authorSoren Hansen <soren.hansen@rackspace.com>2010-09-07 14:34:27 +0200
committerSoren Hansen <soren.hansen@rackspace.com>2010-09-07 14:34:27 +0200
commitf21d8510bb3f55b2b76aab251b0427dbfa69c5d9 (patch)
tree8815ea99f8318dd3a0043a229a1f924bdab2886c
parent937e8fae0237aed835ab2a55b4d4f0885a04f1d5 (diff)
Add a clean-traffic filterref to the libvirt templates to prevent spoofing and snooping attacks from the guests.
-rw-r--r--nova/virt/libvirt.qemu.xml.template3
-rw-r--r--nova/virt/libvirt.uml.xml.template3
2 files changed, 6 insertions, 0 deletions
diff --git a/nova/virt/libvirt.qemu.xml.template b/nova/virt/libvirt.qemu.xml.template
index 307f9d03a..3de1e5009 100644
--- a/nova/virt/libvirt.qemu.xml.template
+++ b/nova/virt/libvirt.qemu.xml.template
@@ -20,6 +20,9 @@
<source bridge='%(bridge_name)s'/>
<mac address='%(mac_address)s'/>
<!-- <model type='virtio'/> CANT RUN virtio network right now -->
+ <filterref filter="clean-traffic">
+ <parameter name="IP" value="$(private_dns_name)s" />
+ </filterref>
</interface>
<serial type="file">
<source path='%(basepath)s/console.log'/>
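Review bot: The added `<parameter name="IP" value="$(private_dns_name)s" />` starts its placeholder with `$(`, while every other placeholder in this template uses `%(` (`%(bridge_name)s`, `%(mac_address)s`, `%(basepath)s`). If the template is rendered with Python %-formatting, as those placeholders suggest, this one is not substituted and libvirt receives the literal text as the IP, so the clean-traffic filter is not bound to the guest's address and the domain definition may be rejected. The line should read `<parameter name="IP" value="%(private_dns_name)s" />`. The same line is added in the `libvirt.uml.xml.template` hunk and needs the same correction. Also worth confirming that `private_dns_name` holds an IP address rather than a hostname, since the filter's `IP` parameter is matched against packet source addresses.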
diff --git a/nova/virt/libvirt.uml.xml.template b/nova/virt/libvirt.uml.xml.template
index 6f4290f98..e64b172d8 100644
--- a/nova/virt/libvirt.uml.xml.template
+++ b/nova/virt/libvirt.uml.xml.template
@@ -14,6 +14,9 @@
<interface type='bridge'>
<source bridge='%(bridge_name)s'/>
<mac address='%(mac_address)s'/>
+ <filterref filter="clean-traffic">
+ <parameter name="IP" value="$(private_dns_name)s" />
+ </filterref>
</interface>
<console type="pty" />
<serial type="file">