interfaces: eth0, eth1 and wlan0.
>
> eth0 is connected to my internal network. eth1 is connected to a public 
> router and wlan0 is connected to another public router. wlan0 and eth1 are 
> bonded to provide failover Internet connections. CPU doesn't support pci 
> passthrough (pci passthrough would solve my problems).
>
> I need to deploy a fw vm to control traffic between internal and external 
> interfaces. In BSD systems you can segregate all ip address and route tables 
> from principal routing table. It is the same effect that I would like to 
> implement in this host.
>
> And I don't see how to implement using CentOS (or another linux distro).





Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread C. L. Martinez
On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
> Use libvirt with mac/ip spoofing enabled.
> 
> https://libvirt.org/formatnwfilter.html
> 
> https://libvirt.org/firewall.html
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
Thanks Nux and Kristian but I don't see if these solutions will be really 
effective in my environment. Let me explain. In this host I have three physical 
interfaces: eth0, eth1 and wlan0.

eth0 is connected to my internal network. eth1 is connected to a public router 
and wlan0 is connected to another public router. wlan0 and eth1 are bonded to 
provide failover Internet connections. CPU doesn't support pci passthrough 
(pci passthrough would solve my problems).

I need to deploy a fw vm to control traffic between internal and external 
interfaces. In BSD systems you can segregate all ip address and route tables 
from principal routing table. It is the same effect that I would like to 
implement in this host.

And I don't see how to implement using CentOS (or another linux distro).

-- 
Greetings,
C. L. Martinez


Re: [CentOS-virt] Network isolation for KVM guests

2017-03-30 Thread Nux!
Use libvirt with mac/ip spoofing enabled.

https://libvirt.org/formatnwfilter.html

https://libvirt.org/firewall.html

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro



Re: [CentOS-virt] Network isolation for KVM guests

2017-03-30 Thread Kristián Feldsam
for KVM guests I use VLANs

Regards, Kristián Feldsam
Tel.: +420 773 303 353
E-mail.: ad...@feldhost.cz

www.feldhost.cz - FeldHost provides quality hosting and server services at a 
favourable price.

FELDSAM s.r.o.
V rohu 434/3
Praha 4 – Libuš, postal code 142 00
Company ID: 290 60 958, Tax ID: CZ290 60 958
C 200350, registered at the Municipal Court in Prague

Bank: Fio banka a.s.
Account number: 2400330446/2010
BIC: FIOBCZPPXX
IBAN: CZ82 2010  0024 0033 0446

> On 30 Mar 2017, at 16:06, C. L. Martinez wrote:
> 
> Hi all,
> 
> What options exist under CentOS hosts to work with isolated networks? For 
> example, on BSD systems it is really trivial. In FreeBSD you can use setfib 
> tools and on OpenBSD it is possible to use rdomain options. In 30 secs it is 
> possible to work with isolated networks and assign process, ip address and 
> routes (hidden from the main route table and ip addresses), etc.
> 
> But I can't find a similar solution for CentOS environments. I have found two 
> similar options:
> 
> a/ Network namespaces (but doesn't provide a real network isolation)
> b/ VRF (but it is supported only for kernels 4.8 and up)
> 
> Any ideas?
> 
> Thanks.


[CentOS-virt] Network isolation for KVM guests

2017-03-30 Thread C. L. Martinez
Hi all,

What options exist under CentOS hosts to work with isolated networks? For 
example, on BSD systems it is really trivial. In FreeBSD you can use setfib 
tools and on OpenBSD it is possible to use rdomain options. In 30 secs it is 
possible to work with isolated networks and assign process, ip address and 
routes (hidden from the main route table and ip addresses), etc.

But I can't find a similar solution for CentOS environments. I have found two 
similar options:

a/ Network namespaces (but doesn't provide a real network isolation)
b/ VRF (but it is supported only for kernels 4.8 and up)

 Any ideas?

Thanks.

-- 
Greetings,
C. L. Martinez