All, I'd like to filter network traffic of KVM guests.
case A:
- no MAC / IP Spoofing
- isolate guest, connections to the gateway only
- no connection to the KVM host
- no NAT
- maybe contradictory: same subnet as KVM host

case B:
- no MAC / IP Spoofing
- isolate guest, connections to the gateway only
- no connection to the KVM host
- no NAT
- some guests should share a "private VLAN"

What's the easiest way to separate KVM guests' traffic on the host?

I read it's deprecated to use iptables on a linux bridge. [1]

I don't like the libvirt (NAT) iptables rules. The default libvirt network connections aren't secure the way they are pre-configured. A good summary is in [2] (German only).

Is Open vSwitch a viable solution? Can OVS ACLs (or firewall) be used instead of iptables?

I'm a bit surprised that I couldn't find more about it on this list.

Chris

[1] http://lists.gnu.org/archive/html/qemu-devel/2009-07/msg01592.html
[2] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/Sicherheitsanalyse_KVM/Sicherheitsanalyse_KVM.pdf?__blob=publicationFile&v=3

-- 
Pope Francis calls for a fight against fake news. We think the man who presents himself as the representative of Christ, of whom he claims that his mother remained a virgin all her life and that he could walk on water and turn it into wine, is completely right.
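An added example, not from Chris's post and not from the libvirt project itself: one way to get the case A requirements without touching the bridge-wide iptables setup is a libvirt nwfilter. nwfilter rules are instantiated per guest interface (as ebtables/iptables rules on the guest's tap device), so they are not the deprecated "iptables on the bridge" pattern from [1]. The filter below reuses libvirt's built-in anti-spoofing filters and then allows only frames to and from the gateway's MAC, which also blocks the KVM host and other guests on the same subnet. The filter name `guest-gateway-only`, the variable `$GATEWAY_MAC` and the bridge name `br0` are assumptions made for this example.

```xml
<!-- Added example (not the original post's or libvirt's own config).
     Save as guest-gateway-only.xml and load with:
       virsh nwfilter-define guest-gateway-only.xml
     The variable $GATEWAY_MAC (assumed name) is supplied per guest from the
     domain XML, see the usage note below. -->
<filter name='guest-gateway-only' chain='root'>

  <!-- Built-in libvirt filters: the guest may only send frames with its own
       MAC, its own IP (learned via DHCP or set via the IP parameter) and
       matching ARP bindings. -->
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>

  <!-- Let the guest obtain a DHCP lease; the built-in filter only permits the
       DHCP client/server exchange. -->
  <filterref filter='allow-dhcp'/>

  <!-- ARP must still work so the guest can resolve the gateway; spoofed ARP
       has already been dropped by no-arp-spoofing above.
       Lower priority value = evaluated earlier. -->
  <rule action='accept' direction='inout' priority='100'>
    <mac protocolid='arp'/>
  </rule>

  <!-- IPv4 only towards the gateway's MAC (dst IP may be anything routed
       beyond it) and only back from the gateway's MAC. -->
  <rule action='accept' direction='out' priority='200'>
    <mac protocolid='ipv4' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
  <rule action='accept' direction='in' priority='200'>
    <mac protocolid='ipv4' srcmacaddr='$GATEWAY_MAC'/>
  </rule>

  <!-- Everything else is dropped: IPv4 to the KVM host or to other guests on
       the same bridge/subnet, IPv6, and any other L2 protocol. -->
  <rule action='drop' direction='inout' priority='1000'>
    <all/>
  </rule>
</filter>
```

To attach it, the guest's `<interface type='bridge'>` in the domain XML gets `<source bridge='br0'/>` plus `<filterref filter='guest-gateway-only'><parameter name='GATEWAY_MAC' value='…gateway MAC…'/></filterref>`; libvirt then instantiates the rules on the guest's vnet device when the domain starts, and they can be inspected on the host with `ebtables -t nat -L`. Because the isolation is done on the gateway's MAC rather than on IP addresses, the "same subnet as KVM host" point in case A is no longer contradictory: the guest shares the subnet but can only exchange frames with the gateway. For case B, the same filter can be extended with additional accept rules whose `srcmacaddr`/`dstmacaddr` come from a second per-guest parameter holding the MACs of the guests that are allowed to talk to each other.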