examples: Add clean-traffic-gateway into nwfilters

The filter purpose is to simulate isolated private VLAN.

The behavior can be achieved by limiting network traffic
to traffic between VM and gateway. Because there is no
concept of the PVLAN in the linux bridge.

The filter also contains parts from clean-traffic
to prevent VM from spoofing its IP and MAC address.

To use this filter the user just needs to set
the GATEWAY_MAC variable to gateway MAC address.

Signed-off-by: Ales Musil <amusil@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>

diff --git a/examples/xml/nwfilter/clean-traffic-gateway.xml b/examples/xml/nwfilter/clean-traffic-gateway.xml
new file mode 100644 (file)
index 0000000..b8c2040
--- /dev/null
+++ b/examples/xml/nwfilter/clean-traffic-gateway.xml
@@ -0,0 +1,34 @@
+<filter name='clean-traffic-gateway'>
+    <!-- An example of a traffic filter enforcing clean traffic
+            from a VM by
+              - preventing MAC spoofing -->
+    <filterref filter='no-mac-spoofing'/>
+
+    <!-- preventing IP spoofing on outgoing -->
+    <filterref filter='no-ip-spoofing'/>
+
+    <!-- preventing ARP spoofing/poisoning -->
+    <filterref filter='no-arp-spoofing'/>
+
+    <!-- accept all other incoming and outgoing ARP traffic -->
+    <rule action='accept' direction='inout' priority='-500'>
+        <mac protocolid='arp'/>
+    </rule>
+
+    <!-- accept traffic only from specified MAC address -->
+    <rule action='accept' direction='in'>
+        <mac match='yes' srcmacaddr='$GATEWAY_MAC'/>
+    </rule>
+
+    <!-- allow traffic only to specified MAC address -->
+    <rule action='accept' direction='out'>
+        <mac match='yes' dstmacaddr='$GATEWAY_MAC'/>
+    </rule>
+
+    <!-- preventing any other traffic than between specified MACs
+    and ARP -->
+    <filterref filter='no-other-l2-traffic'/>
+
+    <!-- allow qemu to send a self-announce upon migration end -->
+    <filterref filter='qemu-announce-self'/>
+</filter>