tip for inter-KVM VMs traffic filtering with PF running on separate box


Jiri B-2
Hi,

I'm curious how to filter inter-VMs (running on Linux KVM host) traffic
on a remote bare-metal host running OpenBSD and PF. Any tip?

So, there would be a Linux KVM host running various VMs and a separate
OpenBSD box, and I'd like all traffic between those VMs running on that
Linux box to be sent to the OpenBSD box, which does PF and "switching".

libvirt docs say (about vepa-type bridging on Linux):

~~~
vepa
All VMs' packets are sent to the external bridge. Packets
whose destination is a VM on the same host as where the packet
originates from are sent back to the host by the VEPA capable bridge
(today's bridges are typically not VEPA capable).
~~~

Problem is, as they say, many bridges/network switches are not VEPA capable.

So what could I do?

Could I use vxlan/openvswitch and connect it to OpenBSD...

I'm a little bit lost about all the pieces in this area.

Thanks for your tips and comments.

j.
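For reference, the libvirt vepa mode the quoted docs describe is configured on the guest side as a macvtap "direct" interface; this is an added illustration, not part of the original post, and the host NIC name eth1 is assumed:

```xml
<!-- Added example (not from the post): guest interface definition in a
     libvirt domain XML. type="direct" attaches the VM to the physical
     host NIC via macvtap; mode="vepa" sends every frame out of the
     host NIC (assumed: eth1) instead of switching locally. -->
<interface type="direct">
  <source dev="eth1" mode="vepa"/>
  <model type="virtio"/>
</interface>
```

As the quoted docs and the post note, frames destined for another VM on the same host only come back if the upstream switch (or the OpenBSD box in its place) is VEPA capable and reflects them out the port they arrived on; otherwise the VMs simply cannot reach each other.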