Hi All,
I am new to libvirt and encountered a strange problem setting up a network
filter in a NAT network.
I launched VMs on a single host using NAT, i.e. interface
type='network'. Now I want to control the outbound traffic from the VM
instance - only allow the VM to access a set of IP addresses. My
network filter XML is as follows. The problem is that once I change the VM
XML, shut down and start the VM, the VM cannot get an IP address.
/var/log/libvirt/libvirt.log shows the error "error : virNetDevGetIndex:656 :
Unable to get index for interface vnet2: No such device".
But when I remove the drop rule in the filter XML, the VM can get an IP
address. I even tried the clean-traffic filter shipped with libvirt.
The VM throws the same error above.
Any idea why this happens? How can I implement outbound traffic
control in libvirt? Thanks a lot.
<filter name='filter-test'>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='IP1'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='IP2'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <all/>
  </rule>
</filter>
The VM network section XML looks like this:
<interface type='network'>
  <mac address='52:54:00:0d:f1:ce'/>
  <source network='default'/>
  <filterref filter='filter-test'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
--
Regards,
Jiaan
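An added example of an egress-only filter for this scenario; it is not from the thread or from libvirt itself. It keeps the poster's intent (the guest may only open outbound connections to two addresses) but changes two things. First, a catch-all `<all/>` drop with direction='out' also drops the guest's DHCP requests (UDP 68 to 67), which is enough on its own to leave a guest on the default NAT network without a lease, so the filter accepts that exchange explicitly. Second, `<ip>` is matched at the ebtables layer while `<all>` is matched at the iptables layer, so an `<ip dstipaddr=.../>` accept does not exempt a packet from a later `<all/>` drop; the allowed destinations are therefore expressed with `<all dstipaddr=.../>` so accept and drop are evaluated in the same layer. The destination addresses are constructed placeholders from the documentation range and the priority numbers are a choice made here to make the evaluation order explicit rather than relying on position in the file.

```xml
<!-- Constructed example, not the original poster's filter.
     192.0.2.10 and 192.0.2.20 are placeholder destinations. -->
<filter name='filter-test'>

  <!-- Inbound SSH to the guest, as in the original filter. -->
  <rule action='accept' direction='in' priority='100'>
    <tcp dstportstart='22'/>
  </rule>

  <!-- DHCP client request (port 68 -> 67). Evaluated at the iptables
       layer, the same layer as the drop rule below, so the guest can
       still obtain a lease from the network's dnsmasq. -->
  <rule action='accept' direction='out' priority='200'>
    <udp srcportstart='68' dstportstart='67'/>
  </rule>

  <!-- Permitted outbound destinations. 'all' with dstipaddr matches
       every IP protocol to that address in the iptables layer. -->
  <rule action='accept' direction='out' priority='300'>
    <all dstipaddr='192.0.2.10'/>
  </rule>
  <rule action='accept' direction='out' priority='300'>
    <all dstipaddr='192.0.2.20'/>
  </rule>

  <!-- Catch-all egress drop. Its priority number is higher than every
       accept rule above, so it is instantiated after them. -->
  <rule action='drop' direction='out' priority='1000'>
    <all/>
  </rule>

</filter>
```

Load it with `virsh nwfilter-define filter-test.xml` and confirm it is present with `virsh nwfilter-list`; libvirt re-instantiates a redefined filter on guests that reference it. To check what was actually programmed on the host, list the iptables chains that libvirt creates per guest interface (`iptables -S`, chains named after the vnet device) and verify that the DHCP accept precedes the drop. Inbound traffic is not restricted by this filter beyond what the host's NAT network already does; replies to outbound flows that the accept rules admit are handled by libvirt's connection-tracking state match.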
2013/9/2 Jiaan Zeng <l.allen09@gmail.com>:
> [original message quoted in full]

hello, perhaps this blog post will help you :-).