18.12.11.4. Pre-existing network filters
The following is a list of example network filters that are automatically installed with libvirt:
Filter Name | Description |
---|---|
no-arp-spoofing | Prevents a guest virtual machine from spoofing ARP traffic; this filter only allows ARP request and reply messages and enforces that those packets contain the MAC and IP addresses of the guest virtual machine. |
allow-dhcp | Allows a guest virtual machine to request an IP address via DHCP (from any DHCP server). |
allow-dhcp-server | Allows a guest virtual machine to request an IP address from a specified DHCP server. The dotted decimal IP address of the DHCP server must be provided in a reference to this filter. The name of the variable must be DHCPSERVER. |
no-ip-spoofing | Prevents a guest virtual machine from sending IP packets with a source IP address different from the guest virtual machine's own IP address. |
no-ip-multicast | Prevents a guest virtual machine from sending IP multicast packets. |
clean-traffic | Prevents MAC, IP and ARP spoofing. This filter references several other filters as building blocks. |
These filters are only building blocks and must be combined with other filters to provide useful network traffic filtering. The most commonly used filter in the list above is clean-traffic. It can, for example, be combined with the no-ip-multicast filter to prevent virtual machines from sending IP multicast traffic in addition to preventing packet spoofing.
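
The combination described above, written out as an added example that is not part of the original documentation. The filter name clean-traffic-no-multicast, the bridge name, and the MAC and IP values are constructed for illustration.

```xml
<!-- Filter definition (hypothetical name). Save to a file and load it with:
       virsh nwfilter-define <file>
     It only references the two pre-existing building blocks. -->
<filter name='clean-traffic-no-multicast' chain='root'>
  <!-- MAC, IP and ARP spoofing prevention -->
  <filterref filter='clean-traffic'/>
  <!-- additionally drop IP multicast sent by the guest -->
  <filterref filter='no-ip-multicast'/>
</filter>

<!-- Guest interface in the domain XML that attaches the combined filter.
     Bridge, MAC and IP are constructed sample values. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='52:54:00:00:00:01'/>
  <filterref filter='clean-traffic-no-multicast'>
    <!-- IP pins the address the anti-spoofing rules enforce for this guest -->
    <parameter name='IP' value='192.0.2.10'/>
  </filterref>
</interface>
```

A filter that references allow-dhcp-server would take the DHCP server address the same way, as a `<parameter>` element named DHCPSERVER inside the `<filterref>`.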